Learn how you can bring together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data for small and midsize businesses (SMB).
Get help on the most common admin tasks in the Microsoft 365 Business admin center. The Microsoft 365 Business admin center is lot like the Office 365 admin center so the admin guidance we provide for Office 365 admin center also apply to Microsoft 365 Business.
Learn how you can bring together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data for small and midsize businesses (SMB).
Get help on the most common admin tasks in the Microsoft 365 Business admin center. The Microsoft 365 Business admin center is lot like the Office 365 admin center so the admin guidance we provide for Office 365 admin center also apply to Microsoft 365 Business.
+redirect_url: /microsoft-365/business/
+---
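Review bot: The redirect_url added here is a site-relative path (/microsoft-365/business/), while the two other redirects in this patch use absolute https://docs.microsoft.com/microsoft-365/business/... targets. Use one form in all three files, and if the relative form stays, confirm it resolves against the host that now serves the Microsoft 365 Business content rather than the site these stubs are published on.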
diff --git a/bcs/support/images/pc_customer_m365bpreview_suspend.png b/bcs/support/images/pc_customer_m365bpreview_suspend.png
deleted file mode 100644
index 7017cf8105..0000000000
Binary files a/bcs/support/images/pc_customer_m365bpreview_suspend.png and /dev/null differ
diff --git a/bcs/support/images/pc_customer_m365bpreview_suspend_confirm.png b/bcs/support/images/pc_customer_m365bpreview_suspend_confirm.png
deleted file mode 100644
index f44337889b..0000000000
Binary files a/bcs/support/images/pc_customer_m365bpreview_suspend_confirm.png and /dev/null differ
diff --git a/bcs/support/images/pc_customer_reviewnewsubscription.png b/bcs/support/images/pc_customer_reviewnewsubscription.png
deleted file mode 100644
index 6f67c31383..0000000000
Binary files a/bcs/support/images/pc_customer_reviewnewsubscription.png and /dev/null differ
diff --git a/bcs/support/images/pc_customer_subscriptions.PNG b/bcs/support/images/pc_customer_subscriptions.PNG
deleted file mode 100644
index 77fba8ef8b..0000000000
Binary files a/bcs/support/images/pc_customer_subscriptions.PNG and /dev/null differ
diff --git a/bcs/support/images/pc_customer_subscriptions_1.png b/bcs/support/images/pc_customer_subscriptions_1.png
deleted file mode 100644
index fc27c2c26c..0000000000
Binary files a/bcs/support/images/pc_customer_subscriptions_1.png and /dev/null differ
diff --git a/bcs/support/images/pc_customer_userslicenses_m365b_validate.png b/bcs/support/images/pc_customer_userslicenses_m365b_validate.png
deleted file mode 100644
index 1af38b82af..0000000000
Binary files a/bcs/support/images/pc_customer_userslicenses_m365b_validate.png and /dev/null differ
diff --git a/bcs/support/microsoft-365-business-faqs.md b/bcs/support/microsoft-365-business-faqs.md
index 8dec00bbf8..332b565f0c 100644
--- a/bcs/support/microsoft-365-business-faqs.md
+++ b/bcs/support/microsoft-365-business-faqs.md
@@ -1,186 +1,3 @@
---
-title: Microsoft 365 Business Frequently Asked Questions
-description: Find answers to the most frequently asked questions about Microsoft 365 Business, a new solution designed for small and midsize businesses (SMB).
-author: CelesteDG
-ms.author: celested
-ms.topic: article
-ms.prod: microsoft-365-business
-ms.localizationpriority: high
-audience: microsoft-business
-keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers, business
-ms.date: 11/02/2017
----
-
-
-# Microsoft 365 Business Frequently Asked Questions
-
-## General
-
-### What is Microsoft 365 Business?
-Microsoft 365 is an integrated solution that brings together best-in-class productivity tools, security and device management capabilities for small to medium-sized businesses.
-
-**A holistic set of business productivity and collaboration tools**
-* Word, Excel, PowerPoint, Outlook, OneNote, Publisher, and Access
-* Exchange, OneDrive, Skype for Business, Microsoft Teams, SharePoint
-* Business apps from Office (Bookings, Outlook Customer Manager, MileIQ[1](#footnote1), Microsoft Listings[1](#footnote1), Microsoft Connections[1](#footnote1), Microsoft Invoicing[1](#footnote1))
-
-**Enterprise-grade device management and security capabilities**
-* App protection for Office mobile apps
-* Device management for Windows 10 PCs
-* Consistent security configuration across devices
-* Protection of company data across devices
-* Windows Defender, always-on and up-to-date
-
-**Simplified device deployment and user setup**
-* Single admin console to setup and manage users and devices
-* Auto-installation of Office apps on Windows 10 PCs
-* Always up-to-date Office + Windows 10
-* Streamlined deployment of PCs with Windows AutoPilot
-
-### Who should consider adopting Microsoft 365 Business?
-Microsoft 365 Business was built for small and medium-sized customers that have little to no IT resources on staff and want best-in-class productivity and collaboration capabilities of Office 365 together with device management and security solutions that safeguard business data. The Microsoft 365 Business customer is ready to move their IT operations to the cloud and is interested in maintaining a proactive stance to help protect data on both company and employee-owned devices.
-
-### How can I get Microsoft 365 Business for my business?
-Microsoft 365 Business may be purchased through a Microsoft Partner or directly from Microsoft. In choosing whether to purchase directly from Microsoft or via a Microsoft Partner, you should consider your on-staff capability and desire to maintain an IT infrastructure. A Microsoft Partner can help you deploy and manage your IT infrastructure including Microsoft solutions.
-
-### How much does Microsoft 365 Business cost?
-Microsoft 365 Business is offered at USD$20.00 user/month based on an _annual contract_ if purchased directly from Microsoft. When purchased through a Microsoft Partner, pricing can vary based on the services the partner provides and their pricing model for Microsoft 365 Business. There are no planned pricing discounts for government, education or non-profit organizations.
-
-### Is there a cap to how many Microsoft 365 Business seats a customer can have?
-Microsoft 365 Business was designed for small to medium sized businesses with low to medium IT complexity requirements. Customers may purchase up to 300 Microsoft 365 Business licenses for their organization. Customers can mix and match cloud subscriptions; as a result, depending on their organization’s IT requirements, customers may add Microsoft 365 Enterprise licenses to the same account.
-
-When considering an environment consisting of multiple subscription types, customers should work with their trusted IT advisors to determine how best to manage and secure the various subscriptions as Microsoft 365 Business and Microsoft 365 Enterprise use different capabilities to secure and manage applications and data.
-
-### Can I combine Microsoft 365 Business with other Microsoft subscription offerings?
-Yes, customers can combine their Microsoft 365 Business subscriptions with plans and add-ons from Azure, Dynamics 365, Enterprise Mobility + Security, and Office 365.
-
-### Is everyone in my business required to have a Microsoft 365 Business subscription?
-No, not everyone needs a Microsoft 365 Business subscription, although the security and management benefits are available only to those users with devices managed with a Microsoft 365 Business subscription.
-
-Standardizing an IT environment serves to help reduce maintenance and security costs over time and is a state that businesses should strive to attain. However, we recognize that some small and medium size customers update their software primarily when they upgrade their hardware, over an extended period. Businesses can deploy Microsoft 365 Business to part of their organization, but for best protection of sensitive business data and consistent collaboration experiences, deployment to all users is recommended.
-
-### How can I know if the hardware and software I run today is compatible with Microsoft 365 Business?
-If the hardware you run today runs Windows 7 Pro or later, it likely meets the minimum requirements for Microsoft 365 Business. Certain Windows 10 features such as Cortana, Windows Hello and multitouch require specific hardware that is only available on newer PCs. See the Windows 10 Pro system requirements for additional details.
-
-Existing desktop (Win32) application compatibility is strong in Windows 10, with most existing applications working without any changes. Customers and their trusted IT advisors should read the recommended application testing process for Windows 10 compatibility and review the Office system requirements to ensure a smooth transition to Microsoft 365 Business.
-
-### What is Windows 10 Business?
-Windows 10 Business is a set of cloud-services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business. Windows 10 Business also comes with Windows AutoPilot, a service that streamlines the deployment of new Windows 10 PCs. If you have devices that are licensed for Windows 7, 8 and 8.1 Professional, Microsoft 365 Business provides an upgrade to Windows 10 Pro which is the prerequisite for deploying Windows 10 Business.
-
-### How does Microsoft 365 Business help support our Bring Your Own Device (BYOD) policy?
-Many employees prefer to use their own mobile phones or tablets to access personal and work information rather than carrying multiple devices for each purpose. The use of personal devices for work, while commonplace, increases the risk that business information could end up in the wrong hands. Many competing mobile data protection solutions require users to switch to a specific mode on their device or use another complex mechanism that users may find intrusive and therefore avoid using.
-
-Microsoft 365 Business offers customers a simple but powerful means of enabling employees to use their personal devices for work while providing the business with the ability to prevent those devices from accessing, retaining and/or sharing business information. More specifically:
-* **App Protection for Office mobile apps** helps protect Office data, including email, calendar, contacts, and documents on iOS and Android mobile devices, by enforcing policies such as automatically deleting business data after a prescribed amount of time of not connecting to the service, requiring that information is stored only to OneDrive for Business, requiring a PIN/fingerprint verification to access Office apps, and preventing company data from being copied from an Office app into personal apps.
-* **Device Management for Windows 10 PCs** allows businesses to choose to set and enforce capabilities such as Windows Defender protection for malware, automatic updates, and turning off screens after a prescribed amount of time. In addition, lost or stolen Windows 10 devices can be completely wiped of business applications and data through the Admin center.
-
-### How does Microsoft 365 Business help protect PCs in my organization from malicious attacks?
-PCs managed with Microsoft 365 Business are protected with Windows Defender, which is the No. 1 antivirus feature on Windows 10, protecting more computers against viruses, malware, spyware, and other threats than any other solution. With Microsoft 365 Business, businesses can ensure Windows Defender protection is running and always up to date on all their Windows 10 devices
-
-### What's the difference between Office 365 Business Premium, Microsoft 365 Business and Microsoft 365 Enterprise?
-Microsoft has a variety of productivity and security management offerings that small to medium-sized customers may consider when upgrading their desktop and device infrastructure, each bringing increasingly powerful features and functionality.
-
-**Office 365 Business Premium** delivers best-in-class productivity with Office 365 apps and services but does not include the application protection and device management capabilities of Microsoft 365 Business.
-
-**Microsoft 365 Business** combines Office 365 apps and services with mobile application management and Windows 10 Pro to enable remote management and help protect devices against viruses and malware. It includes a simplified management console through which device and data policies may be administered. Many small to medium-sized businesses can be best served with Microsoft 365 Business, although those in highly regulated industries may require more advanced functionality provided by Microsoft 365 Enterprise plans (E3 and E5).
-
-**Microsoft 365 Enterprise** is a set of licensing plans that offer increased levels of mobility and security management over Microsoft 365 Business and are designed for enterprise customers and those customers that are required or regulated to provide the highest level of protection for their data. In addition, Microsoft 365 Business plans provide additional functionality including business intelligence and analytics tools.
-
-### Can I switch my Office 365 plan to Microsoft 365 Business?
-Yes, customers may switch their plans from a qualifying Office 365 plan to Microsoft 365 Business. Depending on the customer’s current plan there may be a decrease or increase in monthly charges.
-
-### In what regions is Microsoft 365 Business available?
-The Microsoft 365 Business will be available to all partners and customers where Office 365 is available. See the list of Office 365 international availability for languages, countries and regions.
-
-### Is there a Microsoft 365 Business trial I may use to evaluate the offer?
-A Microsoft 365 Business trial will be available later this year both for direct customers and for CSPs.
-
-### What should customers and partners know before running Microsoft 365 Business within their organization?
-Customers that wish to experience the complete capabilities of Microsoft 365 Business must be running Windows 7, 8.1 or 10 Pro[2](#footnote2) on their existing desktops. Customers who use on-premises Active Directory to enable login to PCs will switch devices over cloud identity and management as part of their deployment. Existing Windows 10 Pro PCs should be running Creators Update if they have not already done so.
-
-## Deployment
-
-### What should customers consider when planning a Microsoft 365 Business deployment?
-The most direct path to a successful Microsoft 365 Business deployment is to engage with a Microsoft Partner. They have extensive training and experience with a wide variety of customer scenarios and are best equipped to understand your environment and needs. Customers that have experienced IT on staff can use the Microsoft 365 Business Getting Started to assist them in their Microsoft 365 Business deployment.
-
-### Does Microsoft 365 Business include the full capabilities of Microsoft Intune?
-Microsoft 365 Business includes a robust set of mobile app management capabilities powered by Microsoft’s MDM solution (Microsoft Intune). These are a subset of features, specifically chosen to meet the needs of SMBs and organized to be easily managed via a simplified administration experience. If a company requires the full capabilities of Intune, they can purchase a qualifying plan separately.
-
-### Does Azure Active Directory P1 come with Microsoft 365 Business?
-Microsoft 365 Business is built on technology from across Microsoft and while it shares some features with Azure Active Directory, it is not a full version. The security and management policies created in Microsoft 365 Business rely on some Azure functionality but does not include all features (e.g. selfservice features, conditional access features, and reporting). Customers may choose to purchase Azure Active Directory Premium as an add-on to Microsoft 365 Business.
-
-### Does Microsoft 365 Business allow customers to manage Macs?
-The security and management capabilities of Microsoft 365 Business pertain to iOS and Android mobile and tablet devices, and Windows PCs.
-
-### What is Windows AutoPilot?
-Windows AutoPilot is a service that streamlines the deployment of new Windows 10 PCs. This process can be done when the end-user logs on to Microsoft 365 Business for the first time—without IT ever touching the device—by leveraging centralized management controls of Microsoft 365 Business. You can also use Windows AutoPilot for existing PCs that are running Windows 10 Professional Creators Update (or later) and have been factory reset. Details about Windows AutoPilot can be found in this June blog post.
-
-## Compatibility
-
-### Can I add Office 365 add-ons to Microsoft 365 Business?
-All the add-ons that can be added to Office 365 Business Premium can be added to Microsoft 365 Business. This means that you can purchase Advanced Threat Protection, Office 365 Cloud App Security, Advanced Compliance, Threat Intelligence, MyAnalytics, PowerBI Pro, and Audio Conferencing.
-
-### Can I add Phone System and Calling Plans to Microsoft 365 Business?
-No, Phone System and Calling Plan are reserved for customers who have more advanced needs. Customers who require these capabilities should look at Microsoft 365 Enterprise offerings.
-
-### Can Microsoft 365 Business customers use Windows Defender Advanced Threat Protection?
-No, customers that require Windows Defender Advanced Threat Protection need either Windows 10 Enterprise E5 or Microsoft 365 Enterprise E5.
-
-### Can I use Windows Information Protection with Microsoft 365 Business?
-Yes, Windows Information Protection (WIP) is a feature of Windows 10 Pro and helps businesses prevent accidental leaks by restricting user and app access to business files based on policies you define. Your business data is protected no matter where it lives on your devices—without affecting your user experience. Microsoft 365 Business includes controls to ensure Windows Information Protection is properly configured and automatically deployed to end-user devices.
-
-### Can customers use Microsoft 365 Business with on-premises Active Directory?
-To realize the full value of Windows 10, Windows 10 PCs need to be joined to Azure Active Directory. You may use Microsoft 365 Business with Windows 10 devices joined to on-premises Active Directory but it is not recommended because you won’t be able to enforce policies from the Microsoft 365 Business Admin console.
-
-### Can customers create hosted Windows 10 VMs with a Microsoft 365 Business subscription?
-No, customers that require virtualization should purchase Windows 10 Enterprise or a Microsoft 365 Enterprise subscription.
-
-## Partner opportunity
-
-### Where can I learn more about the opportunities and benefits in becoming a Microsoft Partner?
-IT service providers that are not already Microsoft partners can learn more about the Microsoft Cloud Solution Provider program at
-[https://partners.office.com/microsoft365business](https://partners.office.com/microsoft365business).
-
-### Where can I learn how to sell Microsoft 365 Business?
-Partners now selling Office 365 can use the same consultative selling methods to sell Microsoft 365 Business. In addition, we are introducing more resources and training for your sales team to understand the customers’ existing desktop environment, Active Directory reliance, mobility and security needs to effectively communicate the full value of Microsoft 365 Business in a way that is relevant to the customer. Find these resources on the Office Partner portal at [http://partners.office.com/microsoft365business](http://partners.office.com/microsoft365business).
-
-### How can Microsoft 365 Business help partners increase the profitability?
-Microsoft 365 Business will help partners reduce costs through greater operational efficiencies and enhance revenue through the sale of additional services. The Forrester Research, Microsoft 365 Business Total Economic Impact (TEI) Study, June 2017 (https://partners.office.com/TEIBusiness), demonstrates that Microsoft 365 Business will have positive impact on partner profitability.
-
-In the TEI study partners reported that with Microsoft 365 Business they expect:
-
-- 20%-point increase in \[one-time\] deployment and advisory services revenue
-- 10%-point increase in attach rate of managed services
-- 8%-point increase in consulting and \[ongoing\] managed services profit margins (from lower costs)
-
-### What resources are available to partners to sell, deploy and support Microsoft 365 Business?
-Microsoft provides a wide selection of resources for CSP partners to market, sell, and support Microsoft 365 Business. They can be found at
-[https://partners.office.com/microsoft365business](https://partners.office.com/microsoft365business).
-
-### What up-sell opportunities does Microsoft 365 Business give partners?
-Microsoft 365 Business allows partners to maintain their trusted advisor position with customers, by creating a solid and secure platform upon which to sell additional services and to upgrade existing products and services. Microsoft 365 Business provides an opportunity to have an upgrade discussion with customers now using Exchange Server, Exchange Online or Office 365 Business Essentials. Partners may also gain additional revenue from increased managed services and/or peruser support fees.
-
-With the new Windows AutoPilot feature included in Microsoft 365 Business, partners who have been reluctant to sell new Windows devices due to deployment logistics and costs will find this opportunity much more attractive. Customers who are confident in the security of their on-premise and mobile devices are also more likely to invest in additional services, such as Dynamics 365.
-
-### Should partners sell Microsoft 365 Business over other plans from Microsoft?
-A Microsoft Cloud Solution Provider should always sell the plan that best suits its customer business needs and budget. For example, if a customer must comply with privacy and security regulations, a CSP may sell Microsoft 365 Business plus any add-ons that help the customer meet its requirements or may suggest the advanced security and management provided by Microsoft 365 Business E SKUs.
-
-### Some of my customers have devices that are not genuine; will Microsoft 365 Business make these devices genuine?
-Microsoft 365 Business does not make an otherwise non-genuine version of Windows, genuine. Microsoft 365 Business does provide an upgrade benefit allowing those customers running genuine Windows 7, 8 or 8.1 Pro to upgrade to the most recent, genuine version of Windows 10 Pro.
-
-### What support is available to CSP partners for the Microsoft 365 Business Preview?
-The same support channels available to CSP partners today (premier support and advanced support program) have been trained on Microsoft 365 Business and are ready to provide partners with support.
-
-### What is the GDPR and how does Microsoft 365 Business help customers with their compliance obligations?
-The General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives residents of the European Union (EU) greater control over their “personal data” and requires organizations to maintain the integrity of that personal data. The GDPR requires organizations that control, or process personal data tied to EU residents to only use third-party data processors that meet the GDPR’s requirements for personal data processing. In March 2017, Microsoft made available contractual guarantees that provide these assurances. Customers that have questions about how Microsoft can help them meet their additional GDPR obligations should learn about the advanced compliance and security capabilities available as add-ons (e.g. Azure Information Protection) and in other Suites (e.g. Microsoft 365 Enterprise E5). To learn more, visit [www.microsoft.com/gdpr](https://www.microsoft.com/gdpr).
-
-
-
-
-## Footnotes
-**1** Available in US, UK, and Canada.
-**2** Devices running Windows 7 or 8.1 Pro are eligible for an upgrade to Windows 10 Pro within the Microsoft 365 Business preview.
-
-
-
-
+redirect_url: https://docs.microsoft.com/microsoft-365/business/support/microsoft-365-business-faqs
+---
\ No newline at end of file
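Review bot: The new three-line stub ends at the closing --- with no trailing newline; add one so a later edit to this file does not show up as a change to the delimiter line. Because the hunk deletes all 186 lines, including the #footnote1 and #footnote2 anchors, and leaves only redirect_url, confirm that the target page is published before this merges and that it keeps the answers admins use to scope protection: that Windows Defender Advanced Threat Protection is not part of Microsoft 365 Business, and that policies cannot be enforced from the admin console on devices joined to on-premises Active Directory. While checking the migrated copy, the removed Microsoft 365 Enterprise paragraph ends with "Microsoft 365 Business plans provide additional functionality", which looks like it was meant to say Enterprise.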
diff --git a/bcs/support/transition-csp-subscription.md b/bcs/support/transition-csp-subscription.md
index 7c15aa33b6..45a6e1c74c 100644
--- a/bcs/support/transition-csp-subscription.md
+++ b/bcs/support/transition-csp-subscription.md
@@ -1,103 +1,3 @@
---
-title: Transition a Microsoft 365 Business CSP subscription
-description: Find out how you can transition a Microsoft 365 Business CSP subscription from preview to GA.
-author: CelesteDG
-ms.author: celested
-ms.topic: article
-ms.prod: microsoft-365-business
-ms.localizationpriority: high
-audience: microsoft-business
-keywords: Microsoft 365 Business, Microsoft 365, SMB, transition CSP subscription
-ms.date: 11/01/2017
----
-
-# Transition a Microsoft 365 Business CSP subscription
-
-If you have a Microsoft 365 Business Preview CSP subscription, follow this guide to find out how you can transition your existing preview subscription to Microsoft 365 Business GA (general availability).
-
-**How to transition a preview subscription to GA**
-
-1. Log in to Partner Center.
-2. From the dashboard, select **Customers**, and then find and select the company name.
-
- The subscriptions for the company will be listed.
-
- 
-
-3. In the company's **Subscriptions** page, select **Add subscription**.
-4. In the **New subscription** page, select **Small business** and then select **Microsoft 365 Business** from the list.
-5. Add the number of licenses and then select **Next: Review** to review the subscription and then select **Submit**.
-
- 
-
- The **License-based subscriptions** will show **Microsoft 365 Business Preview** and **Microsoft 365 Business**. You'll need to suspend the Preview subscription next.
-
-6. Select **Microsoft 365 Business Preview**.
-7. In the **Microsoft 365 Business Preview** page, select **Suspended** to suspend the Preview subscription.
-
- 
-
-8. Select **Submit** to confirm.
-
- In the **Subscriptions** page, confirm that the **Microsoft 365 Business Preview** status shows **Suspended**.
-
- 
-
-9. Optionally, you can also validate the license agreement. To do this, follow these steps:
- 1. Select **Users and licenses** from the company's **Subscriptions** page.
- 2. From the **Users and licenses** page, select a user.
- 3. In the user's page, check the **Assign licenses** section and confirm that it shows **Microsoft 365 Business**.
-
- 
-
-## Impact to customers and users during and after transition
-
-There is no impact to customers and users during transition and post transition.
-
-## Impact to customers who don't transition
-
-The following table summarizes the impact to customers who don't transition from a Microsoft 365 Business Preview subscription to a Microsoft 365 Business subscription.
-
-| | T-0 to T+30 | T+30 to T+60 | T+60 to T+120 | Beyond T+120 |
-|-------|-----------------|--------------|---------------|---------------|
-| **State** | In grace period | Expired | Disabled | Deprovisioned |
-| **Service impacts** |
-| **Microsoft 365 Business admin portal** | No impact to functionality | No impact to functionality | Can add/delete users, purchase subscriptions. Cannot assign/revoke licenses. | Customer's subscription and all data is deleted. Admin can manage other paid subscriptions. |
-| **Office apps** | No end user impact | No end user impact | Office enters reduced functionality mode. Users can view files only. | Office enters reduced functionality mode. Users can view files only. |
-| **Cloud services (SharePoint Online, Exchange Online, Skype, Teams, and more)** | No end user impact | No end user impact | End users and admins have no access to data in the cloud. | Customer's subscription and all data are deleted. |
-| **EM+S components** | No admin impact No end user impact | No admin impact No end user impact | Capability will cease to be enforced. See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability will cease to be enforced. See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
-| **Windows 10 Business** | No admin impact No end user impact | No admin impact No end user impact | Capability will cease to be enforced. See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability will cease to be enforced. See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
-| **Azure AD login to a Windows 10 PC** | No admin impact No end user impact | No admin impact No end user impact | No admin impact No end user impact | Once the tenant is deleted, a user can log in with local credentials only. Re-image the device if there are no local credentials. |
-
-## Mobile device impacts upon subscription expiration
-
-The followint table summarizes the impact to the app management policies on mobile devices.
-
-| | Fully licensed experience | T+60 days post expiration |
-|----------------------------|------------------------------------------------|------------------------------------|
-| **Delete work files from an inactive device** | Work files are removed after selected days | Work files remain on the user's personal devices |
-| **Force users to save all work files to OneDrive for Business** | Work files can only be saved to OneDrive for Business | Work files can be saved anywhere |
-| **Encrypt work files** | Work files are encrypted | Work files are no longer encrypted. Security policies are removed and Office data on apps is removed. |
-| **Require PIN or fingerprint to access Office apps** | Restricted access to apps | No app-level access restriction |
-| **Reset PIN when login fails** | Restricted access to apps | No app-level access restriction |
-| **Require users to sign in again after Office apps have been idle** | Sign-in required | No sign-in required to access apps |
-| **Deny access to work files on jailbroken or rooted devices** | Work files cannot be accessed on jailbroken/rooted devices | Work files can be accessed on jailbroken/rooted devices |
-| **Allow users to copy content from Office apps to Personal apps** | Copy/paste restricted to apps available as part of Microsoft 365 Business subscription | Copy/paste available to all apps |
-
-## Windows 10 PC impacts upon subscription expiration
-
-The following table summarizes the impact to the Windows 10 device configuration policies.
-
-| | Fully licensed experience | T+60 days post expiration |
-|----------------------------|------------------------------------------------|------------------------------------|
-| **Help protect PCs from threats using Windows Defender** | Turn on/off is outside of user control | User may turn on/off Windows Defender on the Windows 10 PC |
-| **Help protect PCs from web-based threats in Microsoft Edge** | PC protection in Microsoft Edge | User may turn on/off PC protection in Microsoft Edge |
-| **Turn off device screen when idle** | Admin defines screen timeout interval policy | Screen timeout can be configured by end user |
-| **Allow users to download apps from Microsoft Store** | Admin defines if a user can download apps from Microsoft Store | User can download apps from Microsoft Store anytime |
-| **Allow users to access Cortana** | Admin defines policy on user access to Cortana | User devices to turn on/off Cortana |
-| **Allow users to receive tips and advertisements from Microsoft** | Admin defines policy on user receive tips and advertisements from Microsoft | User may turn on/off tips and advertisements from Microsoft |
-| **Allow users to copy content from Office apps into personal apps** | Admin defines policy to keep Windows 10 devices up-to-date | Users can decide when to update Windows |
-
-
-
-
+redirect_url: https://docs.microsoft.com/microsoft-365/business/support/transition-csp-subscription
+---
\ No newline at end of file
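Review bot: the replacement front matter ends at the closing `---` with no trailing newline (see the `\ No newline at end of file` marker), so please end the file with a newline. Since this redirect replaces the tables describing which protections lapse at T+60 days, it is also worth confirming that the target page carries that content. If the Windows 10 table is carried over, note that its removed last row pairs "Allow users to copy content from Office apps into personal apps" with cells about keeping Windows 10 devices up-to-date, so the row label and cells do not match.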
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 215e7cc5a8..8f9901dcb2 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -7,15 +7,14 @@ ms.mktglfcycl: explore
ms.sitesec: library
title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
ms.localizationpriority: high
-ms.date: 09/13/2017
+ms.date: 09/13/2017 #Previsou release date
---
+
+
# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
+> Applies to: Windows 10, Windows 10 Mobile
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
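Review bot: the new `ms.date` line keeps 09/13/2017 and appends `#Previsou release date`, which has a typo ("Previsou") and leaves the metadata pointing at the old revision even though the page body is rewritten in the next hunk. Either set `ms.date` to the date of this revision or drop the trailing comment. The two blank lines added after the closing `---` look unintentional, and collapsing the "Applies to" list into a blockquote is a formatting change that should be applied consistently with the other Edge topics.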
@@ -25,348 +24,328 @@ By using Group Policy and Intune, you can set up a policy setting once, and then
> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
## Group Policy settings
+Microsoft Edge works with the following Group Policy settings to help you manager your company's web browser configurations. The Group Policy settings are found in the Group Policy Editor in the following location:
+
+`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`
+
+
### Allow Address bar drop-down list suggestions
-- **Supported versions:** Windows 10, version 1703
-
-- **Description:** This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
-
- - If you enable or don't configure this setting (default), employees can see the Address bar drop-down functionality in Microsoft Edge.
-
- - If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".
-
- > [!Note]
- > Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.
+>*Supporteded versions: Windows 10, version 1703*
+This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
+| If you... | Then... |
+| --- | --- |
+| Enable (default) | Employees can see the Address bar drop-down functionality in Microsoft Edge. |
+| Disable | Employees do not see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type."
Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. |
+
### Allow Adobe Flash
-- **Supported versions:** Windows 10 or later
+>*Supporteded version: Windows 10*
-- **Description:** This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
-
- - If you enable or don't configure this setting (default), employees can use Adobe Flash.
-
- - If you disable this setting, employees can't use Adobe Flash.
+This policy setting lets you decide whether employees can run Adobe Flash on Microsoft Edge.
+| If you… | Then… |
+| --- | --- |
+| Enable or don’t configure (default) | Employees can use Adobe Flash. |
+| Disable | Employees cannot use Adobe Flash. |
### Allow clearing browsing data on exit
-- **Supported versions:** Windows 10, version 1703
+>*Supporteded versions: Windows 10, version 1703*
-- **Description:** This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.
-
- - If you enable this policy setting, clearing browsing history on exit is turned on.
-
- - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings.
+This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.
+| If you… | Then… |
+| --- | --- |
+| Enable | Clear browsing history on exit is turned on. |
+| Disable or don’t configure (default) | Employees can turn on and configure the Clear browsing data option under Settings. |
### Allow Developer Tools
-- **Supported versions:** Windows 10, version 1511 or later
+>*Supporteded versions: Windows 10, version 1511 or later*
-- **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
- - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge.
-
- - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge.
+This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
+| If you… | Then… |
+| --- | --- |
+| Enable (default) | F12 Developer Tools are available. |
+| Disable | F12 Developer Tools are not available. |
### Allow Extensions
-- **Supported versions:** Windows 10, version 1607 or later
+>*Supporteded versions: Windows 10, version 1607 or later*
-- **Description:** This policy setting lets you decide whether employees can use Edge Extensions.
-
- - If you enable or don’t configure this setting, employees can use Edge Extensions.
-
- - If you disable this setting, employees can’t use Edge Extensions.
+This policy setting lets you decide whether employees can use Microsft Edge Extensions.
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees can use Microsoft Edge Extensions. |
+| Disable | Employees cannot use Microsoft Edge Extensions. |
### Allow InPrivate browsing
-- **Supported versions:** Windows 10, version 1511 or later
+>*Supporteded versions: Windows 10, version 1511 or later*
-- **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing.
-
- - If you enable or don’t configure this setting (default), employees can use InPrivate website browsing.
-
- - If you disable this setting, employees can’t use InPrivate website browsing.
+This policy setting lets you decide whether employees can browse using InPrivate website browsing.
+| If you… | Then… |
+| --- | --- |
+| Enable (default) | Employees can use InPrivate website browsing. |
+| Disable | Employees cannot use InPrivate website browsing. |
### Allow Microsoft Compatibility List
-- **Supported versions:** Windows 10, version 1607 or later
+>*Supporteded versions: Windows 10, version 1607 or later*
-- **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.
-
- - If you enable or don’t configure this setting (default), Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.
-
- - If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation.
+This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.
+| If you… | Then… |
+| --- | --- |
+| Enable (default) | Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation . Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it’s in whatever version of IE is necessary for it to appear properly. |
+| Disable | Browser navigation does not use the Microsoft Compatibility List. |
### Allow search engine customization
-- **Supported versions:** Windows 10, version 1703
+>*Supported versions: Windows 10, version 1703*
-- **Description:** This policy setting lets you decide whether users can change their search engine.
+This policy setting lets you decide whether users can change their search engine. Important. You can only use this setting with domain-joined or MDM-enrolled devices.
- >[!Important]
- >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy).
- - If you enable or don't configure this policy (default), users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.
-
- - If you disable this setting, users can't add search engines or change the default used in the address bar.
+| If you… | Then… |
+| --- | --- |
+| Enable or don’t configure (default) | Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. |
+| Disable | Employees cannot add search engines or change the default used in the Address bar. |
### Allow web content on New Tab page
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.
-
- - If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
-
- - If you disable this setting, Microsoft Edge opens a new tab with a blank page.
-
- - If you don’t configure this setting (default), employees can choose how new tabs appears.
+This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees cannot change it.
+| If you… | Then… |
+| --- | --- |
+| Enable | Microsoft Edge opens a new tab with the New Tab page. |
+| Disable | Microsoft Edge opens a new tab with a blank page. |
+| Do not configure (default) | Employees can choose how new tabs appear. |
### Configure additional search engines
-- **Supported versions:** Windows 10, version 1703
+>*Supported versions: Windows 10, version 1703*
-- **Description:** This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting.
-
- > [!Important]
- > This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
-
- - If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format:
-
- https://www.contoso.com/opensearch.xml
-
- For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic.
-
- - If you disable this setting (default), any added search engines are removed from your employee's devices.
-
- - If you don't configure this setting, the search engine list is set to what is specified in App settings.
+This policy setting lets you add up to 5 additional search engines, which cannot be removed by your employees but can make a personal default engine. This setting does not set the default search engine. For that, you must use the "Set default search engine" setting.
+| If you… | Then… |
+| --- | --- |
+| Enable | You can add up to 5 additional search engines. For each additional search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:
``
For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable setting (default) | Any added search engines are removed from the employee’s device. |
+| Do not configure | The search engine list is set to what is specified in App settings. |
### Configure Autofill
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.
-
- - If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.
-
- - If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.
-
- - If you don’t configure this setting (default), employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.
+This policy setting lets you decide whether employees can use Autofill the form fields automatically while using Microsoft Edge. By default, employees can choose whether to use Autofill.
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees can use Autofill to populate form fields automatically. |
+| Disable | Employees cannot use Autofill to populate form fields automatically. |
+| Do not configure (default) | Employees can choose whether to use Autofill to populate the form fields automatically. |
### Configure cookies
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This setting lets you configure how to work with cookies.
-
- - If you enable this setting, you must also decide whether to:
- - **Allow all cookies (default):** Allows all cookies from all websites.
-
- - **Block all cookies:** Blocks all cookies from all websites.
-
- - **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.
-
- - If you disable or don't configure this setting, all cookies are allowed from all sites.
+This setting lets you configure how to work with cookies.
+| If you… | Then… |
+| --- | --- |
+| Enable (default) | You must also decide whether to:
**Allow all cookies (default)** from all websites.
**Block all cookies** from all websites.
**Block only 3rd-party cookies** from 3rd-party websites.
|
+| Disable or do not configure | All cookies are allowed from all sites. |
### Configure Do Not Track
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.
-
- - If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.
-
- - If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.
-
- - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info.
+This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests are never sent, but employees can choose to turn on and send requests.
+| If you… | Then… |
+| --- | --- |
+| Enable | Do Not Track requests are always sent to websites asking for tracking information. |
+| Disable | Do Not Track requests are never sent to websites asking for tracking information. |
+| Do not configure (default) | Employees can choose whether to send Do Not Track requests to websites asking for tracking information. |
### Configure Favorites
-- **Supported versions:** Windows 10, version 1511 or later
+>*Supported versions: Windows 10, version 1511 or later*
-- **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.
-
- - If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.
-
- - If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub.
+This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.
+| If you… | Then… |
+| --- | --- |
+| Enable | You must provide a list of Favorites in the Options section. The list imports automatically after you deploy this policy. |
+| Disable or do not configure | Employees will see the Favorites that they set in the Favorites hub. |
### Configure Password Manager
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
-
- - If you enable this setting (default), employees can use Password Manager to save their passwords locally.
-
- - If you disable this setting, employees can’t use Password Manager to save their passwords locally.
-
- - If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally.
+This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
+| If you… | Then… |
+| --- | --- |
+| Enable (default) | Employees can use Password Manager to save their passwords locally. |
+| Disable | Employees cannot use Password Manager to save their passwords locally. |
+| Do not configure | Employees can choose whether to use Password Manager to save their passwords locally. |
### Configure Pop-up Blocker
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
-
- - If you enable this setting (default), Pop-up Blocker is turned on, stopping pop-up windows from appearing.
-
- - If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.
-
- - If you don’t configure this setting, employees can choose whether to use Pop-up Blocker.
+This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
+| If you… | Then… |
+| --- | --- |
+| Enable (default) | Pop-up Blocker is turned on, stopping pop-up windows from appearing. |
+| Disable | Pop-up Blocker is turned off, letting pop-up windows appear. |
+| Do not configure | Employees can choose whether to use Pop-up Blocker. |
### Configure search suggestions in Address bar
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
-
- - If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.
-
- - If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
-
- - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
+This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees can see search suggestions in the Address bar. |
+| Disable | Employees cannot see search suggestions in the Address bar. |
+| Do not configure (default) | Employees can choose whether search suggestions appear in the Address bar. |
### Configure Start pages
-- **Supported versions:** Windows 10, version 1511 or later
+>*Supported versions: Windows 10, version 1511 or later*
-- **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it.
-
- - If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format:
-
-
-
- - If you disable or don’t configure this setting (default), your default Start page is the webpage specified in App settings.
+This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees will not be able to change this after you set it.
+| If you… | Then… |
+| --- | --- |
+| Enable | You must include URLs to the pages, separating multiple pages by using angle brackets in this format:
`` |
+| Disable or do not configure (default) | The default Start page is the webpage specified in App settings. |
### Configure the Adobe Flash Click-to-Run setting
-- **Supported versions:** Windows 10, version 1703
+>*Supported versions: Windows 10, version 1703*
-- **Description:** This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
-
- - If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
-
- - If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.
+This policy setting lets you decide whether employees must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
+| If you… | Then… |
+| --- | --- |
+| Enable or don’t configure | Employees must click the content, click the Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. |
+| Disable | Adobe Flash loads automatically and runs in Microsoft Edge. |
### Configure the Enterprise Mode Site List
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
+This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
+| If you… | Then… |
+| --- | --- |
+| Enable | You must add the location to your site list in the **{URI}** box. When configured, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. |
+Disable or do not configure (default) | Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. |
- - If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. If you use this option, you must also add the location to your site list in the **{URI}** box. When configured, any site on the list will always open in Internet Explorer 11.
-
- - If you disable or don’t configure this setting (default), Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.
-
- >[!Note]
- >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
- >If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
+>[!Note]
+>If there is a .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server has a different version number than the version in the cache container, the server file is used and stored in the cache container.
+>If you already use a site list, enterprise mode continues to work during the 65-second wait; it just uses the existing site list instead of the new one.
### Configure Windows Defender SmartScreen
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.
-
- - If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off.
-
- - If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on.
-
- - If you don’t configure this setting (default), employees can choose whether to use Windows Defender SmartScreen.
+This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.
+| If you… | Then… |
+| --- | --- |
+| Enable | Windows Defender SmartScreen is turned on, and employees cannot turn it off. |
+| Disable | Windows Defender SmartScreen is turned off, and employees cannot turn it on. |
+| Do not configure | Employees can choose whether to use Windows Defender SmartScreen. |
### Disable lockdown of Start pages
-- **Supported versions:** Windows 10, version 1703
+>*Supported versions: Windows 10, version 1703*
-- **Description:** This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect.
+This policy setting lets you disable the lockdown of Start pages if the Configure Start pages setting is in effect . This setting only applies to domain-joined or MDM-enrolled devices.
- >[!Important]
- >This setting only applies when you're using the “Configure Start pages" setting and can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
-
- - If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them.
-
- - If you disable or don't configure this setting (default), employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages.
+For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy).
+
+| If you… | Then… |
+| --- | --- |
+| Enable | You cannot lock down Start pages that are configured using the “Configure Start pages” setting. Employees can, therefore, modify the pages. |
+| Disable or do not configure (default) | Employees cannot change Start pages configured using the “Configure Start pages” setting. |
### Keep favorites in sync between Internet Explorer and Microsoft Edge
-- **Supported versions:** Windows 10, version 1703
+>*Supported versions: Windows 10, version 1703*
-- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge, including additions, deletions, changes, and position.
+This policy setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge, including additions, deletions, changes, and position.
- >[!Note]
- >Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices.
-
- - If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge.
-
- - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge.
+
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees can sync their favorites between Internet Explorer and Microsoft Edge.
Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. |
+| Disable or do not configure | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. |
### Prevent access to the about:flags page
-- **Supported versions:** Windows 10, version 1607 or later
+>*Supported versions: Windows 10, version 1607 or later*
-- **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
-
- - If you enable this policy setting, employees can’t access the about:flags page.
-
- - If you disable or don’t configure this setting (default), employees can access the about:flags page.
+This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees cannot access the about:flags page. |
+| Disable or do not configure (default) | Employees can access the about:flags page. |
### Prevent bypassing Windows Defender SmartScreen prompts for files
-- **Supported versions:** Windows 10, version 1511 or later
-
-- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.
-
- - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files.
-
- - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process.
+>*Supported versions: Windows 10, version 1511 or later*
+This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees cannot ignore Windows Defender SmartScreen warnings when downloading files. |
+| Disable or do not configure (default) | Employees can ignore Windows Defender SmartScreen warnings and can continue the download process. |
### Prevent bypassing Windows Defender SmartScreen prompts for sites
-- **Supported versions:** Windows 10, version 1511 or later
+>*Supported versions: Windows 10, version 1511 or later*
-- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites.
-
- - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site.
-
- - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue to the site.
+This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites.
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site. |
+| Disable or do not configure (default) | Employees can ignore Windows Defender SmartScreen warnings, allowing them to continue to the site. |
### Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
-- **Supported versions:** Windows 10, version 1703
+>*Supported versions: Windows 10, version 1703*
-- **Description:** This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
+This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
+| If you… | Then… |
+| --- | --- |
+| Enable | Microsoft Edge does not gather the Live Tile metadata, providing a minimal experience. |
+| Disable or do not configure (default) | Microsoft Edge gathers the Live Tile metadata, providing a fuller and complete experience. |
- - If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu.
-
- - If you disable or don't configure this setting (default), Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.
### Prevent the First Run webpage from opening on Microsoft Edge
-- **Supported versions:** Windows 10, version 1703
+>*Supported versions: Windows 10, version 1703*
-- **Description:** This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time.
-
- - If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time.
-
- - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time.
+This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time.
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees do not see the First Run page. |
+| Disable or do not configure (default) | Employees see the First Run page. |
### Prevent using Localhost IP address for WebRTC
-- **Supported versions:** Windows 10, version 1511 or later
+>*Supported versions: Windows 10, version 1511 or later*
-- **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.
-
- - If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.
-
- - If you disable or don’t configure this setting (default), Localhost IP addresses are shown while making calls using the WebRTC protocol.
+This policy setting lets you decide whether localhost IP addresses are visible or hidden while making calls to the WebRTC protocol.
+| If you… | Then… |
+| --- | --- |
+| Enable | Localhost IP addresses are hidden. |
+| Disable or do not configure (default) | Localhost IP addresses are visible. |
### Send all intranet sites to Internet Explorer 11
-- **Supported versions:** Windows 10 or later
+>*Supported versions: Windows 10*
-- **Description:** This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.
-
- - If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.
-
- - If you disable or don’t configure this setting (default), all websites, including intranet sites, are automatically opened using Microsoft Edge.
+This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.
+| If you… | Then… |
+| --- | --- |
+| Enable | All intranet sites are opened in Internet Explorer 11 automatically. |
+| Disable or do not configure (default) | All websites, including intranet sites, open in Microsoft Edge. |
### Set default search engine
-- **Supported versions:** Windows 10, version 1703
+>*Supported versions: Windows 10, version 1703*
-- **Description:** This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes.
+This policy setting applies only to domain-joined or MDM-enrolled devices and lets you configure the default search engine for Microsoft Edge. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes.
- >[!Important]
- >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- >If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.
+For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy).
- - If you enable this setting, you can choose a default search engine for your employees. To choose the default engine, you must add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format:
-
- https://fabrikam.com/opensearch.xml
-
- - If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.
+| If you… | Then… |
+| --- | --- |
+| Enable | To set a default search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:
`https://fabrikam.com/opensearch.xml` |
+| Disable | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . |
+| Do not configure | The default search engine is set to the one specified in App settings. |
- - If you don't configure this setting (default), the default search engine is set to the one specified in App settings.
+>[!Important]
+>If you'd like your employees to use the default Microsoft Edge settings for each market , you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.
### Show message when opening sites in Internet Explorer
-- **Supported versions:** Windows 10, version 1607 and later
+>*Supported versions: Windows 10, version 1607 and later*
-- **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
-
- - If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
-
- - If you disable or don’t configure this setting (default), the default app behavior occurs and no additional page appears.
+This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
+| If you… | Then… |
+| --- | --- |
+| Enable | Employees see an additional page. |
+| Disable or do not configure (default) | No additional pages display. |
## Using Microsoft Intune to manage your Mobile Device Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
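Review bot: In the new table for "Prevent bypassing Windows Defender SmartScreen prompts for sites", the Enable row reads "Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site", which leaves "prevents" without a subject; suggest "Employees cannot ignore Windows Defender SmartScreen warnings and are blocked from continuing to the site", as the removed bullet had it. The Enable row for the files policy drops the removed statement that employees are "blocked from downloading the unverified files", which is the enforcement effect an admin is looking for, so I would keep it. Smaller points in the same hunk: the favorites-sync table loses the "(default)" label on "Disable or do not configure", the WebRTC description now says "calls to the WebRTC protocol" where the old text said "using", the WebRTC description also drops "By default, this setting is turned off", the Live Tile row says "fuller and complete" where the old text said "fuller and more complete", and the aka.ms/browserpolicy link is added as http:// rather than https://.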
@@ -397,7 +376,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **1 (default).** Allowed. Address bar drop-down is enabled.
### AllowAutofill
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Desktop
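Review bot: Changing the AllowAutofill "Supported versions" line from "Windows 10 or later" to "Windows 10" is inconsistent with entries left untouched in this file, such as FirstRunURL, which still reads "Windows 10, version 1511 or later". If the intent is "all Windows 10 versions", say so once in the section intro, or keep "or later" so the two forms do not read as different support ranges. The same edit repeats in the AllowBrowser, AllowCookies, AllowDoNotTrack, AllowFlash, AllowPasswordManager, AllowPopups, AllowSearchSuggestionsinAddressBar, AllowSmartScreen, EnterpriseModeSiteList and SendIntranetTraffictoInternetExplorer hunks below.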
@@ -409,12 +388,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can’t use Autofill to complete form fields.
+ - **0.** Employees cannot use Autofill to complete form fields.
- **1 (default).** Employees can use Autofill to complete form fields.
### AllowBrowser
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Mobile
@@ -426,12 +405,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can’t use Microsoft Edge.
+ - **0.** Employees cannot use Microsoft Edge.
- **1 (default).** Employees can use Microsoft Edge.
### AllowCookies
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Both
@@ -462,12 +441,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can't use the F12 Developer Tools.
+ - **0.** Employees cannot use the F12 Developer Tools.
- **1 (default).** Employees can use the F12 Developer Tools.
### AllowDoNotTrack
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Both
@@ -496,12 +475,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can’t use Edge Extensions.
+ - **0.** Employees cannot use Edge Extensions.
- **1 (default).** Employees can use Edge Extensions.
### AllowFlash
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Desktop
@@ -513,7 +492,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Not allowed. Employees can’t use Adobe Flash.
+ - **0.** Not allowed. Employees cannot use Adobe Flash.
- **1 (default).** Allowed. Employees can use Adobe Flash.
@@ -547,7 +526,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Employees can’t use InPrivate browsing.
+ - **0.** Employees cannot use InPrivate browsing.
- **1 (default).** Employees can use InPrivate browsing.
@@ -564,12 +543,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Additional search engines aren't allowed and the default can’t be changed in the Address bar.
+ - **0.** Additional search engines are not allowed and the default cannot be changed in the Address bar.
- **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
### AllowPasswordManager
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Both
@@ -581,12 +560,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0 (default).** Employees can't use Password Manager to save passwords locally.
+ - **0 (default).** Employees cannot use Password Manager to save passwords locally.
- **1.** Employees can use Password Manager to save passwords locally.
### AllowPopups
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Desktop
@@ -615,13 +594,13 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0.** Additional search engines are not allowed and the default can’t be changed in the Address bar.
+ - **0.** Additional search engines are not allowed and the default cannot be changed in the Address bar.
- **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
### AllowSearchSuggestionsinAddressBar
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Both
@@ -633,12 +612,12 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **Allowed values:**
- - **0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.
+ - **0 (default).** Employees cannot see search suggestions in the Address bar of Microsoft Edge.
- **1.** Employees can see search suggestions in the Address bar of Microsoft Edge.
### AllowSmartScreen
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Both
@@ -706,7 +685,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **1.** Disable lockdown of the Start pages and allow users to modify them.
### EnterpriseModeSiteList
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Desktop
@@ -747,7 +726,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.
+ URLs must be on separate lines and are not shared between Microsoft Edge and Internet Explorer 11.
### FirstRunURL
- **Supported versions:** Windows 10, version 1511 or later
@@ -802,7 +781,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **0 (default).** Employees can access the about:flags page in Microsoft Edge.
- - **1.** Employees can't access the about:flags page in Microsoft Edge.
+ - **1.** Employees cannot access the about:flags page in Microsoft Edge.
### PreventFirstRunPage
- **Supported versions:** Windows 10, version 1703
@@ -819,7 +798,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **0 (default).** Employees see the First Run webpage.
- - **1.** Employees don't see the First Run webpage.
+ - **1.** Employees do not see the First Run webpage.
### PreventLiveTileDataCollection
- **Supported versions:** Windows 10, version 1703
@@ -887,10 +866,10 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.
- - **1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.
+ - **1.** Does not show an employee's LocalHost IP address while using the WebRTC protocol.
### SendIntranetTraffictoInternetExplorer
-- **Supported versions:** Windows 10 or later
+- **Supported versions:** Windows 10
- **Supported devices:** Desktop
@@ -968,9 +947,9 @@ These are additional Windows 10-specific Group Policy settings that work with M
- **Description:** This policy settings lets you decide whether employees can use Cortana.
- - If you enable or don't configure this setting, employees can use Cortana on their devices.
+ - If you enable or do not configure this setting, employees can use Cortana on their devices.
- - If you disable this setting, employees won't be able to use Cortana on their devices.
+ - If you disable this setting, employees will not be able to use Cortana on their devices.
>[!Note]
>Employees can still perform searches even with Cortana turned off.
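Review bot: The unchanged Description line directly above the edited bullets still reads "This policy settings lets you decide whether employees can use Cortana"; since this pass is a wording cleanup of the same block, fix it to "This policy setting lets you" in the same change.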
@@ -982,7 +961,7 @@ These are additional Windows 10-specific Group Policy settings that work with M
- If you enable this setting, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting.
- - If you disable or don't configure this setting (default), the Sync your Settings options are turned on, letting employees pick what can sync on their device.
+ - If you disable or do not configure this setting (default), the Sync your Settings options are turned on, letting employees pick what can sync on their device.
### Do not sync browser settings
- **Location:** Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings
@@ -991,7 +970,7 @@ These are additional Windows 10-specific Group Policy settings that work with M
- If you enable this setting, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting.
- - If you disable or don't configure this setting (default), the Sync your Settings options are turned on, letting browser groups pick what can sync on their device.
+ - If you disable or do not configure this setting (default), the Sync your Settings options are turned on, letting browser groups pick what can sync on their device.
## Microsoft Edge and Windows 10-specific MDM policy settings
@@ -1008,7 +987,7 @@ These are additional Windows 10-specific MDM policy settings that work with Mic
- **Allowed values:**
- - **0.** Employees can’t use Cortana on their devices.
+ - **0.** Employees cannot use Cortana on their devices.
- **1 (default).** Employees can use Cortana on their devices.
@@ -1023,7 +1002,7 @@ These are additional Windows 10-specific MDM policy settings that work with Mic
- **Allowed values:**
- - **0.** Employees can’t sync settings between PCs.
+ - **0.** Employees cannot sync settings between PCs.
- **1 (default).** Employees can sync between PCs.
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index 433e1061bf..cffe549908 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -13,15 +13,15 @@ ms.date: 07/27/2017
# Use Enterprise Mode to improve compatibility
-**Applies to:**
-
-- Windows 10
+> Applies to: Windows 10
If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
-> **Note**
+
+[@Reviewer: will RS5 have the need for the following note?]
+>[!NOTE]
>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
## Fix specific websites
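Review bot: The added line "[@Reviewer: will RS5 have the need for the following note?]" is an open review question and will publish as literal text directly above the note in the live topic. Resolve it in the PR discussion and remove the line before merge; if the note is still under question, hold the note change back rather than shipping the placeholder. Minor: this file adds "> Applies to: Windows 10" with a space after ">", while the other Edge topics in this patch use ">Applies to:".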
@@ -98,7 +98,5 @@ You can add the **Send all intranet traffic over to Internet Explorer** Group Po
* [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714)
-
-
diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md
index 6c45062cc6..81c4a2c980 100644
--- a/browsers/edge/hardware-and-software-requirements.md
+++ b/browsers/edge/hardware-and-software-requirements.md
@@ -13,15 +13,13 @@ ms.date: 07/27/2017
# Microsoft Edge requirements and language support
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
+>Applies to: Windows 10, Windows 10 Mobile
Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.
->**Note** The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
+>[!NOTE]
+>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
## Minimum system requirements
Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md
index ca6eea8b48..05335d7416 100644
--- a/browsers/edge/microsoft-edge-faq.md
+++ b/browsers/edge/microsoft-edge-faq.md
@@ -12,10 +12,7 @@ ms.date: 09/19/2017
# Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
+>Applies to: Windows 10, Windows 10 Mobile
**Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?**
diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md
index 2e06bbe027..40952d55dc 100644
--- a/browsers/edge/security-enhancements-microsoft-edge.md
+++ b/browsers/edge/security-enhancements-microsoft-edge.md
@@ -11,19 +11,16 @@ ms.date: 10/16/2017
# Security enhancements for Microsoft Edge
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
+>Applies to: Windows 10, Windows 10 Mobile
Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows.
## Help to protect against web-based security threats
While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking:
-- **Trickery.** Means using things like “phishing” attacks to convince a person to enter a banking password into a website that looks like the bank, but isn’t.
+- **Trickery** uses things like “phishing” attacks to convince a person to enter a banking password into a website that looks like the bank, but isn’t.
-- **Hacking.** Means attacking a system through malformed content that exploits subtle flaws in a browser, or in various browser extensions, such as video decoders. This exploit lets an attacker run code on a device, taking over first a browsing session, and perhaps ultimately the entire device.
+- **Hacking** attacks a system through malformed content that exploits subtle flaws in a browser, or in various browser extensions, such as video decoders. This exploit lets an attacker run code on a device, taking over first a browsing session, and perhaps ultimately the entire device.
While trickery and hacking are threats faced by every browser, it’s important that we explore how Microsoft Edge addresses these threats and is helping make the web a safer experience.
@@ -55,8 +52,8 @@ The Microsoft EdgeHTML engine also helps to defend against hacking through these
- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured.
- **Note**
- Both Microsoft Edge and Internet Explorer 11 support HSTS.
+>[!NOTE]
+>Both Microsoft Edge and Internet Explorer 11 support HSTS.
#### All web content runs in an app container sandbox
Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index 237d0411b6..df6a01cb68 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -191,6 +191,17 @@ The <url> attribute, as part of the <site> element in the v.2 versio
+
allow-redirect
+
A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
+
+In this example, if http://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
+
Internet Explorer 11 and Microsoft Edge
+
+
version
Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.
Internet Explorer 11 and Microsoft Edge
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 54958dccd3..6178f56bfb 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -20,6 +20,11 @@ This topic lists new and updated topics in the [Microsoft HoloLens documentation
The topics in this library have been updated for Windows 10 Holographic for Business, version 1803. The following new topics have been added:
- >
+## February 2018
+
+New or changed topic | Description
+--- | ---
+[Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | Replaced the instructions for upgrading to Windows Holographic for Business using Microsoft Intune with a link to the new Intune topic.
## December 2017
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index 428a49e956..1412357e31 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -12,7 +12,7 @@ ms.date: 07/27/2017
# Enroll HoloLens in MDM
-You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens) and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies).
+You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business), the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens), and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies).
>[!NOTE]
>Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
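Review bot: The body of hololens-enroll-mdm.md changes here but its front matter does not: the hunk header still shows "ms.date: 07/27/2017", whereas hololens-upgrade-enterprise.md in this same patch bumps ms.date to 02/02/2018. Update ms.date for this topic too, and consider adding it to the "February 2018" table in change-history-hololens.md, which currently lists only the upgrade topic.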
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index 9d30a43826..d77f7f7798 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -7,12 +7,12 @@ ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 02/02/2018
---
# Unlock Windows Holographic for Business features
-Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
+Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes_-_august_2016#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
@@ -25,50 +25,12 @@ When you purchase the Commercial Suite, you receive a license that upgrades Wind
The enterprise license can be applied by any MDM provider that supports the [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904983.aspx). The latest version of the Microsoft MDM API will support WindowsLicensing CSP.
+For step-by-step instructions for upgrading HoloLens using Microsoft Intune, see [Upgrade devices running Windows Holographic to Windows Holographic for Business](https://docs.microsoft.com/intune/holographic-upgrade).
-**Overview**
-
-1. Set up the edition upgrade policy.
-2. Deploy the policy.
-3. [Enroll the device through the Settings app](hololens-enroll-mdm.md).
-
-The procedures in this topic use Microsoft Intune as an example. On other MDM providers, the specific steps for setting up and deploying the policy might vary.
-
-### Set up the Edition Upgrade policy
-
-1. Sign into the Intune Dashboard with your Intune admin account.
-
-2. In the **Policy** workspace, select **Configuration Policies** and then **Add**.
-
- 
-
-3. In **Create a new policy**, select the **Edition Upgrade Policy (Windows 10 Holographic and later** template, and click **Create Policy**.
-
- 
-
-4. Enter a name for the policy.
-
-5. In the **Edition Upgrade** section, in **License File**, browse to and select the XML license file that was provided when you purchased the Commercial Suite.
-
- 
-
-5. Click **Save Policy**.
+ On other MDM providers, the specific steps for setting up and deploying the policy might vary.
-### Deploy the Edition Upgrade policy
-
-Next, you will assign the Edition Upgrade policy to selected groups.
-
-1. In the **Policy** workspace, select the Edition upgrade policy that you created, and then choose **Manage Deployment**.
-
-2. In the **Manage Deployment** dialog box, select one or more groups to which you want to deploy the policy, and then choose **Add** > **OK**.
-
-When these users enroll their devices in MDM, the Edition Upgrade policy will be applied.
-
-
-For more information about groups, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
-
## Edition upgrade using a provisioning package
Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device.
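Review bot: Removing the Overview list also removes the only link to `hololens-enroll-mdm.md`, so a reader using a non-Intune MDM no longer learns from this section that the license is applied only once the device is enrolled. Keep one sentence pointing to the enrollment topic next to the new Intune link. The added line `+ On other MDM providers, ...` also begins with a stray space; drop it so the sentence is not rendered as a continuation or an indented block.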
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 595a61e131..d0cb5eb932 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 01/17/2018
+ms.date: 03/06/2018
ms.localizationpriority: medium
---
@@ -16,6 +16,20 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## March 2018
+
+New or changed topic | Description
+--- | ---
+[Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Added section for account verification and testing, with link to new Surface Hub Hardware Diagnostic app.
+
+## February 2018
+
+New or changed topic | Description
+--- | ---
+[Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Updated instructions for custom settings using Microsoft Intune.
+[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated instructions and scripts.
+| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated instructions and scripts.
+
## January 2018
New or changed topic | Description
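Review bot: The last row added to the February 2018 table starts with a leading pipe (`+| [Online deployment](...)`), while every other row in this file starts directly with the link. Remove the leading `| ` so the row has two cells like its neighbours instead of rendering with an empty first column.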
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 1a16c46d86..44cc9145f9 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -31,7 +31,7 @@ When connecting external devices and displays to a Surface Hub, there are severa
## Guest Mode
-Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be re-routed through an alternate path, allowing the source to be displayed full-screen without violating HDCP requirements.
+Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be be displayed as a black image. To display your content without violating HDCP requirements, use the keypad on the right side of the Surface Hub to directly choose the external source.
>[!NOTE]
>When an HDCP source is connected, use the side keypad to change source inputs.
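Review bot: The replacement sentence contains a doubled word: "the source will be be displayed as a black image". The new closing sentence about using the keypad on the right side also repeats the NOTE directly below it ("use the side keypad to change source inputs"), so either drop the NOTE or shorten the sentence to avoid stating the same instruction twice.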
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index 47f53254f6..f6f48f6401 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -91,7 +91,7 @@ From here on, you'll need to finish the account creation process using PowerShel
In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console:
- [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149)
-- [Windows Azure Active Directory Module for Windows PowerShell](https://go.microsoft.com/fwlink/p/?linkid=236297)
+- [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids)
- [Skype for Business Online, Windows PowerShell Module](http://www.microsoft.com/download/details.aspx?id=39366)
### Connecting to online services
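Review bot: The new target for "Windows Azure Active Directory Module for Windows PowerShell" is a direct installer handler URL whose name is `WindowsAzurePowershellGet`, which reads as a different package from the one named in the link text. Confirm the link delivers the Azure AD module, and prefer a stable landing page over an installer endpoint so readers can check the publisher before running it. Other files in this same patch move to `Install-Module -Name AzureAD`, so consider aligning this prerequisite list with that. The Skype module link on the next line still uses `http://`.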
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index 470db2937e..cc5d233b08 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 07/27/2017
+ms.date: 03/06/2018
ms.localizationpriority: medium
---
@@ -57,7 +57,9 @@ For detailed steps using PowerShell to provision a device account, choose an opt
If you prefer to use a graphical user interface (UI), some steps can be done using UI instead of PowerShell.
For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).
+## Account verification and testing
+There are two methods available that you can use to validate and test a Surface Hub device account: [account verifications scripts](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts) and the [Surface Hub Hardware Diagnostic app](https://www.microsoft.com/store/apps/9nblggh51f2g). The account verification script will validate a previously-created device account using PowerShell from your desktop. The Surface Hub Hardware Diagnostic app is installed on your Surface Hub and provides detailed feedback about signin and communication failures. Both are valuable tools to test newly created device accounts and should be used to ensure optimal account availability.
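Review bot: Typos in the added paragraph: "account verifications scripts" should be "account verification scripts", and "signin" should be "sign-in". The new heading also has no blank line between it and the paragraph; add one to match the other sections in this file.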
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 01157f507c..61120d6a25 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -164,8 +164,8 @@ Users can sign in to Microsoft Edge to access intranet sites and online resource
*Organization policies that this may affect:*
-->
-### Telemetry
+### Diagnostic data
-The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
+The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit diagnostic data. For more information, see [Configure Windows diagnostic data in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization).
-*Organization policies that this may affect:* Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
+*Organization policies that this may affect:* Configure diagnostic data levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
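Review bot: Renaming the heading from "Telemetry" to "Diagnostic data" changes the generated anchor for this section, so any inbound link that targets the old `#telemetry` fragment will now land at the top of the page. Check for such links before merging, and confirm the rewritten technet URL ending in `configure-windows-diagnostic-data-in-your-organization` resolves, since only the slug was edited.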
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index 1281d6ae51..de3ffd59ee 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 10/20/2017
+ms.date: 02/21/2018
ms.localizationpriority: medium
---
@@ -38,11 +38,11 @@ Use this procedure if you use Exchange on-premises.
-3. Enable the remote mailbox.
+2. Enable the remote mailbox.
Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet.
- ```ps1
+ ```PowerShell
Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room
```
>[!NOTE]
@@ -54,7 +54,7 @@ Use this procedure if you use Exchange on-premises.
>
>msExchRecipientTypeDetails = 8589934592
-2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
+3. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
4. Connect to Microsoft Exchange Online and set some properties for the account in Office 365.
@@ -62,8 +62,8 @@ Use this procedure if you use Exchange on-premises.
The next steps will be run on your Office 365 tenant.
- ```ps1
- Set-ExecutionPolicy Unrestricted
+ ```PowerShell
+ Set-ExecutionPolicy RemoteSigned
$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
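Review bot: `Set-ExecutionPolicy RemoteSigned` is a better default than `Unrestricted`, but without `-Scope` it changes the policy for the whole machine and leaves it changed after this procedure is finished. Suggest `Set-ExecutionPolicy RemoteSigned -Scope Process` (or `-Scope CurrentUser`) so the admin workstation is not left with a permanently relaxed policy and the step does not require an elevated console.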
@@ -77,13 +77,13 @@ Use this procedure if you use Exchange on-premises.
If you haven’t created a compatible policy yet, use the following cmdlet—-this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
- ```ps1
+ ```PowerShell
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account.
- ```ps1
+ ```PowerShell
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
```
@@ -91,31 +91,44 @@ Use this procedure if you use Exchange on-premises.
Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
- ```ps1
+ ```PowerShell
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!'
```
7. Connect to Azure AD.
+ You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
+ ```PowerShell
+ Install-Module -Name AzureAD
+ ```
+
You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
- ```ps1
- Connect-MsolService -Credential $cred
+ ```PowerShell
+ Import-Module AzureAD
+ Connect-AzureAD -Credential $cred
```
-
8. Assign an Office 365 license.
The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
+
+ You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
- Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
+ Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
- Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
-
- ```ps1
- Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US'
- Get-MsolAccountSku
- Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
+ ```PowerShell
+ Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
+
+ Get-AzureADSubscribedSku | Select Sku*,*Units
+ $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
+ $License.SkuId = SkuId You selected
+
+ $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
+ $AssignedLicenses.AddLicenses = $License
+ $AssignedLicenses.RemoveLicenses = @()
+
+ Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses
```
Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-premises](#skype-for-business-on-premises), or [Skype for Business hybrid](#skype-for-business-hybrid).
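Review bot: The added line `$License.SkuId = SkuId You selected` is not valid PowerShell, so anyone pasting the block gets a parse error before the license is assigned. Use a quoted placeholder such as `$License.SkuId = '<SkuId from the list above>'`, or show how to pick the value from the `Get-AzureADSubscribedSku` output. The added sentence "In an elevated powershell prompt run the following command :" should capitalize "PowerShell" and drop the space before the colon, and it needs a blank line before the opening fence.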
@@ -144,25 +157,25 @@ The following table lists the Office 365 plans and Skype for Business options.
1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment.
- ```ps1
- Import-Module LyncOnlineConnector
+ ```PowerShell
+ Import-Module SkypeOnlineConnector
$cssess=New-CsOnlineSession -Credential $cred
Import-PSSession $cssess -AllowClobber
```
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
- ```ps1
+ ```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
- ```ps1
+ ```PowerShell
Get-CsOnlineUser -Identity ‘HUB01@contoso.com’| fl *registrarpool*
```
-2. Assign Skype for Business license to your Surface Hub account.
+3. Assign Skype for Business license to your Surface Hub account.
Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
@@ -215,10 +228,10 @@ Use this procedure if you use Exchange online.
Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets.
- ```ps1
- Set-ExecutionPolicy Unrestricted
+ ```PowerShell
+ Set-ExecutionPolicy RemoteSigned
$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
- $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
+ $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
```
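Review bot: The new `-ConnectionUri https://outlook.office365.com/PowerShell-liveid/` looks like the result of the same search-and-replace that changed the fence tags from `ps1` to `PowerShell`. The online deployment topic in this patch uses `powershell-liveid` in lowercase; use that spelling here so the two procedures agree and the endpoint is not dependent on case-insensitive matching. The same `-Scope` suggestion applies to `Set-ExecutionPolicy RemoteSigned` in this block.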
@@ -228,13 +241,13 @@ Use this procedure if you use Exchange online.
If you're changing an existing resource mailbox:
- ```ps1
+ ```PowerShell
Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force)
```
If you’re creating a new resource mailbox:
- ```ps1
+ ```PowerShell
New-Mailbox -MicrosoftOnlineServicesID 'HUB01@contoso.com' -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force)
```
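Review bot: Both commands in the fences touched here call `ConvertTo-SecureString -String -AsPlainText -Force` with no value after `-String`, so they fail as written; the password placeholder appears to have been lost. Restore an explicit placeholder while these blocks are being edited, and consider prompting with `Read-Host -AsSecureString` instead so the device account password does not end up in console history.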
@@ -246,13 +259,13 @@ Use this procedure if you use Exchange online.
If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
- ```ps1
+ ```PowerShell
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
- ```ps1
+ ```PowerShell
Set-Mailbox 'HUB01@contoso.com' -Type Regular
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
Set-Mailbox 'HUB01@contoso.com' -Type Room
@@ -264,7 +277,7 @@ Use this procedure if you use Exchange online.
Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
- ```ps1
+ ```PowerShell
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
@@ -294,24 +307,38 @@ Use this procedure if you use Exchange online.
7. Connect to Azure AD.
+ You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
+
+ ```PowerShell
+ Install-Module -Name AzureAD
+ ```
You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
- ```ps1
- Connect-MsolService -Credential $cred
+ ```PowerShell
+ Import-Module AzureAD
+ Connect-AzureAD -Credential $cred
```
8. Assign an Office 365 license.
The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
- Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
+ Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
- Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
+ Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
- ```ps1
- Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US'
- Get-MsolAccountSku
- Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
+ ```PowerShell
+ Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
+
+ Get-AzureADSubscribedSku | Select Sku*,*Units
+ $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
+ $License.SkuId = SkuId You selected
+
+ $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
+ $AssignedLicenses.AddLicenses = $License
+ $AssignedLicenses.RemoveLicenses = @()
+
+ Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses
```
Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-premises](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid).
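Review bot: `Install-Module -Name AzureAD` is introduced with an instruction to run it elevated, which installs the module for all users; `-Scope CurrentUser` would avoid needing an elevated prompt for what is otherwise a per-admin task. The closing fence of that block is followed immediately by "You need to connect to Azure AD..." with no blank line, which can break list rendering. This hunk also repeats the invalid `$License.SkuId = SkuId You selected` line and keeps the leading "Next," on the `Get-AzureADSubscribedSku` sentence, which the on-premises copy of this step dropped.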
@@ -323,22 +350,22 @@ In order to enable Skype for Business, your environment will need to meet the [p
1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC.
- ```
- Import-Module LyncOnlineConnector
+ ```PowerShell
+ Import-Module SkypeOnlineConnector
$cssess=New-CsOnlineSession -Credential $cred
Import-PSSession $cssess -AllowClobber
```
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
- ```
+ ```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool
'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
- ```
+ ```PowerShell
Get-CsOnlineUser -Identity 'HUB01@contoso.com'| fl *registrarpool*
```
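Review bot: Inside the second fence retagged here, `Enable-CsMeetingRoom ... -RegistrarPool` ends the line and its value `'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName` sits on the next line with no continuation character, so PowerShell treats them as two statements and the first fails for a missing argument. Join them onto one line, as the on-premises copy of this step earlier in the file already does.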
@@ -368,7 +395,7 @@ For validation, you should be able to use any Skype for Business client (PC, And
To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run:
-```
+```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName
```
@@ -383,7 +410,7 @@ In a hybrid Skype environment, you have to create the user on-premises first, th
In order to have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. First follow the Exchange steps - either [online](#exchange-online) or [on-premises](#exchange-on-premises) - and, instead of enabling the user for Skype for Business Online as described, [enable the account](https://technet.microsoft.com/library/gg398711.aspx) on the on-premises Skype server:
-```
+```PowerShell
Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName
```
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 8449690b59..b0737d1f6b 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -164,6 +164,10 @@ There are a few different ways to install apps on your Surface Hub depending on
| Microsoft Store app | | X | |
| Supported MDM provider | | | X |
+## More information
+
+- [Blog post: Deploy Windows Store apps to Surface Hub using Intune](https://blogs.technet.microsoft.com/y0av/2018/01/18/7-2/)
+
## Related topics
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 23eb0e418f..735c1a071f 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub, mobility
author: jdeckerms
ms.author: jdecker
-ms.date: 01/17/2018
+ms.date: 02/16/2018
ms.localizationpriority: medium
---
@@ -147,7 +147,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
| --- | --- | --- |---- | --- | --- |
-| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
+| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes |
| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
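Review bot: The RebootNow row now says a bare "Yes" for Intune, while the two scheduled-reboot rows below it say "Yes [Use a custom policy.](#example-intune)". If immediate reboot also has to be sent as a custom setting, add the same pointer; if Intune exposes it directly, say where. An immediate reboot is disruptive in a meeting room, so the row should be explicit about how it is triggered.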
@@ -212,38 +212,9 @@ The data type is also stated in the CSP documentation. The most common data type
## Example: Manage Surface Hub settings with Microsoft Intune
-You can use Microsoft Intune to manage Surface Hub settings.
+You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**.
-**To create a configuration policy from a template**
-You'll use the **Windows 10 Team general configuration policy** as the template.
-
-1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
-2. On the left-hand navigation menu, click **Policy**.
-3. In the Overview page, click **Add Policy**.
-4. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, and then click **Create Policy**.
-
- 
-5. Configure your policy, then click **Save Policy**
-
- 
-6. When prompted, click **Yes** to deploy your new policy to a user or device group. For more information, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
-
-**To create a custom configuration policy**
-
-You’ll need to create a custom policy using the **Custom Configuration (Windows 10 Desktop and Mobile and later)** template to manage settings that are not available in the **Windows 10 Team general configuration policy** template.
-
-1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
-2. On the left-hand navigation menu, click **Policy**.
-3. On the Overview page, click **Add Policy**.
-4. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
-5. Type a name and optional description for the policy.
-6. Under OMA-URI Settings, click **Add**.
-7. Complete the form to create a new setting, and then click **OK**.
-
- 
-8. Repeat Steps 6 and 7 for each setting you want to configure with this policy.
-9. After you're done, click **Save Policy** and deploy it to a user or device group.
## Example: Manage Surface Hub settings with System Center Configuration Manager
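Review bot: The replacement paragraph merges the two removed procedures (template policy and custom OMA-URI policy) into one sentence, and it is now unclear whether the profile type "Device restrictions (Windows 10 Team)" applies to custom settings or only to the built-in ones. State which profile type to choose for each case, since the table above links to this section with "Use a custom policy." The hunk also leaves two consecutive blank lines before the next heading.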
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index d8ddba730e..7fe0d6aeff 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -86,7 +86,7 @@ This table describes the sample queries in the Surface Hub solution:
| Alert type | Impact | Recommended remediation | Details |
| ---------- | ------ | ----------------------- | ------- |
-| Software | Error | **Reboot the device**. Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx). Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the telemetry reporting system. |
+| Software | Error | **Reboot the device**. Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx). Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the diagnostic data reporting system. |
| Software | Error | **Check your Exchange service**. Verify: - The service is available. - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. |
| Software | Error | **Check your Skype for Business service**. Verify: - The service is available. - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details. - The domain name for Skype for Business is properly configured - see [Configure a domain name](use-fully-qualified-domain-name-surface-hub.md). | Triggers when Skype fails to sign in. |
| Software | Error | **Reset the device**. This takes some time, so you should take the device offline. For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. |
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 6dc990e855..6a314c317a 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 08/29/2017
+ms.date: 02/21/2018
ms.localizationpriority: medium
---
@@ -25,7 +25,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Be sure you have the right permissions set to run the associated cmdlets.
```PowerShell
- Set-ExecutionPolicy Unrestricted
+ Set-ExecutionPolicy RemoteSigned
$org='contoso.microsoft.com'
$cred=Get-Credential admin@$org
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
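Review bot: the added `Set-ExecutionPolicy RemoteSigned` line still has no `-Scope`, so it changes the LocalMachine policy persistently on whatever workstation the admin runs this from. `RemoteSigned` is a clear improvement over `Unrestricted`, but consider `Set-ExecutionPolicy RemoteSigned -Scope Process` so the change lasts only for the session running these cmdlets. Otherwise, state that the command needs an elevated prompt and tell readers how to restore their previous policy afterwards.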
@@ -70,37 +70,52 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
```
5. Connect to Azure AD.
-
+
+ You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
+
+ ```PowerShell
+ Install-Module -Name AzureAD
+ ```
You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
```PowerShell
- Connect-MsolService -Credential $cred
+ Import-Module AzureAD
+ Connect-AzureAD -Credential $cred
```
6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
```PowerShell
- Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
+ Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration"
```
7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online).
- Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
+ Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
- Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
+ Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
```PowerShell
- Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US"
- Get-MsolAccountSku
- Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
+ Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
+
+ Get-AzureADSubscribedSku | Select Sku*,*Units
+ $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
+ $License.SkuId = SkuId You selected
+
+ $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
+ $AssignedLicenses.AddLicenses = $License
+ $AssignedLicenses.RemoveLicenses = @()
+
+ Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses
```
8. Enable the device account with Skype for Business.
+ If the Skype for Business PowerShell module is not installed, [download the Skype for Business Online Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366).
- Start by creating a remote PowerShell session from a PC.
```PowerShell
- Import-Module LyncOnlineConnector
+ Import-Module SkypeOnlineConnector
$cssess=New-CsOnlineSession -Credential $cred
Import-PSSession $cssess -AllowClobber
```
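Review bot: `$License.SkuId = SkuId You selected` in the step 7 block is not valid PowerShell. Pasted as written, it tries to run a command named `SkuId`, fails, and leaves `$License.SkuId` unset before `Set-AzureADUserLicense` is called. Use a quoted placeholder such as `'<SkuId from the list above>'`, or put the instruction in a `#` comment, and say which column of the `Get-AzureADSubscribedSku` output supplies the value. In step 5, the new install paragraph has "powershell" in lower case and a stray space in "command :". It also sits ahead of the sentence "You need to connect to Azure AD to apply some account settings", so the step explains the installation before it says why it is needed.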
@@ -108,12 +123,13 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
- Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*):
```PowerShell
- Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool*
+ (Get-CsTenant).TenantPoolExtension
```
OR by setting a variable
```PowerShell
- $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool
+ $strRegistrarPool = (Get-CsTenant).TenantPoolExtension
+ $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1)
```
- Enable the Surface Hub account with the following cmdlet:
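Review bot: the lead-in above both replaced commands still says to get the value "from an existing Skype for Business user ... (for example, *alice@contoso.com*)", but the new commands read it from `Get-CsTenant` and take no user, so the sentence needs updating with the code. The two alternatives also no longer give the same result. The first prints the raw `TenantPoolExtension` value, while the variable form takes element `[0]` and strips everything up to the first `:`. Either show the same trimming in the first form or tell the reader which part of the output is the `RegistrarPool` value. The indexing also assumes the property is non-empty, and a short note on what to do when it is empty would help.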
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index d649dc5dda..077e16a6a5 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -40,9 +40,9 @@ Depending on your environment, access to additional ports may be needed:
- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
- For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
-Microsoft collects telemetry to help improve your Surface Hub experience. Add these sites to your allow list:
-- Telemetry client endpoint: `https://vortex.data.microsoft.com/`
-- Telemetry settings endpoint: `https://settings.data.microsoft.com/`
+Microsoft collects diagnostic data to help improve your Surface Hub experience. Add these sites to your allow list:
+- Diagnostic data client endpoint: `https://vortex.data.microsoft.com/`
+- Diagnostic data settings endpoint: `https://settings.data.microsoft.com/`
### Proxy configuration
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index c00bb03bbb..b303d0354c 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -34,7 +34,7 @@ To let people in your organization sign in to Surface Hub with their phones and
- Surface Hub is set up with either a local or domain-joined account.
-Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to an Active Directory domain or to Azure AD.
+Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to Azure AD.
## Individual prerequisites
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 838e8452a9..33ef0f983f 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -17,21 +17,21 @@ This topic provides links to useful Surface Hub documents, such as product datas
| Link | Description |
| --- | --- |
-| [Surface Hub Site Readiness Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) |
-| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-setup-guide) | Get a quick overview of how to set up the environment for your new Surface Hub. |
-| [Surface Hub Quick Reference Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-quick-reference-guide) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
+| [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) |
+| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](http://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. |
+| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface Hub Quick Reference Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
| [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
| [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
-| [Surface Hub SSD Replacement Guide (PDF)](https://www.microsoft.com/surface/en-us/support/surfacehubssd) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
+| [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
-| [Unpacking Guide for 84-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-84) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
-| [Unpacking Guide for 55-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-55) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
-| [Wall Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-wall-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) |
-| [Floor-Supported Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-floor-supported-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the floor-supported brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/ed/de/edde468a-e1d4-4ce8-8b61-c4527dd25c81.mov?n=04.07.16_installation_video_06_floor_support_mount.mov) |
-| [Rolling Stand Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-rolling-stand-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) |
-| [Mounts and Stands Datasheet (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-mounts-and-stands-datasheet) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. |
-| [Surface Hub Stand and Wall Mount Specifications (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-stand-and-wall-mount-specs) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. |
-| [Surface Hub Onsite Installation and Onsite Repair/Exchange Services FAQ (PDF)](https://www.microsoft.com/surface/en-us/support/surface-hub/onsite-installation-repair-faq) | Get answers to the most common questions about Surface Hub onsite service offerings and delivery. |
+| [Unpacking Guide for 84-inch Surface Hub (PDF)](http://download.microsoft.com/download/5/2/B/52B4007E-D8C8-4EED-ACA9-FEEF93F6055C/84_Unpacking_Guide_English_French-Spanish.pdf) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
+| [Unpacking Guide for 55-inch Surface Hub (PDF)](http://download.microsoft.com/download/2/E/7/2E7616A2-F936-4512-8052-1E2D92DFD070/55_Unpacking_Guide_English-French-Spanish.PDF) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
+| [Wall Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Wall_Mounts_EN-FR-ES-NL-DE-IT-PT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) |
+| [Floor-Supported Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Floor_Support_Mount_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the floor-supported brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/ed/de/edde468a-e1d4-4ce8-8b61-c4527dd25c81.mov?n=04.07.16_installation_video_06_floor_support_mount.mov) |
+| [Rolling Stand Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Rolling_Stands_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) |
+| [Mounts and Stands Datasheet (PDF)](http://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. |
+| [Surface Hub Stand and Wall Mount Specifications (PDF)](http://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. |
+| [Surface Hub Onsite Installation and Onsite Repair/Exchange Services FAQ (PDF)](http://download.microsoft.com/download/B/D/1/BD16D7C5-2662-4B7D-9C98-272CEB11A6F3/20160816%20SurfaceHub_Onsite%20Services%20FAQs%20FINAL.PDF) | Get answers to the most common questions about Surface Hub onsite service offerings and delivery. |
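Review bot: every replaced link in this table moves from `https://www.microsoft.com/...` to `http://download.microsoft.com/...`, so the guides would now be fetched over plain HTTP; please use the `https://` form of the download URLs if the host serves them. The new Quick Reference Guide URL also contains literal spaces (`Surface Hub Quick Reference Guide_en-us.pdf`), which will break the Markdown link. Encode them as `%20`, as the Onsite Services FAQ link in this same hunk does.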
diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md
index 0f3defa248..07671c8e12 100644
--- a/devices/surface-hub/surface-hub-start-menu.md
+++ b/devices/surface-hub/surface-hub-start-menu.md
@@ -28,7 +28,7 @@ The customized Start menu is defined in a Start layout XML file. You have two op
- Configure the desired Start menu on a desktop (pinning only apps that are available on Surface Hub), and then [export the layout](https://docs.microsoft.com/windows/configuration/customize-and-export-start-layout#export-the-start-layout).
>[!TIP]
->To add a tile with a web link to your desktop start menu, go the the link in Microsoft Edge, select `...` in the top right corner, and select **Pin this page to Start**. See [a Start layout that includes a Microsoft Edge link](#edge) for an example of how links will appear in the XML.
+>To add a tile with a web link to your desktop start menu, go to the link in Microsoft Edge, select `...` in the top right corner, and select **Pin this page to Start**. See [a Start layout that includes a Microsoft Edge link](#edge) for an example of how links will appear in the XML.
To edit the default XML or the exported layout, familiarize yourself with the [Start layout XML](https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop). There are a few [differences between Start layout on a deskop and a Surface Hub.](#differences)
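Review bot: while this tip is being corrected, the unchanged line directly after it still has "deskop" in "differences between Start layout on a deskop and a Surface Hub", with the full stop inside the link text. Fixing both in the same change would avoid a second typo-only commit.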
@@ -176,4 +176,8 @@ This example shows a link to a website and a link to a .pdf file.
-```
\ No newline at end of file
+```
+
+## More information
+
+- [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/)
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index 7d770e3856..59ced8ff5d 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -7,7 +7,7 @@ ms.pagetype: devices
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
-ms.date: 07/27/2017
+ms.date: 01/18/2018
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 71a5e73675..9b2ef8764a 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -524,7 +524,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
0x85002004
E_FAIL_ABORT
-
This error is used to interrupt the hanging sync, and will not be exposed to users. It will be shown in the telemetry if you force an interactive sync, delete the account, or update its settings.
+
This error is used to interrupt the hanging sync, and will not be exposed to users. It will be shown in the diagnostic data if you force an interactive sync, delete the account, or update its settings.
Nothing.
@@ -602,7 +602,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
## Related content
-- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)
+- [Troubleshooting Miracast connection to the Surface Hub](https://docs.microsoft.com/surface-hub/miracast-troubleshooting)
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 5dd7130ea6..778c88fa47 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -1,5 +1,6 @@
# [Surface](index.md)
## [Deploy Surface devices](deploy.md)
+### [Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md)
### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsc.md)
#### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index a18646b616..a374627e4d 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -5,18 +5,26 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-ms.date: 11/03/2017
+ms.date: 02/12/2018
---
# Change history for Surface documentation
This topic lists new and updated topics in the Surface documentation library.
+## February 2018
+
+|New or changed topic | Description |
+| --- | --- |
+|[Surface Dock Updater](surface-dock-updater.md) | Added version 2.12.136.0 information |
+|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.46.0 information |
+
## January 2018
|New or changed topic | Description |
| --- | --- |
-|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.45 information |
+|[Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md) | New article |
+|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.45.0 information |
|[Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)](surface-device-compatibility-with-windows-10-ltsc.md) | Updated Current Branch (CB) or Current Branch for Business (CBB) servicing options with Semi-Annual Channel (SAC) information |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | Added Surface Book 2, Surface Laptop, Surface Pro, Surface Pro with LTE Advanced, and Surface Pro information |
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index d76f67bec8..a52eef5395 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: heatherpoulsen
-ms.date: 04/11/2017
+author: brecords
+ms.date: 01/29/2018
+ms.author: jdecker
---
# Deploy Surface devices
@@ -17,7 +18,8 @@ Get deployment guidance for your Surface devices including information about MDT
| Topic | Description |
| --- | --- |
-| [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. |
+| [Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md) | Find out how to remotely deploy and configure devices with Windows AutoPilot. |
+| [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSC edition. |
| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index fd67224039..b1f7c26052 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -10,7 +10,7 @@ ms.pagetype: surface, devices, security
ms.sitesec: library
author: brecords
ms.author: jdecker
-ms.date: 01/03/2018
+ms.date: 02/12/2018
---
# Microsoft Surface Data Eraser
@@ -139,25 +139,32 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
8. Click the **Yes** button to continue erasing data on the Surface device.
+>[!NOTE]
+>When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder.
+
## Changes and updates
Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
-### Version 3.2.45
+### Version 3.2.46.0
+This version of Microsoft Surface Data Eraser adds support for the following:
+
+- Surface Pro with LTE Advanced
+
+
+### Version 3.2.45.0
This version of Microsoft Surface Data Eraser adds support for the following:
- Surface Book 2
-- Surface Pro with LTE Advanced
-
- Surface Pro 1TB
>[!NOTE]
->Surface Data Eraser v3.2.45 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/en-us/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information.
+>Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/en-us/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information.
-### Version 3.2.36
+### Version 3.2.36.0
This version of Microsoft Surface Data Eraser adds support for the following:
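Review bot: the added note says "When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder", which does not say where that folder lives (presumably on the USB drive itself) or what the log records. For a tool used to sanitize devices, the log is likely to be kept as evidence of erasure, so state the location explicitly and, if possible, what is logged. The note is also placed after step 8 at the top level, so it may render detached from the procedure it describes.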
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index eff1dae917..55d7b233dc 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: brecords
-ms.date: 11/03/2017
+ms.date: 02/23/2018
ms.author: jdecker
---
@@ -116,6 +116,22 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app
>[!Note]
>Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
+### Version 2.12.136.0
+*Release Date: 29 January 2018*
+
+This version of Surface Dock Updater adds support for the following:
+* Update for Surface Dock Main Chipset Firmware
+* Update for Surface Dock DisplayPort Firmware
+* Improved display stability for external displays when used with Surface Book or Surface Book 2
+
+Additionally, installation of this version of Surface Dock Updater on Surface Book devices includes the following:
+* Update for Surface Book Base Firmware
+* Added support for Surface Dock firmware updates with improvements targeted to Surface Book devices
+
+>[!Note]
+>Before the Surface Dock firmware update applied by Surface Dock Updater v2.12.136.0 will take effect on a Surface Book device, a firmware update for the Surface Book Base is required. If you install Surface Dock Updater v2.12.136.0 on a Surface Book and update an attached Surface Dock from that same device, the firmware of the Surface Book Base will automatically be updated when installing the Surface Dock Updater. However, if you update a Surface Dock using Surface Dock Updater v2.12.136.0 on different device, and then connect that Surface Dock to a Surface Book where Surface Dock Updater v2.12.136.0 has not been installed, the benefits of the updated Surface Dock will not be enabled. To enable the benefits of the updated Surface Dock on a Surface Book device, Surface Book Base firmware must also be updated by installing Surface Dock Updater v2.12.136.0 on the Surface Book device. Surface Book Base firmware update is not required on a Surface Book 2 device.
+
+
### Version 2.9.136.0
*Release date: November 3, 2017*
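Review bot: the new entry uses "*Release Date: 29 January 2018*" while the existing entry just below it uses "*Release date: November 3, 2017*"; match the capitalization and date format of the existing entries. The added note is also one very long paragraph that is hard to follow, and it has "on different device" where "on a different device" is meant. Consider splitting it into the two cases, one where the Dock is updated from the same Surface Book and one where it is updated from another device, and ending with the Surface Book 2 exception.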
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
new file mode 100644
index 0000000000..d4599d8ffd
--- /dev/null
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -0,0 +1,51 @@
+---
+title: Windows AutoPilot and Surface Devices (Surface)
+description: Find out about Windows AutoPilot deployment options for Surface devices.
+keywords: autopilot, windows 10, surface, deployment
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: brecords
+ms.date: 01/31/2018
+ms.author: jdecker
+---
+
+# Windows AutoPilot and Surface devices
+
+Windows AutoPilot is a cloud-based deployment technology available in Windows 10. Using Windows AutoPilot, you can remotely deploy and configure devices in a truly zero-touch process right out of the box. Windows AutoPilot registered devices are identified over the internet at first boot using a unique device signature, known as the hardware hash, and automatically enrolled and configured using modern management solutions such as Azure Active Directory (AAD) and Mobile Device Management (MDM).
+
+With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows AutoPilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process can eliminate need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution.
+
+In this article learn how to enroll your Surface devices in Windows AutoPilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows AutoPilot with other devices, or to read more about Windows AutoPilot and its capabilities, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library.
+
+## Prerequisites
+Enrollment of Surface devices in Windows AutoPilot with a Surface partner enabled for Windows AutoPilot has the following licensing requirements for each enrolled Surface device:
+* **Azure Active Directory Premium** – Required to enroll your devices in your organization and to automatically enroll devices in your organization’s mobile management solution.
+* **Mobile Device Management (such as Microsoft Intune)** – Required to remotely deploy applications, configure, and manage your enrolled devices.
+* **Office 365 ProPlus** – Required to deploy Microsoft Office to your enrolled devices.
+
+These requirements are also met by the following solutions:
+* Microsoft 365 E3 or E5 (includes Azure Active Directory Premium, Microsoft Intune, and Office 365 ProPlus)
+
+Or
+* Enterprise Mobility + Security E3 or E5 (includes Azure Active Directory Premium and Microsoft Intune)
+* Office 365 ProPlus, E3, or E5 (includes Office 365 ProPlus)
+
+>[!NOTE]
+>Deployment of devices using Windows AutoPilot to complete the Out-of-Box Experience (OOBE) is supported without these prerequisites, however will yield deployed devices without applications, configuration, or enrollment in a management solution and is highly discouraged.
+
+### Windows version considerations
+Support for broad deployments of Surface devices using Windows AutoPilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update). Windows 10 Version 1709 uses a secure 4096-bit (4k) hash value to uniquely identify devices for Windows AutoPilot that is necessary for deployments at scale.
+
+### Surface device support
+Surface devices with support for out-of-box deployment with Windows AutoPilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709:
+* Surface Pro (Model 1796)
+* Surface Book 2
+* Surface Laptop
+* Surface Studio
+
+## Surface partners enabled for Windows AutoPilot
+Enrolling Surface devices in Windows AutoPilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows AutoPilot, Azure Active Directory, and Mobile Device Management.
+
+You can find a list of Surface partners enabled for Windows AutoPilot at the [Windows AutoPilot for Surface portal](https://www.microsoft.com/en-us/itpro/surface/windows-autopilot-for-surface).
\ No newline at end of file
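Review bot: In the "These requirements are also met by the following solutions" list under Prerequisites, the bare "Or" between the Microsoft 365 bullet and the two bullets after it does not say that Enterprise Mobility + Security and Office 365 ProPlus have to be licensed together to cover all three requirements. Suggest wording the second option as a single item, for example "Enterprise Mobility + Security E3 or E5 together with Office 365 ProPlus, E3, or E5". Two smaller points: the intro sentence "This article focuses specifically on Surface devices, for more information..." is a comma splice and should be split into two sentences, and the new file ends without a trailing newline, which this same patch fixes in use-school-data-sync.md.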
diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md
index b57970b3ce..ec173a261d 100644
--- a/education/get-started/configure-microsoft-store-for-education.md
+++ b/education/get-started/configure-microsoft-store-for-education.md
@@ -23,7 +23,7 @@ You'll need to configure Microsoft Store for Education to accept the services ag
You can watch the video to see how this is done, or follow the step-by-step guide.
-
+> [!VIDEO https://www.youtube.com/embed/Jnbssq0gC_g]
You can watch the descriptive audio version here: [Microsoft Education: Configure Microsoft Store for Education (DA)](https://www.youtube.com/watch?v=bStgEpHbEXw)
@@ -53,11 +53,6 @@ You can watch the descriptive audio version here: [Microsoft Education: Configur
Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next.
-
-
> [!div class="step-by-step"]
[<< Use School Data Sync to import student data](use-school-data-sync.md)
[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md)
diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md
index 09326b1e2e..6c74c506b0 100644
--- a/education/get-started/enable-microsoft-teams.md
+++ b/education/get-started/enable-microsoft-teams.md
@@ -46,10 +46,6 @@ To get started, IT administrators need to use the Office 365 Admin Center to ena
You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page.
-
> [!div class="step-by-step"]
[<< Use School Data Sync to import student data](use-school-data-sync.md)
diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md
index 7dd5513764..55a52faa11 100644
--- a/education/get-started/finish-setup-and-other-tasks.md
+++ b/education/get-started/finish-setup-and-other-tasks.md
@@ -26,7 +26,7 @@ Once you've set up your Windows 10 education device, it's worth checking to veri
You can watch the video to see how this is done, or follow the step-by-step guide.
-
+> [!VIDEO https://www.youtube.com/embed/nhQ_4okWFmk]
You can watch the descriptive audio version here: [Microsoft Education: Verify Windows 10 education devices are Azure AD joined and managed (DA)](https://www.youtube.com/watch?v=_hVIxaEsu2Y)
@@ -78,7 +78,7 @@ You can follow the rest of the walkthrough to finish setup and complete other ta
You can watch the following video to see how to update group settings in Intune for Education and configure Azure settings. Or, you can follow the step-by-step guide for these tasks and the other tasks listed above.
-
+> [!VIDEO https://www.youtube.com/embed/M6-k73dZOfw]
You can watch the descriptive audio version here: [Microsoft Education: Update settings, apps, and Azure AD settings for your education tenant (DA)](https://www.youtube.com/watch?v=-Rz3VcDXbzs)
diff --git a/education/get-started/images/03bfe22a-469b-4b73-ab8d-af5aaac8ff89.png b/education/get-started/images/03bfe22a-469b-4b73-ab8d-af5aaac8ff89.png
new file mode 100644
index 0000000000..82aeef7c40
Binary files /dev/null and b/education/get-started/images/03bfe22a-469b-4b73-ab8d-af5aaac8ff89.png differ
diff --git a/education/get-started/images/how-to-deploy-SDS-using-CSV-files-2a.PNG b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-2a.PNG
new file mode 100644
index 0000000000..1dcae48622
Binary files /dev/null and b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-2a.PNG differ
diff --git a/education/get-started/images/how-to-deploy-SDS-using-CSV-files-3.PNG b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-3.PNG
new file mode 100644
index 0000000000..b366d25c4e
Binary files /dev/null and b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-3.PNG differ
diff --git a/education/get-started/images/how-to-deploy-SDS-using-CSV-files-4.PNG b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-4.PNG
new file mode 100644
index 0000000000..60f4857c8e
Binary files /dev/null and b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-4.PNG differ
diff --git a/education/get-started/images/how-to-deploy-SDS-using-CSV-files-5.PNG b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-5.PNG
new file mode 100644
index 0000000000..56cd93787e
Binary files /dev/null and b/education/get-started/images/how-to-deploy-SDS-using-CSV-files-5.PNG differ
diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md
index 2427878df1..59d939c2eb 100644
--- a/education/get-started/set-up-office365-edu-tenant.md
+++ b/education/get-started/set-up-office365-edu-tenant.md
@@ -23,7 +23,7 @@ Schools can use Office 365 to save time and be more productive. Built with power
Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
-
+> [!VIDEO https://www.youtube.com/embed/X7bscA-knaY]
You can watch the descriptive audio version here: [Microsoft Education: Set up an Office 365 Education tenant (DA)](https://www.youtube.com/watch?v=d5tQ8KoB3ic)
diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md
index 3398db7d3f..edb76d6448 100644
--- a/education/get-started/set-up-windows-education-devices.md
+++ b/education/get-started/set-up-windows-education-devices.md
@@ -19,7 +19,7 @@ If you are setting up a Windows 10 device invidividually, and network bandwidth
You can watch the video to see how this is done, or follow the step-by-step guide.
-
+> [!VIDEO https://www.youtube.com/embed/nADWqBYvqXk]
You can watch the descriptive audio version here: [Microsoft Education: Set up a new Windows 10 education devices using the Windows setup experience (DA)](https://www.youtube.com/watch?v=_UtS1Cz2Pno)
diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md
index 5541526c47..646d7b8e16 100644
--- a/education/get-started/use-intune-for-education.md
+++ b/education/get-started/use-intune-for-education.md
@@ -41,7 +41,7 @@ Note that for verified education tenants, Microsoft automatically provisions you
You can watch the video to see how this is done, or follow the step-by-step guide.
-
+> [!VIDEO https://www.youtube.com/embed/c3BLoZZw3TQ]
You can watch the descriptive audio version here: [Microsoft Education: Use Intune for Education to manage groups, apps, and settings (DA)](https://youtu.be/Tejxfc4V7cQ)
diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md
index 4b8fdf410f..c5392b41b9 100644
--- a/education/get-started/use-school-data-sync.md
+++ b/education/get-started/use-school-data-sync.md
@@ -10,7 +10,7 @@ ms.localizationpriority: high
ms.pagetype: edu
author: CelesteDG
ms.author: celested
-ms.date: 10/09/2017
+ms.date: 07/10/2017
---
# Use School Data Sync to import student data
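Review bot: The ms.date change in the metadata block moves the date backward, from 10/09/2017 to 07/10/2017, even though this patch rewrites the walkthrough below. The other files in this patch use MM/DD/YYYY (02/02/2018, 10/30/2017), so 07/10/2017 reads as July 10, 2017. If the intent was to record the date of this update, set ms.date to that date; if day and month were swapped by accident, restore the original order.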
@@ -25,11 +25,10 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial
You can watch the video to see how this is done, or follow the step-by-step guide.
-
+> [!VIDEO https://www.youtube.com/embed/ehSU8jr8T24]
You can watch the descriptive audio version here: [Microsoft Education: Use School Data Sync to import student data (DA)](https://www.youtube.com/watch?v=l4b086IMtvc)
-
## Download sample school data
1. Go to the O365-EDU-Tools GitHub site.
@@ -56,89 +55,83 @@ To learn more about the CSV files that are required and the info you need to inc
## Use SDS to import student data
-1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com.
-2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
+1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com.
+2. Click Sign in. Then enter your O365 Global Admin account credentials.
+3. After logging in, click **+ Add Profile** in the left hand navigation pane to create a Sync Profile.. This opens up the new profile setup wizard within the main page.
- **Figure 3** - Settings for managing SDS
+ **Figure 3** - New SDS profile setup wizard
+
+ 
- 
+4. For the new profile, in the **How do you want to connect to your school?** screen:
+
+ 1. Enter a name for your profile, such as *Contoso_Elementary_Profile*.
+ 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**.
+ 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**.
+ 4. Click **Start**.
-3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**.
+5. In the **Sync options** screen:
- New menu options will appear on the left of the SDS portal.
-
- **Figure 4** - New menu options appear after SDS is turned on
-
- 
-
-4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data.
-
- This opens up the new profile setup wizard within the main page.
-
- **Figure 5** - New SDS profile setup wizard
-
- 
-
-5. For the new profile, in the **How do you want to connect to your school?** screen:
- 1. Enter a name for your profile, such as *Contoso_Elementary_Profile*.
- 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**.
- 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**.
- 4. Click **Start**.
-
-6. In the **Sync options** screen:
1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**.
- 2. In the **Import data** section:
- 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window.
- 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
- 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
- 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
+ 2. In the **Import data** section, click **Upload Files** to bring up the **Select data files to be uploaded** window.
+ 3. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
+ 4. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
+ 5. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
- > [!NOTE]
- > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified.
+ > [!NOTE]
+ > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified.
- 5. After all the files are successfully uploaded, click **OK**.
-
- 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
- 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
- 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
- 6. In the **Student enrollment option** section:
+ 6. After all the files are successfully uploaded, click **OK**.
+ 7. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
+ 8. In the Replace Unsupported Special Characters section, checking this box will allow SDS to automatically replace unsupported special characters while the sync is running. Special characters will be replaced with an "_", and no longer result in an error during the sync process for that object.
+ 9. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
+ 10. In the **Student enrollment option** section:
* If you want to sync your student roster data immediately, leave the box unchecked.
* If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year.
- 7. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education.
- 8. Click **Next**.
+ 11. In the Default Term Dates section, You can set default start and end dates for Section terms. These dates will only be used if you do not provide these dates in your CSV files. If you upload files with Section start and end dates, you will be asked to select the format of the dates provided. If the format that you enter does not match the format of start and end dates in your files, you will receive an error message and need to edit the date format so that it matches the format in your files.
+ 12. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education.
+ 13. Click **Next**.
- **Figure 6** - Sync options for the new profile
+ **Figure 4** - Sync options for the new profile
- 
+ 
+
+6. In the **Teacher options** screen:
-7. In the **Teacher options** screen:
1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created.
+ * Primary Key (Source Directory) - This is the Teacher attribute in the CSV file used for SDS Identity Matching. Watch the Identity Matching video for additional information on how to select the appropriate source directory attribute, and properly configure the identity matching settings for teacher.
+ * Primary Key (Target Directory) - This is the User attribute in Azure AD used for SDS Identity Matching. Watch the Identity Matching video for additional information on how to select the appropriate target directory attribute, and properly configure the identity matching settings for the teacher.
+ * Domain (optional) - This is an optional domain value that you can add to the selected Source Directory attribute to complete your Teacher Identity Matching. If you need to match to a UserPrincipalName or Mail attribute, you must have a domain included in the string. Your source attribute must either include the domain already or you can append the appropriate domain to the source attribute using this dropdown menu.
+
2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
- 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**.
+
+ 3. In the **License assignment** section, choose the SKU to assign licenses for teachers.
+
4. Click **Next**.
- **Figure 7** - Specify options for teacher mapping
+ **Figure 5** - Specify options for teacher mapping
- 
+ 
+
+7. In the **Student options** screen:
-8. In the **Student options** screen:
1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created.
2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
- 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**.
+ 3. In the **License assignment** section, choose the SKU to assign licenses for students.
4. Click **Next**.
- **Figure 8** - Specify options for student mapping
+ **Figure 6** - Specify options for student mapping
- 
+ 
-9. In the profile **Review** page, review the summary and confirm that the options selected are correct.
-10. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile.
+8. In the profile **Review** page, review the summary and confirm that the options selected are correct.
+9. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile.
- **Figure 9** - SDS profile page
+ **Figure 7** - SDS profile page
+
+ 
- 
-
-11. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on:
+10. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on:
* Stage 1 - Validating data
* Stage 2 - Processing schools and sections
* Stage 3 - Processing students and teachers
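Review bot: The three new Primary Key and Domain bullets in the Teacher options step are nested under the sub-step about selecting the teacher domain with no sentence introducing identity matching, and they tell the reader to "Watch the Identity Matching video" without linking to it. Add a short lead-in and a link, and consider whether the Student options step needs the same bullets, since it was left unchanged. The old sub-step "Select the domain for the schools/sections" is removed from Sync options with no replacement; confirm the wizard no longer asks for it. Smaller points in the added lines: "Click Sign in." lost its bold, "create a Sync Profile.." has a doubled period, "Replace Unsupported Special Characters" and "Default Term Dates" are not bolded like the other section names, and "section, You can set" should be lowercase "you".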
@@ -153,15 +146,15 @@ To learn more about the CSV files that are required and the info you need to inc
Here are some examples of what the sync status can look like:
- **Figure 10** - New profile: Sync in progress
+ **Figure 8** - New profile: Sync in progress

- **Figure 11** - New profile: Sync complete - no errors
+ **Figure 9** - New profile: Sync complete - no errors

- **Figure 12** - New profile: Sync complete - with errors
+ **Figure 10** - New profile: Sync complete - with errors

@@ -171,14 +164,9 @@ To learn more about the CSV files that are required and the info you need to inc
That's it for importing sample school data using SDS.
-
-
> [!div class="step-by-step"]
[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
## Related topic
-[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
\ No newline at end of file
+[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
diff --git a/education/index.md b/education/index.md
index 386a59f34f..3e75f1c5ee 100644
--- a/education/index.md
+++ b/education/index.md
@@ -4,6 +4,7 @@ hide_bc: true
title: Microsoft 365 Education documentation and resources | Microsoft Docs
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
author: CelesteDG
+ms.topic: hub-page
ms.author: celested
ms.date: 10/30/2017
---
@@ -696,4 +697,4 @@ ms.date: 10/30/2017
-
\ No newline at end of file
+
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index f448a10be8..d1b54552d1 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -23,7 +23,7 @@ ms.date: 01/12/2017
| | |
| :---: |:--- |
| [](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
-| [](#edu-task2) | **Interested in drastically improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
+| [](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
| [](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
| [](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** Open [OneNote](#edu-task4) and create an example group project for your class. |
| [](#edu-task5) | **Want to teach kids to further collaborate and problem solve?** Play with [Minecraft: Education Edition](#edu-task5) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
@@ -31,27 +31,28 @@ ms.date: 01/12/2017
-
+

## 1. Log in and connect to the school network
To try out the educator tasks, start by logging in as a teacher.
-1. Log in to **Device A** using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit.
-2. Connect to your school's Wi-Fi network or connect with a local Ethernet connection.
+1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet.
+2. Log in to **Device A** using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit.
+3. Connect to your school's Wi-Fi network or connect with a local Ethernet connection.

-## 2. Drastically improve student reading speed and comprehension
+## 2. Significantly improve student reading speed and comprehension
+
+> [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y]
-
+
Learning Tools and the Immersive Reader can be used in the Microsoft Edge browser, Microsoft Word, and Microsoft OneNote to:
* Increase fluency for English language learners
@@ -79,10 +80,10 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse

## 3. Spark communication, critical thinking, and creativity in the classroom
-
+
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. This guided tour walks you through the essential teaching features of the app. Then, through interactive prompts, experience how you can use this tool in your own classroom to spark digital classroom discussions, respond to student questions, organize content, and more!
@@ -98,15 +99,16 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.

## 4. Expand classroom collaboration and interaction between students
-
+
Microsoft OneNote organizes curriculum and lesson plans for teachers and students to work together and at their own pace. It provides a digital canvas to store text, images, handwritten drawings, attachments, links, voice, and video.
**Try this!**
See how a group project comes together with opportunities to interact with other students and collaborate with peers. This one works best with the digital pen, included with your Trial in a Box.
+When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again.
1. On the **Start** menu, click the OneNote shortcut named **Imagine Giza** to open the **Reimagine the Great Pyramid of Giza project**.
2. Take the digital pen out of the box and make notes or draw.
@@ -120,7 +122,7 @@ See how a group project comes together with opportunities to interact with other

- - The Researcher tool from the Insert tab can help find answers.
+ - To find information without leaving OneNote, use the Researcher tool found under the Insert tab.

@@ -129,10 +131,9 @@ See how a group project comes together with opportunities to interact with other

## 5. Get kids to further collaborate and problem solve
-
Minecraft: Education Edition provides an immersive environment to develop creativity, collaboration, and problem-solving in an immersive environment where the only limit is your imagination.
@@ -153,8 +154,9 @@ Today, we'll explore a Minecraft world through the eyes of a student.
9. Explore the world by using the keys on your keyboard.
* **W** moves forward.
* **A** moves left.
- * **D** moves right.
- * **S** moves backward
+ * **S** moves right.
+ * **D** moves backward.
+
10. Use your mouse as your "eyes". Just move it to look around.
11. For a bird's eye view, double-tap the SPACE BAR. Now press the SPACE BAR to fly higher. And then hold the SHIFT key to safely land.
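Review bot: The changed key labels in the movement list are wrong: in Minecraft's default keyboard controls S moves backward and D moves right, which is what the removed lines said. If the goal was to list the keys in W, A, S, D order and add the missing period, keep each key with its original meaning, that is "**S** moves backward." followed by "**D** moves right."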
diff --git a/education/trial-in-a-box/images/onenote_checkmark.PNG b/education/trial-in-a-box/images/onenote_checkmark.PNG
deleted file mode 100644
index fc6cccebc4..0000000000
Binary files a/education/trial-in-a-box/images/onenote_checkmark.PNG and /dev/null differ
diff --git a/education/trial-in-a-box/images/onenote_checkmark.png b/education/trial-in-a-box/images/onenote_checkmark.png
new file mode 100644
index 0000000000..1d276b4c1d
Binary files /dev/null and b/education/trial-in-a-box/images/onenote_checkmark.png differ
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index 2dbb835a36..62510022e6 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -20,9 +20,9 @@ ms.date: 12/11/2017
-
+> [!VIDEO https://www.youtube.com/embed/azoxUYWbeGg]
+
+
Welcome to Microsoft Education Trial in a Box. We built this trial to make it easy to try our latest classroom technologies. We have two scenarios for you to try: one for educators and one for IT. We recommend starting with Educators. To begin, click **Get started** below.
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index 29f0a0de6c..bd1c4b36cd 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -35,9 +35,8 @@ To get the most out of Microsoft Education, we've pre-configured your tenant for
If you run into any problems while following the steps in this guide, or you have questions about Trial in a Box or Microsoft Education, see [Microsoft Education Trial in a Box Support](support-options.md).
-
+
+> [!VIDEO https://www.youtube.com/embed/cVVKCpO2tyI]
@@ -45,9 +44,10 @@ If you run into any problems while following the steps in this guide, or you hav
## 1. Log in to Device A with your IT Admin credentials and connect to the school network
To try out the IT admin tasks, start by logging in as an IT admin.
-1. Log in to **Device A** using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit.
-2. Connect to your school's Wi-Fi network or connect with a local Ethernet connection.
-3. Note the serial numbers on the Trial in a Box devices and register both devices with the hardware manufacturer to activate the manufacturer's warranty.
+1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet.
+2. Log in to **Device A** using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit.
+3. Connect to your school's Wi-Fi network or connect with a local Ethernet connection.
+4. Note the serial numbers on the Trial in a Box devices and register both devices with the hardware manufacturer to activate the manufacturer's warranty.
diff --git a/education/windows/images/mc-ee-video-icon.png b/education/windows/images/mc-ee-video-icon.png
new file mode 100644
index 0000000000..61c8a0f681
Binary files /dev/null and b/education/windows/images/mc-ee-video-icon.png differ
diff --git a/education/windows/images/mcee-icon.png b/education/windows/images/mcee-icon.png
new file mode 100644
index 0000000000..32ed1cf134
Binary files /dev/null and b/education/windows/images/mcee-icon.png differ
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index 0e3dfcd0ba..f0c3df0aea 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -10,7 +10,7 @@ author: trudyha
searchScope:
- Store
ms.author: trudyha
-ms.date: 10/13/2017
+ms.date: 1/5/2018
---
# For IT administrators - get Minecraft: Education Edition
@@ -152,7 +152,7 @@ You can install the app on your PC. This gives you a chance to test the app and
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
- 
+
3. Click **Install**.
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 0deb4b8fbc..59d779962f 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
-ms.date: 12/12/2017
+ms.date: 02/02/2018
---
# Technical reference for the Set up School PCs app
@@ -292,7 +292,7 @@ The Set up School PCs app produces a specialized provisioning package that makes
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart
Disabled
-
Shutdown: Allow system to be shut down without having to log on
Disabled
+
Shutdown: Allow system to be shut down without having to log on
Enabled
User Account Control: Behavior of the elevation prompt for standard users
Auto deny
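Review bot: The "Shutdown: Allow system to be shut down without having to log on" row flips from Disabled to Enabled with nothing in the hunk saying why. With Enabled, anyone at the sign-in screen of a shared school PC can power it off without authenticating. Add a short rationale next to the value, or call the change out where admins who relied on the previously documented setting will see it.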
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 7cf6b0d940..14bbe54561 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -10,8 +10,7 @@ author: trudyha
searchScope:
- Store
ms.author: trudyha
-ms.date: 10/13/2017
----
+ms.date: 1/5/2018
# For teachers - get Minecraft: Education Edition
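Review bot: The removed `----` line is the closing `---` of the YAML front matter, and the only line added back is `+ms.date: 1/5/2018`, so the metadata block now runs straight into the `# For teachers` heading with no terminator. Restore the `---` line after ms.date. The matching hunk in school-get-minecraft.md in this same change keeps the delimiter.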
@@ -41,9 +40,9 @@ Learn how teachers can get and distribute Minecraft: Education Edition.
6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Microsoft Store inventory.
- 
+
-If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
+If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#purchase-additional-licenses).
## Distribute Minecraft
@@ -53,7 +52,7 @@ After Minecraft: Education Edition is added to your Microsoft Store for Educatio
- You can assign the app to others.
- You can download the app to distribute.
-
+
### Install for me
You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
@@ -61,7 +60,7 @@ You can install the app on your PC. This gives you a chance to work with the app
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
- 
+
3. Click **Install**.
@@ -72,7 +71,7 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
- 
+
3. Click **Invite people**.
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 8a1a4c3068..7cd7884f9b 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -42,7 +42,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
-
+> [!VIDEO https://www.youtube.com/embed/2ZLup_-PhkA]
You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI)
@@ -89,9 +89,19 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the
5. Click **Just remove my files**.
6. Click **Reset**.
+* **Use an NTFS-formatted USB key**
+
+ If you're planning to install several apps, the Set up School PCs package may exceed 4 GB. Check if your USB drive format is FAT32. If it is, you won't be able to save more than 4 GB of data on the drive. To work around this, reformat the USB drive to use the NTFS format. To do this:
+
+ 1. Insert the USB key into your computer.
+ 2. Go to the Start menu and type **This PC** and then select the **This PC (Desktop app)** from the search results.
+ 3. In the **Devices and drivers** section, find the USB drive, select and then right-click to bring up options.
+ 4. Select **Format** from the list to bring up the **Format ** window.
+ 5. Set **File system** to **NTFS** and then click **Start** to format the drive.
+
* **Use more than one USB key**
- If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on.
+ If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on.
* **Keep it clean**
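Review bot: Step 5 of the new NTFS bullet formats the USB drive, but the text never says that formatting erases everything on it. State that before step 4 so readers copy off anything they need first. In step 4, `**Format **` has a space before the closing asterisks, so it will not render as bold, and it looks like a drive-name placeholder was lost there.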
@@ -110,9 +120,10 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the
- Install the app on your work PC and make sure you're connected to your school's network.
- You must have Office 365 and Azure Active Directory.
- You must have the Microsoft Store for Education configured.
-- You must be a global admin, store admin, or purchaser in the Microsoft Store for Education.
+- You must be a global admin in the Microsoft Store for Education.
- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app.
-- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office.
+- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office.
+- Check the default file system format for your USB drive. You may need to set this to NTFS to save a provisioning package that's 4 GB or larger.
## Set up School PCs step-by-step
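Review bot: The changed prerequisite narrows "global admin, store admin, or purchaser" to global admin only, so the provisioning package now has to be built under the tenant's most privileged role. If that is a real product requirement, say so in the bullet. If the lesser Store roles still work, keep them listed so schools are not pushed toward handing out global admin for this task.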
diff --git a/mdop/mbam-v25/TOC.md b/mdop/mbam-v25/TOC.md
index d465652210..22008a42bb 100644
--- a/mdop/mbam-v25/TOC.md
+++ b/mdop/mbam-v25/TOC.md
@@ -55,6 +55,7 @@
#### [How to Enable BitLocker by Using MBAM as Part of a Windows Deployment](how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md)
#### [How to Deploy the MBAM Client by Using a Command Line](how-to-deploy-the-mbam-client-by-using-a-command-line.md)
### [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)
+### [Upgrading to MBAM 2.5 SP1 from MBAM 2.5](upgrading-to-mbam-25-sp1-from-mbam-25.md)
### [Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)
### [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md)
## [Operations for MBAM 2.5](operations-for-mbam-25.md)
diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md
new file mode 100644
index 0000000000..f650f130b3
--- /dev/null
+++ b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md
@@ -0,0 +1,44 @@
+---
+title: Upgrading to MBAM 2.5 SP1 from MBAM 2.5
+description: Upgrading to MBAM 2.5 SP1 from MBAM 2.5
+author: kaushika-msft
+ms.assetid:
+ms.pagetype: mdop, security
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.prod: w10
+ms.date: 2/16/2018
+---
+
+# Upgrading to MBAM 2.5 SP1 from MBAM 2.5
+This topic describes the process for upgrading the Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 and the MBAM Client from 2.5 to MBAM 2.5 SP1.
+
+### Before you begin, download the September 2017 servicing release
+[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126)
+
+#### Steps to upgrade the MBAM Database (SQL Server)
+1. Using the MBAM Configurator; remove the Reports roll from the SQL server, or wherever the SSRS database is housed (Could be on the same server or different one, depending on your environment)
+Note: You will not see an option to remove the Databases; this is expected.
+2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site:
+3. Do not configure it at this time
+4. Install the September Rollup: https://www.microsoft.com/en-us/download/details.aspx?id=56126
+5. Using the MBAM Configurator; re-add the Reports rollup
+6. This will configure the SSRS connection using the latest MBAM code from the rollup
+7. Using the MBAM Configurator; re-add the SQL Database roll on the SQL Server.
+- At the end, you will be warned that the DBs already exist and weren’t created, but this is expected.
+- This process updates the existing databases to the current version being installed
+
+#### Steps to upgrade the MBAM Server (Running MBAM and IIS)
+1. Using the MBAM Configurator; remove the Admin and Self Service Portals from the IIS server
+2. Install MBAM 2.5 SP1
+3. Do not configure it at this time
+4. Install the September 2017 Rollup on the IIS server(https://www.microsoft.com/en-us/download/details.aspx?id=56126)
+5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server
+6. This will configure the sites using the latest MBAM code from the June Rollup
+- Open an elevated command prompt, Type: **IISRESET** and Hit Enter.
+
+#### Steps to upgrade the MBAM Clients/Endpoints
+1. Uninstall the 2.5 Agent from client endpoints
+2. Install the 2.5 SP1 Agent on the client endpoints
+3. Push out the September Rollup Client update to clients running the 2.5 SP1 Agent
+4. There is no need to uninstall existing client prior to installing the September Rollup.
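Review bot: Step 6 of the MBAM Server section says the sites are configured from the "June Rollup", while step 4 of that section and the rest of the topic install the September 2017 rollup; one of the two is wrong. In the database section, "Reports roll" (step 1) and "SQL Database roll" (step 7) should read "role", and step 5's "re-add the Reports rollup" appears to mean the Reports role removed in step 1. Step 2 there opens a parenthesis that is never closed and ends in a colon with nothing after it. In the client section, step 1 says to uninstall the 2.5 agent while step 4 says there is no need to uninstall the existing client; state which client step 4 refers to. The front matter also leaves ms.assetid empty.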
diff --git a/microsoft-365/TOC.md b/microsoft-365/TOC.md
deleted file mode 100644
index 06913f7aef..0000000000
--- a/microsoft-365/TOC.md
+++ /dev/null
@@ -1 +0,0 @@
-# [Index](index.md)
\ No newline at end of file
diff --git a/microsoft-365/docfx.json b/microsoft-365/docfx.json
deleted file mode 100644
index 585130e915..0000000000
--- a/microsoft-365/docfx.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {},
- "fileMetadata": {},
- "template": [],
- "dest": "microsoft-365"
- }
-}
\ No newline at end of file
diff --git a/microsoft-365/images/M365-education.svg b/microsoft-365/images/M365-education.svg
deleted file mode 100644
index 7f83629296..0000000000
--- a/microsoft-365/images/M365-education.svg
+++ /dev/null
@@ -1,171 +0,0 @@
-
diff --git a/microsoft-365/index.md b/microsoft-365/index.md
deleted file mode 100644
index 9249c650ec..0000000000
--- a/microsoft-365/index.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-layout: HubPage
-hide_bc: true
-author: CelesteDG
-ms.author: celested
-ms.topic: hub-page
-keywords: Microsoft 365, Microsoft 365 documentation, Microsoft 365 for business, Microsoft 365 for enterprise, Microsoft 365 for education, enterprise, business, education, docs, documentation
-title: Microsoft 365 Documentation
-description: Find documentation and resources for Microsoft 365--a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
-ms.date: 09/25/2017
----
-
-
-
Microsoft 365 Documentation
-
-
-
-
-
-
-
-
[Microsoft 365](https://www.microsoft.com/microsoft-365/default.aspx) is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
-
\ No newline at end of file
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 181fb19436..3c59ec92f0 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -56,9 +56,9 @@ There are a couple of things we need to know when you pay for apps. You can add
6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one.
7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Billing - Payment methods**.
-You’ll also need to have your business address saved on ****Billing - Account profile***. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information).
+You’ll also need to have your business address saved on **Billing - Account profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information).
-Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & software**, you can:
+Microsoft Store adds the app to your inventory. From **Products & services**, you can:
- Distribute the app: add to private store, or assign licenses
- View app licenses: review current licenses, reclaim and reassign licenses
- View app details: review the app details page and purchase more licenses
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index cee7f01a25..20536b0115 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
-ms.date: 1/4/2018
+ms.date: 2/9/2018
ms.localizationpriority: high
---
@@ -20,7 +20,7 @@ Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For
Watch this video to learn more about Windows AutoPilot in Micrsoft Store for Business.
-
+> [!video https://www.microsoft.com/en-us/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false]
## What is Windows AutoPilot Deployment Program?
In Microsoft Store for Business, you can manage devices for your organization and apply an *AutoPilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device.
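Review bot: The context line directly above the changed video embed still reads "Micrsoft Store for Business"; fix the spelling while this paragraph is being touched. The new embed is written `[!video ...]` in lower case, while the other embeds in this change set use `[!VIDEO ...]`; pick one form.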
diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md
index 63f52ca1ce..f5ff057e17 100644
--- a/store-for-business/education/TOC.md
+++ b/store-for-business/education/TOC.md
@@ -26,6 +26,8 @@
### [Manage access to private store](/microsoft-store/manage-access-to-private-store?toc=/microsoft-store/education/toc.json)
### [Manage private store settings](/microsoft-store/manage-private-store-settings?toc=/microsoft-store/education/toc.json)
### [Configure MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Manage Windows device deployment with Windows AutoPilot Deployment](/microsoft-store/add-profile-to-devices?toc=/microsoft-store/education/toc.json)
+### [Microsoft Store for Business and Education PowerShell module - preview](/microsoft-store/microsoft-store-for-business-education-powershell-module?toc=/microsoft-store/education/toc.json)
## [Device Guard signing portal](/microsoft-store/device-guard-signing-portal?toc=/microsoft-store/education/toc.json)
### [Add unsigned app to code integrity policy](/microsoft-store/add-unsigned-app-to-code-integrity-policy?toc=/microsoft-store/education/toc.json)
### [Sign code integrity policy with Device Guard signing](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing?toc=/microsoft-store/education/toc.json)
diff --git a/store-for-business/images/invite-people.png b/store-for-business/images/invite-people.png
new file mode 100644
index 0000000000..b004d3ad7f
Binary files /dev/null and b/store-for-business/images/invite-people.png differ
diff --git a/store-for-business/images/mc-ee-video-icon.png b/store-for-business/images/mc-ee-video-icon.png
new file mode 100644
index 0000000000..61c8a0f681
Binary files /dev/null and b/store-for-business/images/mc-ee-video-icon.png differ
diff --git a/store-for-business/images/mpsa-link.png b/store-for-business/images/mpsa-link.png
new file mode 100644
index 0000000000..74f1496935
Binary files /dev/null and b/store-for-business/images/mpsa-link.png differ
diff --git a/store-for-business/images/msfb-products-services.png b/store-for-business/images/msfb-products-services.png
new file mode 100644
index 0000000000..1ddba79518
Binary files /dev/null and b/store-for-business/images/msfb-products-services.png differ
diff --git a/store-for-business/images/msfb-ps-collection-idp.png b/store-for-business/images/msfb-ps-collection-idp.png
new file mode 100644
index 0000000000..ddd8907d6b
Binary files /dev/null and b/store-for-business/images/msfb-ps-collection-idp.png differ
diff --git a/store-for-business/images/msfb-settings-icon.png b/store-for-business/images/msfb-settings-icon.png
new file mode 100644
index 0000000000..1601965566
Binary files /dev/null and b/store-for-business/images/msfb-settings-icon.png differ
diff --git a/store-for-business/images/msfb-wn-1801-products-services.png b/store-for-business/images/msfb-wn-1801-products-services.png
new file mode 100644
index 0000000000..dc98ffd2e4
Binary files /dev/null and b/store-for-business/images/msfb-wn-1801-products-services.png differ
diff --git a/store-for-business/images/office-logo.png b/store-for-business/images/office-logo.png
new file mode 100644
index 0000000000..04d970bb47
Binary files /dev/null and b/store-for-business/images/office-logo.png differ
diff --git a/store-for-business/images/perf-improvement-icon.png b/store-for-business/images/perf-improvement-icon.png
new file mode 100644
index 0000000000..74be488894
Binary files /dev/null and b/store-for-business/images/perf-improvement-icon.png differ
diff --git a/store-for-business/images/private-store-icon.png b/store-for-business/images/private-store-icon.png
new file mode 100644
index 0000000000..f09679693f
Binary files /dev/null and b/store-for-business/images/private-store-icon.png differ
diff --git a/store-for-business/images/product-and-service-icon.png b/store-for-business/images/product-and-service-icon.png
new file mode 100644
index 0000000000..c18d3c8266
Binary files /dev/null and b/store-for-business/images/product-and-service-icon.png differ
diff --git a/store-for-business/images/products-and-services-photoshop.png b/store-for-business/images/products-and-services-photoshop.png
new file mode 100644
index 0000000000..f20c074aeb
Binary files /dev/null and b/store-for-business/images/products-and-services-photoshop.png differ
diff --git a/store-for-business/images/products-and-services-ppt.png b/store-for-business/images/products-and-services-ppt.png
new file mode 100644
index 0000000000..9b4d77fb7c
Binary files /dev/null and b/store-for-business/images/products-and-services-ppt.png differ
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index dc2a945599..93d1f09234 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-ms.date: 11/30/2017
+ms.date: 2/15/2018
ms.localizationpriority: high
---
@@ -25,21 +25,25 @@ The name of your private store is shown on a tab in Microsoft Store app, or on [

You can change the name of your private store in Microsoft Store.
-
\ No newline at end of file
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 4d706c69f6..705b6a6199 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-ms.date: 1/8/2018
+ms.date: 2/8/2018
---
# Microsoft Store for Business and Education release history
@@ -15,6 +15,10 @@ Microsoft Store for Business and Education regularly releases new and improved f
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
+## December 2017
+
+- Bug fixes and permformance improvements.
+
## November 2017
- **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.
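Review bot: The added December 2017 entry misspells "performance" as "permformance".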
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 38af4a8e01..fd595f2771 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -6,23 +6,32 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-ms.date: 1/8/2018
+ms.date: 2/16/2018
---
# What's new in Microsoft Store for Business and Education
-Microsoft Store for Business and Education regularly releases new and improved feaures.
+Microsoft Store for Business and Education regularly releases new and improved features.
## Latest updates for Store for Business and Education
-**December 2017**
+**January & February, 2018**
+
+| | |
+|--------------------------------------|---------------------------------|
+|  |**One place for apps, software, and subscriptions**
The new **Products & services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services. This includes Apps, Software, and Subscriptions that your organization acquired or manages through Microsoft Store for Business. This change centralizes these products, but the platform changes also improve overall performance.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Create collections of apps in your private store**
Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Upgrade Office 365 trial subscription**
Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Supporting Microsoft Product and Services Agreement customers**
If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details. Also, we added the ability to associate your purchasing account to your tenant.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Microsoft Product and Services Agreement customers can invite people to take roles**
MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+
-We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
+
+
+
+
+
+
+
+
+
+
-
+
```
## Example AssignedAccessConfiguration XML
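Review bot: In the What's new table for January & February, 2018, the two MPSA rows title the agreement "Microsoft Product and Services Agreement", while the body of the first of those rows spells it "Microsoft Products and Services Agreement (MPSA)"; use one name. The last row says that an invited person outside the tenant gets an account added to the tenant and a Store role assigned from an email address alone. That row should link to where an admin can review and remove those accounts and role assignments.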
@@ -560,3 +654,480 @@ Example of the Delete command.
```
+
+## StatusConfiguration XSD
+
+``` syntax
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## StatusConfiguration example
+
+StatusConfiguration Add OnWithAlerts
+
+``` syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration
+
+
+ chr
+
+
+
+
+ OnWithAlerts
+
+ ]]>
+
+
+
+
+
+
+```
+
+
+StatusConfiguration Delete
+``` syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration
+
+
+
+
+
+
+```
+
+StatusConfiguration Get
+
+``` syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration
+
+
+
+
+
+
+```
+
+StatusConfiguration Replace On
+
+```syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration
+
+
+ chr
+
+
+
+
+ On
+
+ ]]>
+
+
+
+
+
+
+```
+
+## Status example
+
+Status Get
+``` syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/Status
+
+
+
+
+
+
+```
+
+## ShellLauncherConfiguration XSD
+
+``` syntax
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## ShellLauncherConfiguration examples
+
+ShellLauncherConfiguration Add
+```
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher
+
+
+ chr
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
+
+
+
+
+```
+
+ShellLauncherConfiguration Add AutoLogon
+```
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher
+
+
+ chr
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
+
+
+
+
+```
+
+ShellLauncherConfiguration Get
+```
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher
+
+
+
+
+
+
+```
+
+## AssignedAccessAlert XSD
+
+```syntax
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
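Review bot: The added example blocks tag their code fences three different ways: some use syntax after a space, StatusConfiguration Replace On and the AssignedAccessAlert XSD use syntax with no space, and the three ShellLauncherConfiguration examples have no tag at all. Use one form throughout. The example labels (StatusConfiguration Delete, Status Get, ShellLauncherConfiguration Add, and the others) are plain text lines, several with no blank line before the fence; make them subheadings or at least separate them from the fence so they render consistently. The file also ends without a trailing newline.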
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index 564378ac63..4d6da38792 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 02/22/2018
---
# AssignedAccess DDF
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
@@ -20,7 +23,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is for Windows 10, version 1709.
+The XML below is for Windows 10, version 1803.
``` syntax
@@ -48,7 +51,7 @@ The XML below is for Windows 10, version 1709.
- com.microsoft/1.1/MDM/AssignedAccess
+ com.microsoft/2.0/MDM/AssignedAccess
@@ -111,6 +114,84 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
+
+ Status
+
+
+
+
+ This read only node contains kiosk health event xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ShellLauncher
+
+
+
+
+
+
+
+ This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ StatusConfiguration
+
+
+
+
+
+
+
+ This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
```
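Review bot: The descriptions for the new ShellLauncher and StatusConfiguration nodes send readers to "samples and required xsd on MSDN" without naming a topic. Point them at the topic in this change set that adds the StatusConfiguration and ShellLauncherConfiguration XSDs and examples. The Status description, "This read only node contains kiosk health event xml", would read better as "This read-only node contains the kiosk health event XML."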
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index b6f9f2667c..556cb49468 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -6,11 +6,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 10/30/2017
+ms.date: 01/04/2018
---
# BitLocker CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703.
> [!Note]
@@ -794,6 +797,12 @@ The following diagram shows the BitLocker configuration service provider in tree
Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
+> [!Important]
+> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-overview) for value 0.
+
+> [!Warning]
+> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
+
Home
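Review bot: The new Important note says value 0 "can only be set for Azure Active Directory joined devices" but not what a device that is not Azure AD joined does when it receives 0 (reject the setting, ignore it, or keep the default). Admins need that to interpret sync results. The Warning that follows should say explicitly that it applies to value 0, since that is the setting under which Windows "will attempt to silently enable" BitLocker with no prompt about other disk encryption. The BitLocker link also hard-codes the en-us locale, unlike the other docs.microsoft.com links in this change set.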
@@ -817,11 +826,9 @@ The following diagram shows the BitLocker configuration service provider in tree
The following list shows the supported values:
-- 0 – Disables the warning prompt.
+- 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
- 1 (default) – Warning prompt allowed.
-
Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:
-
``` syntax
110
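Review bot: Removing the blank lines on either side of "Admin should set the value to 0 ..." leaves that sentence directly under the "1 (default)" list item and directly above the code fence, so Markdown will fold it into the list item; keep the blank lines. The sentence is also ambiguous: it says to set 0 to disable the warning and then offers SyncML to "disable this policy". Say which of the two the SyncML does.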
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index e81ff53e92..22bb311265 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -14,9 +14,6 @@ ms.date: 08/02/2017
The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point.
-> [!Note]
-> Starting in the next major update to Windows 10, the CM\_CellularEntries CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
-
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
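Review bot: The note about Home, Pro, Enterprise, and Education support is deleted here rather than updated. Elsewhere in this patch "the next major update to Windows 10" is replaced with a concrete version (footnote 3 becomes "Added in Windows 10, version 1803"). If the edition support shipped, the note should name the version; if it did not, the commit message should say so. As written, a reader loses the edition information with no replacement.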
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index a72cf5ff8f..1f6269d889 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 03/02/2018
---
# Configuration service provider reference
@@ -1127,6 +1127,34 @@ Footnotes:
+
+[eUICCs CSP](euiccs-csp.md)
+
+
+
+
+
+
+
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
@@ -2425,7 +2509,7 @@ Footnotes:
Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
-- 3 - Added in the next major update to Windows 10
+- 3 - Added in Windows 10, version 1803
## CSP DDF files download
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 36cb8e6e0f..b2c82ca8e5 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 01/29/2018
---
# Defender CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format.
@@ -310,6 +313,11 @@ Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
+**OfflineScan**
+Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan.
+
+Supported operations are Get and Execute.
+
## Related topics
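Review bot: The OfflineScan description needs more operational detail for an Execute node that reboots the device. It does not say whether the reboot is immediate, whether the signed-in user is warned or can defer, or what a Get on this node returns. An MDM admin pushing this to a fleet needs those answers before using it. Grammar: "causes the computer reboot and start in Windows Defender offline mode" should read "causes the computer to reboot and start in Windows Defender offline mode".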
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 126869323b..4077ab58af 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 01/29/20178
---
# Defender DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
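Review bot: The new metadata value "ms.date: 01/29/20178" has a five-digit year. It should be 01/29/2018, matching the defender-csp.md change in the same patch.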
@@ -22,648 +25,659 @@ The XML below is the current version for this CSP.
``` syntax
]>
+ "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+ []>
- 1.2
-
+ 1.2
+ Defender./Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.1/MDM/Defender
+
- Detections
+ Detections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+ ThreatId
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ThreatId
-
-
-
-
-
- Name
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- URL
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Severity
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Category
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CurrentStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExecutionStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- InitialDetectionTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LastThreatStatusChangeTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfDetections
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+ Name
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ URL
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Severity
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Category
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CurrentStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExecutionStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ InitialDetectionTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LastThreatStatusChangeTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NumberOfDetections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
- Health
+ Health
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ComputerState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
-
- ComputerState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DefenderEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RtpEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NisEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanOverdue
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanOverdue
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SignatureOutOfDate
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RebootRequired
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanRequired
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EngineVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SignatureVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DefenderVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanSigVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanSigVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+
+
+ DefenderEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RtpEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NisEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanOverdue
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanOverdue
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SignatureOutOfDate
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RebootRequired
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanRequired
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EngineVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SignatureVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefenderVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanSigVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanSigVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- Scan
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ Scan
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- UpdateSignature
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ UpdateSignature
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
-
+
+ OfflineScan
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
```
## Related topics
-[Defender configuration service provider](defender-csp.md)
-
-
-
-
-
-
-
-
-
-
+[Defender configuration service provider](defender-csp.md)
\ No newline at end of file
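Review bot: This hunk replaces essentially the whole DDF (648 lines out, 659 in) when the functional change appears to be the new OfflineScan node near the end. The rest looks like re-indentation, which makes it impractical to confirm that no existing node's access type or format changed. Please split the whitespace normalization into its own commit, or regenerate the file without touching unchanged nodes. The file now also ends without a trailing newline ("\ No newline at end of file"); add one.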
diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md
index 4057384f64..de3145a84f 100644
--- a/windows/client-management/mdm/developersetup-csp.md
+++ b/windows/client-management/mdm/developersetup-csp.md
@@ -1,6 +1,6 @@
---
title: DeveloperSetup CSP
-description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the next major update of Windows 10.
+description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703.
ms.assetid:
ms.author: maricia
ms.topic: article
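Review bot: The new description reads "This CSP was added in the Windows 10, version 1703." Drop the stray article so it reads "added in Windows 10, version 1703", matching the phrasing used in the other CSP topics in this patch.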
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 2e48728ffc..4de7bc9cc1 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -13,6 +13,9 @@ ms.date: 11/01/2017
# DMClient CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment.
The following diagram shows the DMClient configuration service provider in tree format.
@@ -216,7 +219,7 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
**Provider/*ProviderID*/CommercialID**
-Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this telemetry data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization..
+Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization..
Supported operations are Add, Get, Replace, and Delete.
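Review bot: The telemetry-to-diagnostic-data rename leaves two existing defects on the rewritten line. The paragraph still ends with a double period ("with your organization.."), and "associate this diagnostic data of this device" should be "associate the diagnostic data of this device". Both are worth fixing while the line is being replaced.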
@@ -257,6 +260,11 @@ Optional. Number of days after last sucessful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
+**Provider/*ProviderID*/AADSendDeviceToken**
+Device. Added in Windows 10 version 1803. For AZure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
+
+Supported operations are Add, Delete, Get, and Replace. Value type is bool.
+
**Provider/*ProviderID*/Poll**
Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
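Review bot: The AADSendDeviceToken description does not say which value enables the fallback or what the default is. Falling back from a user token to a device token changes the identity the MDM server is shown, so the documentation should state this explicitly along with when an admin would want it. Wording: "AZure AD" should be "Azure AD", "can not" should be "cannot", and "Value type is bool" is inconsistent with the neighbouring nodes, which use "boolean".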
@@ -690,19 +698,45 @@ Required. Added in Windows 10, version 1709. This node determines how long we wi
Supported operations are Get and Replace. Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
-Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.
+Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
-**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).
+**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
+Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
-Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.
+Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
+**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
+Required. Device Only. Added in Windows 10, version 1803. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available.
+
+Supported operations are Get and Replace. Value type is integer.
+
+**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
+Required. Added in Windows 10, version 1803. This node decides whether or not the MDM progress page displays the Collect Logs button.
+
+Supported operations are Get and Replace. Value type is bool.
+
+**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
+Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error.
+
+Supported operations are Add, Get, Delete, and Replace. Value type is string.
+
+**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
+Required. Device only. Added in Windows 10, version 1803. This node decides wheter or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
+
+Supported operations are Get and Replace. Value type is bool.
+
+**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
+Required. Device only. Added in Windows 10, version 1803. This node decides wheter or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.
+
+Supported operations are Get and Replace. Value type is bool.
+
**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.
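Review bot: BlockInStatusPage is documented as an integer that controls both blocking and "which remediation options are available", but no values are listed, so the node cannot be configured from this text. Please add the value list. In the same block, "wheter" is misspelled in both SkipDeviceStatusPage and SkipUserStatusPage, "DJ++" is used without definition while SkipDeviceStatusPage says "Hybrid Azure AD joined" for what looks like the same case, and the new nodes say "bool" where the existing nodes say "boolean".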
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 22082b40c3..fda5ae3f82 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -13,11 +13,14 @@ ms.date: 12/05/2017
# DMClient DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **DMClient** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1907.
+The XML below is for Windows 10, version 1803.
``` syntax
@@ -28,7 +31,355 @@ The XML below is for Windows 10, version 1907.
1.2DMClient
- ./Vendor/MSFT
+ ./User/Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.5/MDM/DMClient
+
+
+
+ Provider
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ FirstSyncStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedPolicies
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedNetworkProfiles
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedMSIAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedModernAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedPFXCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedSCEPCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ServerHasFinishedProvisioning
+
+
+
+
+
+ This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsSyncDone
+
+
+
+
+
+ This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ WasDeviceSuccessfullyProvisioned
+
+
+
+
+
+ Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowCollectLogsButton
+
+
+
+
+
+ false
+ This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CustomErrorText
+
+
+
+
+
+
+
+ This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+
+
+ DMClient
+ ./Device/Vendor/MSFT
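Review bot: In the new ./User/Vendor/MSFT tree, the ExpectedModernAppPackages description ends with "This is per user", but its example LocURIs start with ./Vendor/MSFT/EnterpriseModernAppManagement/... The ExpectedMSIAppPackages example uses ./User/Vendor/MSFT/..., so please confirm which prefix is correct for the user-scoped list. Both examples also contain an unbalanced quote around the delimiter (;4"\xF000"), which makes the exact string format ambiguous; show the delimiter the same way the prose does (L"\xF000"). "Amount of apps" should be "number of apps".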
@@ -622,6 +973,30 @@ The XML below is for Windows 10, version 1907.
+
+ AADSendDeviceToken
+
+
+
+
+
+
+
+ Send the device AAD token, if the user one can't be returned
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Push
@@ -1221,7 +1596,7 @@ The XML below is for Windows 10, version 1907.
- This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.
+ This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
@@ -1243,7 +1618,7 @@ The XML below is for Windows 10, version 1907.
- This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).
+ This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
@@ -1265,7 +1640,7 @@ The XML below is for Windows 10, version 1907.
- Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.
+ Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
@@ -1280,6 +1655,137 @@ The XML below is for Windows 10, version 1907.
+
+ BlockInStatusPage
+
+
+
+
+
+ 0
+ Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowCollectLogsButton
+
+
+
+
+
+ false
+ This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CustomErrorText
+
+
+
+
+
+
+
+ This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SkipDeviceStatusPage
+
+
+
+
+
+ true
+ Device only. This node decides wheter or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SkipUserStatusPage
+
+
+
+
+
+ false
+ Device only. This node decides wheter or not the MDM user progress page skips after AADJ or DJ++ after user login.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EnhancedAppLayerSecurity
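Review bot: The CustomErrorText description in this device-side block says "This node only applies to the user MDM status page (on a per user basis)", which matches the copy in the ./User tree word for word. The adjacent AllowCollectLogsButton here correctly says "device MDM status page", so this looks like a copy-paste leftover. "wheter" is misspelled in SkipDeviceStatusPage and SkipUserStatusPage, and these descriptions use "AADJ" and "DJ++" where dmclient-csp.md spells out "Azure AD joined" and "Hybrid Azure AD joined". The values shown on the nodes (0, false, true, false) are not mentioned in dmclient-csp.md; if they are defaults, the CSP topic should list them.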
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 5062ee119e..2ad3ca1434 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -7,11 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/22/2017
+ms.date: 03/01/2018
---
# EnterpriseModernAppManagement CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
> [!Note]
@@ -359,6 +363,20 @@ The following image shows the EnterpriseModernAppManagement configuration servic
```
+**.../*PackageFamilyName*/MaintainProcessorArchitectureOnUpdate**
+Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available.
+
+Supported operations are Add, Get, Delete, and Replace. Value type is integer.
+
+Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
+
+|Applicability Setting |CSP state |Result |
+|---------|---------|---------|
+|True |Not configured |X86 flavor is picked |
+|True |Enabled |X86 flavor is picked |
+|True |Disabled |X86 flavor is picked |
+|False (not set) |Not configured |X64 flavor is picked |
+
**AppInstallation**
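Review bot: The expected-behavior table does not let a reader work out what the setting does. All three "True" rows give "X86 flavor is picked" regardless of CSP state, and the only "False" row is "Not configured", so the cases where the CSP actually changes the outcome (False with Enabled, False with Disabled) are missing. "Applicability Setting" is never defined, and the node is typed as integer with no supported values listed. Please add the missing rows, define the first column, and list the integer values. "On a AMD64 device" should be "on an AMD64 device".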
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 01c9d509c3..1330e71e5a 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/07/2017
+ms.date: 01/26/2018
---
# Firewall CSP
-The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
+The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
Firewall configuration commands must be wrapped in an Atomic block in SyncML.
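Review bot: The replacement sentence is missing a preposition: "This CSP was added Windows 10, version 1709." should read "This CSP was added in Windows 10, version 1709."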
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_DMClient_TH2.png b/windows/client-management/mdm/images/Provisioning_CSP_DMClient_TH2.png
new file mode 100644
index 0000000000..28ae086ef7
Binary files /dev/null and b/windows/client-management/mdm/images/Provisioning_CSP_DMClient_TH2.png differ
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_Defender.png b/windows/client-management/mdm/images/Provisioning_CSP_Defender.png
new file mode 100644
index 0000000000..6ee31a8f16
Binary files /dev/null and b/windows/client-management/mdm/images/Provisioning_CSP_Defender.png differ
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_RemoteWipe_DMandCP.png b/windows/client-management/mdm/images/Provisioning_CSP_RemoteWipe_DMandCP.png
new file mode 100644
index 0000000000..f7d21f0a94
Binary files /dev/null and b/windows/client-management/mdm/images/Provisioning_CSP_RemoteWipe_DMandCP.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png
index c8db9ee059..663f449910 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
index b3be3ba7f4..4d90f1b6f2 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png
index 88398bc1c5..28ae086ef7 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png and b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png differ
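Review bot: provisioning-csp-dmclient-th2.png is updated to blob 28ae086ef7 while Provisioning_CSP_DMClient_TH2.png is added as a new file with the same blob, so the image is now stored twice under names that differ only in case and separators. The Defender and RemoteWipe_DMandCP images are likewise added in a mixed-case form next to the existing lowercase files, there with different blobs. Keep one name per image, in the lowercase hyphenated form the other files use, and drop the mixed-case additions so that links do not depend on the case sensitivity of the host.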
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
index b834990924..a28f41fe6a 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-euiccs.png b/windows/client-management/mdm/images/provisioning-csp-euiccs.png
index a4c67a8b7e..387fdae3fb 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-euiccs.png and b/windows/client-management/mdm/images/provisioning-csp-euiccs.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-multisim.png b/windows/client-management/mdm/images/provisioning-csp-multisim.png
new file mode 100644
index 0000000000..86473079f4
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-multisim.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
index fdbeb278ab..8a01ad0dff 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-uefi.png b/windows/client-management/mdm/images/provisioning-csp-uefi.png
new file mode 100644
index 0000000000..6900dd0c83
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-uefi.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-update.png b/windows/client-management/mdm/images/provisioning-csp-update.png
index d98b7fcea1..e88466a113 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-update.png and b/windows/client-management/mdm/images/provisioning-csp-update.png differ
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
new file mode 100644
index 0000000000..9467b896ff
--- /dev/null
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -0,0 +1,58 @@
+---
+title: MultiSIM CSP
+description: MultiSIM CSP allows the enterprise to manage devices with dual SIM single active configuration.
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/27/2018
+---
+
+# MultiSIM CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803.
+
+
+The following diagram shows the MultiSIM configuration service provider in tree format.
+
+
+
+**./Device/Vendor/MSFT/MultiSIM**
+Root node.
+
+**_ModemID_**
+Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded modem.
+
+**_ModemID_/Identifier**
+Modem ID.
+
+**_ModemID_/IsEmbedded**
+Indicates whether this modem is embedded or external.
+
+**_ModemID_/Slots**
+Represents all SIM slots in the Modem.
+
+**_ModemID_/Slots/_SlotID_**
+Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot.
+
+**_ModemID_/Slots/_SlotID_/Identifier**
+Slot ID.
+
+**_ModemID_/Slots/_SlotID_/IsEmbedded**
+Indicates whether this Slot is embedded or a physical SIM slot.
+
+**_ModemID_/Slots/_SlotID_/IsSelected**
+Indicates whether this Slot is selected or not.
+
+**_ModemID_/Slots/_SlotID_/State**
+Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
+
+**_ModemID_/Policies**
+Policies associated with the Modem.
+
+**_ModemID_/Policies/SlotSelectionEnabled**
+Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
\ No newline at end of file
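Review bot: none of the node descriptions state the supported operations or the value format, so it is unclear which nodes an MDM server can set and which only report status. Add a "Supported operations are ..." line per node, as the Policy CSP page does, and say what values IsEmbedded, IsSelected and SlotSelectionEnabled take. The sentence "The following diagram shows the MultiSIM configuration service provider in tree format." is followed only by blank lines in this hunk, so check that the reference to provisioning-csp-multisim.png is present. The file also ends without a trailing newline.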
diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md
new file mode 100644
index 0000000000..ccdbecbaee
--- /dev/null
+++ b/windows/client-management/mdm/multisim-ddf.md
@@ -0,0 +1,291 @@
+---
+title: MultiSIM DDF file
+description: XML file containing the device description framework
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/27/2018
+---
+
+# MultiSIM CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **MultiSIM** configuration service provider.
+
+The XML below is for Windows 10, version 1803.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ MultiSIM
+ ./Device/Vendor/MSFT
+
+
+
+
+ Subtree for multi-SIM management.
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/MultiSIM
+
+
+
+
+
+
+
+
+
+ Node representing a Mobile Broadband Modem. The node name is the Modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded Modem.
+
+
+
+
+
+
+
+
+
+ ModemID
+
+
+
+
+
+ Identifier
+
+
+
+
+ Modem ID.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsEmbedded
+
+
+
+
+ Indicates whether this Modem is embedded or external.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Slots
+
+
+
+
+ Represents all SIM slots in the Modem.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot.
+
+
+
+
+
+
+
+
+
+ SlotID
+
+
+
+
+
+ Identifier
+
+
+
+
+ Slot ID.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsEmbedded
+
+
+
+
+ Indicates whether this Slot is embedded or a physical SIM slot.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsSelected
+
+
+
+
+
+ Indicates whether this Slot is selected or not.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ State
+
+
+
+
+ Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+ Policies
+
+
+
+
+ Policies associated with the Modem.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SlotSelectionEnabled
+
+
+
+
+
+ true
+ Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+
+```
\ No newline at end of file
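Review bot: the H1 of this new page is "# MultiSIM CSP" although the front-matter title is "MultiSIM DDF file", so it carries the same heading as multisim-csp.md. Rename the heading to "# MultiSIM DDF file". This file also ends without a trailing newline.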
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 16d073feae..62bdf664f0 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,12 +10,16 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/12/2018
+ms.date: 03/03/2018
---
# What's new in MDM enrollment and management
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
@@ -1385,6 +1389,99 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### March 2018
+
+
+
+
+
+
+
+
+
New or updated topic
+
Description
+
+
+
+
+
[eUICCs CSP](euiccs-csp.md)
+
Added the following node in Windows 10, version 1803:
[How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)
+
[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)
Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.
+
+
+
[DMClient CSP](dmclient-csp.md)
+
Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
+
+
AADSendDeviceToken
+
BlockInStatusPage
+
AllowCollectLogsButton
+
CustomErrorText
+
SkipDeviceStatusPage
+
SkipUserStatusPage
+
+
+
+
[RemoteWipe CSP](remotewipe-csp.md)
+
Added the following nodes in Windows 10, version 1803:
+
+
AutomaticRedeployment
+
doAutomaticRedeployment
+
LastError
+
Status
+
+
+
+
[Defender CSP](defender-csp.md)
+
Added new node (OfflineScan) in Windows 10, version 1803.
+
+
+
[UEFI CSP](uefi-csp.md)
+
Added a new CSP in Windows 10, version 1803.
+
+
+
[Update CSP](update-csp.md)
+
Added the following nodes in Windows 10, version 1803:
+
+
Rollback
+
Rollback/FeatureUpdate
+
Rollback/QualityUpdateStatus
+
Rollback/FeatureUpdateStatus
+
+
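Review bot: in the DMClient CSP entry, "Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node." gives no Windows version, while the next sentence attributes only the six listed nodes to version 1803. State the version for FirstSyncStatus as well, or fold it into the list if it belongs to the same release.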
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index b3eec1da15..f031f91a4b 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/26/2018
---
# Office CSP
-The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
+The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).
@@ -144,31 +144,54 @@ To get the current status of Office 365 on the device.
997
Installation in progress
-
Windows Information Protection
+
-
13 (ERROR_INVALID_DATA)
-
Cannot verify signature of the downloaded ODT
+
13
+
ERROR_INVALID_DATA
+
Cannot verify signature of the downloaded Office Deployment Tool (ODT)
Failure
-
1460 (ERROR_TIMEOUT)
-
Failed to download ODT
+
1460
+
ERROR_TIMEOUT
+
Failed to download ODT
Failure
-
1603 (ERROR_INSTALL_FAILURE)
-
Failed any pre-req check.
+
1602
+
ERROR_INSTALL_USEREXIT
+
User cancelled the installation
+
Failure
+
+
+
1603
+
ERROR_INSTALL_FAILURE
+
Failed any pre-req check.
SxS (Tried to install when 2016 MSI is installed)
-
Bit mismatch
+
Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)
Failure
+
17000
+
ERROR_PROCESSPOOL_INITIALIZATION
+
Failed to start C2RClient
+
Failure
+
+
+
17001
+
ERROR_QUEUE_SCENARIO
+
Failed to queue installation scenario in C2RClient
+
Failure
+
+
17002
-
Failed to complete the process. Possible reasons:
+
ERROR_COMPLETING_SCENARIO
+
Failed to complete the process. Possible reasons:
+
Installation cancelled by user
Installation cancelled by another installation
Out of disk space during installation
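Review bot: user cancellation is now documented under two codes, the new 1602 ERROR_INSTALL_USEREXIT row ("User cancelled the installation") and the 17002 reason "Installation cancelled by user". Say which code the CSP returns in which case, or remove the overlap, so that an admin alerting on status codes can map a code to one cause. Minor: in the 1603 row, "the Office that was attempting to be installed" would read better as "the Office version being installed".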
@@ -177,13 +200,60 @@ To get the current status of Office 365 on the device.
Failure
-
17004
-
Unknown SKU
+
17003
+
ERROR_ANOTHER_RUNNING_SCENARIO
+
Another scenario is running
Failure
-
0x8000ffff (E_UNEXPECTED)
-
Tried to uninstall when there is no C2R Office on the machine.
+
17004
+
ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
+
Possible reasons:
+
+
Unknown SKUs
+
Content does't exist on CDN
+
such as trying to install an unsupported LAP, like zh-sg
+
CDN issue that content is not available
+
+
Signature check issue, such as failed the signature check for Office content
+
User cancelled
+
+
+
Failure
+
+
+
17005
+
ERROR_SCENARIO_CANCELLED_AS_PLANNED
+
Failure
+
+
+
17006
+
ERROR_SCENARIO_CANCELLED
+
Blocked update by running apps
+
Failure
+
+
+
17007
+
ERROR_REMOVE_INSTALLATION_NEEDED
+
The client is requesting client clean up in a "Remove Installation" scenario
+
Failure
+
+
+
17100
+
ERROR_HANDLING_COMMAND_LINE
+
C2RClient command line error
+
Failure
+
+
+
0x80004005
+
E_FAIL
+
ODT cannot be used to install Volume license
+
Failure
+
+
+
0x8000ffff
+
E_UNEXPECTED
+
Tried to uninstall when there is no C2R Office on the machine.
Failure
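Review bot: the 17004 row lists "Signature check issue, such as failed the signature check for Office content" alongside unknown SKUs, CDN availability and user cancellation, so a failed integrity check cannot be told apart from benign causes by status code alone; call that out in the description or say where the specific cause can be found. In the same row, "Content does't exist on CDN" should read "doesn't", and 17005 ERROR_SCENARIO_CANCELLED_AS_PLANNED is the only added row with no description.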
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 4a50c52186..4f14d81f4f 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/12/2018
+ms.date: 03/05/2018
---
# Policy CSP
@@ -95,7 +95,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall**
-
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
+
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx).
@@ -130,7 +130,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operations are Add and Get. Does not support Delete.
> [!Note]
-> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S.
+> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults policies are not supported in Windows 10 S.
## Policies
@@ -376,30 +376,6 @@ The following diagram shows the Policy configuration service provider in tree fo
### TaskScheduler policies
@@ -2824,6 +2824,9 @@ The following diagram shows the Policy configuration service provider in tree fo
### TextInput policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,16 +67,16 @@ ms.date: 12/14/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether to allow Action Center notifications above the device lock screen.
+Specifies whether to allow Action Center notifications above the device lock screen.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -82,12 +84,14 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
+
-
+
+
**AboveLock/AllowCortanaAboveLock**
-
+
Home
@@ -109,8 +113,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -118,11 +122,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
+
+
+Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
-
+
+
+ADMX Info:
+- GP English name: *Allow Cortana above lock screen*
+- GP name: *AllowCortanaAboveLock*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
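Review bot: the AboveLock/AllowCortanaAboveLock description re-added here has no "Most restricted value is ..." line, unlike the AllowActionCenterNotifications and AllowToasts descriptions around it, which both state "Most restricted value is 0." Add the equivalent line after the description so the three lock-screen policies document their restrictive setting consistently.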
@@ -130,12 +142,14 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
+
-
+
+
**AboveLock/AllowToasts**
-
+
Home
@@ -157,8 +171,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -166,13 +180,13 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow toast notifications above the device lock screen.
+
+
+Specifies whether to allow toast notifications above the device lock screen.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -180,7 +194,7 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
Footnote:
@@ -189,5 +203,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md
index dfe6305024..2d0549e77b 100644
--- a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md
+++ b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/29/2017
+ms.date: 01/30/2018
---
# Policy CSP - AccountPoliciesAccountLockoutPolicy
@@ -17,7 +17,7 @@ ms.date: 12/29/2017
-
+
## AccountPoliciesAccountLockoutPolicy policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -67,30 +69,23 @@ ms.date: 12/29/2017
-
-
+
+
Added in Windows 10, next major release. This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold**
-
+
Home
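Review bot: the lockout-duration description kept as context still says "Added in Windows 10, next major release", while other pages in this patch replace that wording with a concrete version. Since the file is being touched and re-dated, name the release here and in the AccountLockoutThreshold and ResetAccountLockoutCounterAfter descriptions, which use the same phrase.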
@@ -112,8 +107,8 @@ Default: None, because this policy setting only has meaning when an Account lock
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -121,30 +116,23 @@ Default: None, because this policy setting only has meaning when an Account lock
-
-
+
+
Added in Windows 10, next major release. This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.
Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.
Default: 0.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter**
-
+
Home
@@ -166,8 +154,8 @@ Default: 0.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -175,25 +163,16 @@ Default: 0.
-
-
+
+
Added in Windows 10, next major release. This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes.
If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
-
-
-
-
-
-
-
-
-
-
-
+
+
Footnote:
@@ -202,5 +181,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index b64e96d236..0fb29f4870 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Accounts
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Accounts policies
Specifies whether user is allowed to add non-MSA email accounts.
+
+
+Specifies whether user is allowed to add non-MSA email accounts.
-
Most restricted value is 0.
+Most restricted value is 0.
> [!NOTE]
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md).
-
+
The following list shows the supported values:
@@ -85,12 +87,14 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
+
@@ -112,8 +116,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -121,13 +125,13 @@ The following list shows the supported values:
-
-
-
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
+
+
+Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -135,12 +139,14 @@ The following list shows the supported values:
- 1 (default) - Allowed.
-
+
+
@@ -162,8 +168,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -171,11 +177,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
+
+
+Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
-
+
The following list shows the supported values:
@@ -183,12 +189,14 @@ The following list shows the supported values:
- 1 (default) - Manual start.
-
+
+
-
+
+
**Accounts/DomainNamesForEmailSync**
-
+
Home
@@ -210,8 +218,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -219,16 +227,16 @@ The following list shows the supported values:
-
-
-
Specifies a list of the domains that are allowed to sync email on the device.
+
+
+Specifies a list of the domains that are allowed to sync email on the device.
-
The data type is a string.
+The data type is a string.
-
The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
+The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
-
-
+
+
Footnote:
@@ -237,7 +245,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Accounts policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 411a6aa435..925504ac0d 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - ActiveXControls
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## ActiveXControls policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -59,17 +61,17 @@ ms.date: 11/01/2017
-
-
-This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
+
+
+This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
-If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
+If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
-If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
+If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
Note: Wild card characters cannot be used when specifying the host URLs.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
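Review bot: the first description line is rewritten here but keeps "Activex Install sites" (lowercase x), and its second sentence repeats the following paragraph ("If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.") almost word for word. Drop the duplicate sentence from the first paragraph and use "ActiveX" throughout.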
@@ -77,15 +79,15 @@ Note: Wild card characters cannot be used when specifying the host URLs.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Approved Installation Sites for ActiveX Controls*
- GP name: *ApprovedActiveXInstallSites*
- GP path: *Windows Components/ActiveX Installer Service*
- GP ADMX file name: *ActiveXInstallService.admx*
-
-
+
+
Footnote:
@@ -94,5 +96,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 05657e6bd9..dba53edc54 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/04/2017
+ms.date: 03/05/2018
---
# Policy CSP - ApplicationDefaults
@@ -15,7 +15,7 @@ ms.date: 12/04/2017
-
+
## ApplicationDefaults policies
Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
+
+
+Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
-
If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
-
To create create the SyncML, follow these steps:
+
+
+ADMX Info:
+- GP English name: *Set a default associations configuration file*
+- GP name: *DefaultAssociationsConfiguration*
+- GP element: *DefaultAssociationsConfiguration_TextBox*
+- GP path: *File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+To create create the SyncML, follow these steps:
Install a few apps and change your defaults.
From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
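Review bot: The re-added line "+To create create the SyncML, follow these steps:" carries over the doubled word from the line it replaces; since the line is being rewritten anyway, change it to "To create the SyncML". The description above embeds the DISM command in parentheses in running prose, while the step below puts it in quotes; code formatting for both would make the command unambiguous to copy.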
@@ -73,7 +86,7 @@ ms.date: 12/04/2017
Paste the base64 encoded XML into the SyncML
-
Here is an example output from the dism default association export command:
+Here is an example output from the dism default association export command:
``` syntax
@@ -86,13 +99,13 @@ ms.date: 12/04/2017
Here is the base64 encoded result:
+Here is the base64 encoded result:
``` syntax
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
```
-
Here is the SyncMl example:
+Here is the SyncMl example:
``` syntax
@@ -117,8 +130,8 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
```
-
-
+
+
Footnote:
@@ -127,6 +140,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
-
+
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index c495acc547..5822ec21c5 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - ApplicationManagement
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## ApplicationManagement policies
Specifies whether non Microsoft Store apps are allowed.
+
+
+Specifies whether non Microsoft Store apps are allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow all trusted apps to install*
+- GP name: *AppxDeploymentAllowAllTrustedApps*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -104,12 +114,14 @@ The following list shows the supported values:
- 65535 (default) - Not configured.
-
+
+
@@ -131,8 +143,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -140,24 +152,37 @@ The following list shows the supported values:
-
-
-
Specifies whether automatic update of apps from Microsoft Store are allowed.
+
+
+Specifies whether automatic update of apps from Microsoft Store are allowed.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+ADMX Info:
+- GP English name: *Turn off Automatic Download and Install of updates*
+- GP name: *DisableAutoInstall*
+- GP path: *Windows Components/Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
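Review bot: The new ADMX block maps this Allow-style policy (0 – Not allowed, 1 – Allowed) to a GP setting with the opposite sense, "Turn off Automatic Download and Install of updates" / DisableAutoInstall, and nothing in the added text says how the two line up. Add a sentence stating which GP state corresponds to 0 and which to 1. The added "Most restricted value is 0." also deserves a qualifier, since 0 here means apps stop updating automatically. While the description line is being re-added, fix the agreement: "automatic update of apps from Microsoft Store is allowed".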
@@ -179,8 +204,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -188,13 +213,21 @@ The following list shows the supported values:
-
-
-
Specifies whether developer unlock is allowed.
+
+
+Specifies whether developer unlock is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allows development of Windows Store apps and installing them from an integrated development environment (IDE)*
+- GP name: *AllowDevelopmentWithoutDevLicense*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -203,12 +236,14 @@ The following list shows the supported values:
- 65535 (default) - Not configured.
-
+
+
-
+
+
**ApplicationManagement/AllowGameDVR**
-
+
Home
@@ -230,8 +265,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -239,16 +274,24 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Specifies whether DVR and broadcasting is allowed.
+Specifies whether DVR and broadcasting is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Enables or disables Windows Game Recording and Broadcasting*
+- GP name: *AllowGameDVR*
+- GP path: *Windows Components/Windows Game Recording and Broadcasting*
+- GP ADMX file name: *GameDVR.admx*
+
+
The following list shows the supported values:
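Review bot: The re-added description "+Specifies whether DVR and broadcasting is allowed." keeps the subject-verb disagreement of the line it replaces; change it to "are allowed" while the line is being rewritten. The new GP English name says "Windows Game Recording and Broadcasting", so wording the description as "game recording (DVR) and broadcasting" would make the two easier to match.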
@@ -256,12 +299,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -283,8 +328,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -292,13 +337,21 @@ The following list shows the supported values:
-
-
-
Specifies whether multiple users of the same app can share data.
+
+
+Specifies whether multiple users of the same app can share data.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow a Windows app to share application data between users*
+- GP name: *AllowSharedLocalAppData*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -306,12 +359,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**ApplicationManagement/AllowStore**
-
+
Home
@@ -333,8 +388,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -342,13 +397,13 @@ The following list shows the supported values:
-
-
-
Specifies whether app store is allowed at the device.
+
+
+Specifies whether app store is allowed at the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -356,12 +411,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -383,8 +440,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -392,13 +449,13 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
-
An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md).
+An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md).
> [!NOTE]
> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
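Review bot: The re-added description still reads "the application restrictions company want to put to the device"; since this hunk rewrites the line, reword it, for example "the application restrictions a company wants to apply to the device". The context line below says to "include the inbox apps that you need to your list of allowed apps", which should be "in your list".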
@@ -412,19 +469,21 @@ The following list shows the supported values:
> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
-
An application that is running may not be immediately terminated.
+An application that is running may not be immediately terminated.
-
Value type is chr.
+Value type is chr.
-
Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
+Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
+
+
+
-
-
@@ -446,8 +505,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -455,11 +514,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
+
+
+Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
-
+
+
+ADMX Info:
+- GP English name: *Disable all apps from Microsoft Store *
+- GP name: *DisableStoreApps*
+- GP path: *Windows Components/Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
The following list shows the supported values:
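Review bot: In the added ADMX block, "- GP English name: *Disable all apps from Microsoft Store *" has a space before the closing asterisk, so Markdown will not treat the text as emphasis and the asterisks will render literally. Remove the trailing space to match the other GP English name entries.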
@@ -467,12 +534,14 @@ The following list shows the supported values:
- 1 – Disable launch of apps.
-
+
+
@@ -494,8 +563,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -503,24 +572,37 @@ The following list shows the supported values:
-
-
-
Allows disabling of the retail catalog and only enables the Private store.
+
+
+Allows disabling of the retail catalog and only enables the Private store.
-
The following list shows the supported values:
+
+Most restricted value is 1.
+
+
+
+ADMX Info:
+- GP English name: *Only display the private store within the Microsoft Store*
+- GP name: *RequirePrivateStoreOnly_1*
+- GP path: *Windows Components/Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Allow both public and Private store.
- 1 – Only Private store is enabled.
-
@@ -542,8 +624,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -551,13 +633,21 @@ The following list shows the supported values:
-
-
-
Specifies whether application data is restricted to the system drive.
+
+
+Specifies whether application data is restricted to the system drive.
-
Most restricted value is 1.
+Most restricted value is 1.
-
+
+
+ADMX Info:
+- GP English name: *Prevent users' app data from being stored on non-system volumes*
+- GP name: *RestrictAppDataToSystemVolume*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -565,12 +655,14 @@ The following list shows the supported values:
- 1 – Restricted.
-
+
+
@@ -592,8 +684,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -601,13 +693,21 @@ The following list shows the supported values:
-
-
-
Specifies whether the installation of applications is restricted to the system drive.
+
+
+Specifies whether the installation of applications is restricted to the system drive.
-
Most restricted value is 1.
+Most restricted value is 1.
-
+
+
+ADMX Info:
+- GP English name: *Disable installing Windows apps on non-system volumes*
+- GP name: *DisableDeploymentToNonSystemVolumes*
+- GP path: *Windows Components/App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
The following list shows the supported values:
@@ -615,7 +715,7 @@ The following list shows the supported values:
- 1 – Restricted.
-
+
Footnote:
@@ -624,7 +724,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## ApplicationManagement policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index e8d81c05b3..bbb346e93c 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - AppVirtualization
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## AppVirtualization policies
@@ -105,11 +105,13 @@ ms.date: 11/01/2017
+
-
+
+
**AppVirtualization/AllowAppVClient**
-
+
Home
@@ -131,8 +133,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -140,11 +142,11 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -152,20 +154,22 @@ This policy setting allows you to enable or disable Microsoft Application Virtua
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable App-V Client*
- GP name: *EnableAppV*
- GP path: *System/App-V*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowDynamicVirtualization**
-
+
Home
@@ -187,8 +191,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -196,11 +200,11 @@ ADMX Info:
-
-
+
+
Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -208,20 +212,22 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Dynamic Virtualization*
- GP name: *Virtualization_JITVEnable*
- GP path: *System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowPackageCleanup**
-
+
Home
@@ -243,8 +249,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -252,11 +258,11 @@ ADMX Info:
-
-
+
+
Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -264,20 +270,22 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable automatic cleanup of unused appv packages*
- GP name: *PackageManagement_AutoCleanupEnable*
- GP path: *System/App-V/PackageManagement*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowPackageScripts**
-
+
Home
@@ -299,8 +307,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -308,11 +316,11 @@ ADMX Info:
-
-
+
+
Enables scripts defined in the package manifest of configuration files that should run.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -320,20 +328,22 @@ Enables scripts defined in the package manifest of configuration files that shou
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Package Scripts*
- GP name: *Scripting_Enable_Package_Scripts*
- GP path: *System/App-V/Scripting*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowPublishingRefreshUX**
-
+
Home
@@ -355,8 +365,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -364,11 +374,11 @@ ADMX Info:
-
-
+
+
Enables a UX to display to the user when a publishing refresh is performed on the client.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -376,20 +386,22 @@ Enables a UX to display to the user when a publishing refresh is performed on th
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Publishing Refresh UX*
- GP name: *Enable_Publishing_Refresh_UX*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowReportingServer**
-
+
Home
@@ -411,8 +423,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -420,8 +432,8 @@ ADMX Info:
-
-
+
+
Reporting Server URL: Displays the URL of reporting server.
Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM.
@@ -434,7 +446,7 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the
Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -442,20 +454,22 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reporting Server*
- GP name: *Reporting_Server_Policy*
- GP path: *System/App-V/Reporting*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowRoamingFileExclusions**
-
+
Home
@@ -477,8 +491,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -486,11 +500,11 @@ ADMX Info:
-
-
+
+
Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -498,20 +512,22 @@ Specifies the file paths relative to %userprofile% that do not roam with a user'
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Roaming File Exclusions*
- GP name: *Integration_Roaming_File_Exclusions*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowRoamingRegistryExclusions**
-
+
Home
@@ -533,8 +549,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -542,11 +558,11 @@ ADMX Info:
-
-
+
+
Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -554,20 +570,22 @@ Specifies the registry paths that do not roam with a user profile. Example usage
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Roaming Registry Exclusions*
- GP name: *Integration_Roaming_Registry_Exclusions*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/AllowStreamingAutoload**
-
+
Home
@@ -589,8 +607,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -598,11 +616,11 @@ ADMX Info:
-
-
+
+
Specifies how new packages should be loaded automatically by App-V on a specific computer.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -610,20 +628,22 @@ Specifies how new packages should be loaded automatically by App-V on a specific
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify what to load in background (aka AutoLoad)*
- GP name: *Steaming_Autoload*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/ClientCoexistenceAllowMigrationmode**
-
+
Home
@@ -645,8 +665,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -654,11 +674,11 @@ ADMX Info:
-
-
+
+
Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -666,20 +686,22 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Migration Mode*
- GP name: *Client_Coexistence_Enable_Migration_mode*
- GP path: *System/App-V/Client Coexistence*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/IntegrationAllowRootGlobal**
-
+
Home
@@ -701,8 +723,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -710,11 +732,11 @@ ADMX Info:
-
-
+
+
Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -722,20 +744,22 @@ Specifies the location where symbolic links are created to the current version o
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Integration Root User*
- GP name: *Integration_Root_User*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/IntegrationAllowRootUser**
-
+
Home
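Review bot: The ADMX block at the top of this hunk ("Integration Root User" / Integration_Root_User) closes the AppVirtualization/IntegrationAllowRootGlobal section, whose description covers per-user published packages and %localappdata%, while the IntegrationAllowRootUser section that starts here is described in terms of globally published packages and maps to Integration_Root_Global. The CSP node names and the GP settings look crossed. If that is how the CSP actually behaves, add a sentence under each policy saying so; otherwise the descriptions and ADMX blocks need swapping.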
@@ -757,8 +781,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -766,11 +790,11 @@ ADMX Info:
-
-
+
+
Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -778,20 +802,22 @@ Specifies the location where symbolic links are created to the current version o
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Integration Root Global*
- GP name: *Integration_Root_Global*
- GP path: *System/App-V/Integration*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer1**
-
+
Home
@@ -813,8 +839,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -822,8 +848,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -844,7 +870,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -852,20 +878,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 1 Settings*
- GP name: *Publishing_Server1_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer2**
-
+
Home
@@ -887,8 +915,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -896,8 +924,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -918,7 +946,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -926,20 +954,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 2 Settings*
- GP name: *Publishing_Server2_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer3**
-
+
Home
@@ -961,8 +991,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -970,8 +1000,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -992,7 +1022,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1000,20 +1030,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 3 Settings*
- GP name: *Publishing_Server3_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer4**
-
+
Home
@@ -1035,8 +1067,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1044,8 +1076,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -1066,7 +1098,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1074,20 +1106,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 4 Settings*
- GP name: *Publishing_Server4_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/PublishingAllowServer5**
-
+
Home
@@ -1109,8 +1143,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1118,8 +1152,8 @@ ADMX Info:
-
-
+
+
Publishing Server Display Name: Displays the name of publishing server.
Publishing Server URL: Displays the URL of publishing server.
@@ -1140,7 +1174,7 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1148,20 +1182,22 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Publishing Server 5 Settings*
- GP name: *Publishing_Server5_Policy*
- GP path: *System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**
-
+
Home
@@ -1183,8 +1219,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1192,11 +1228,11 @@ ADMX Info:
-
-
+
+
Specifies the path to a valid certificate in the certificate store.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1204,20 +1240,22 @@ Specifies the path to a valid certificate in the certificate store.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Certificate Filter For Client SSL*
- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowHighCostLaunch**
-
+
Home
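Review bot: The note kept as context at the top of this hunk ("there are a variety of online encoders that you can use") points admins at third-party web tools for encoding the SyncML payload, and for this policy the value being set is a certificate store path. Since the patch already touches the lines around every copy of this note, consider rewording it to recommend XML-encoding the payload locally or using CDATA, and dropping the reference to online encoders.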
@@ -1239,8 +1277,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1248,11 +1286,11 @@ ADMX Info:
-
-
+
+
This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1260,20 +1298,22 @@ This setting controls whether virtualized applications are launched on Windows 8
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
- GP name: *Streaming_Allow_High_Cost_Launch*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowLocationProvider**
-
+
Home
@@ -1295,8 +1335,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1304,11 +1344,11 @@ ADMX Info:
-
-
+
+
Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1316,20 +1356,22 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Location Provider*
- GP name: *Streaming_Location_Provider*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowPackageInstallationRoot**
-
+
Home
@@ -1351,8 +1393,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1360,11 +1402,11 @@ ADMX Info:
-
-
+
+
Specifies directory where all new applications and updates will be installed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1372,20 +1414,22 @@ Specifies directory where all new applications and updates will be installed.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Package Installation Root*
- GP name: *Streaming_Package_Installation_Root*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowPackageSourceRoot**
-
+
Home
@@ -1407,8 +1451,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1416,11 +1460,11 @@ ADMX Info:
-
-
+
+
Overrides source location for downloading package content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1428,20 +1472,22 @@ Overrides source location for downloading package content.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Package Source Root*
- GP name: *Streaming_Package_Source_Root*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowReestablishmentInterval**
-
+
Home
@@ -1463,8 +1509,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1472,11 +1518,11 @@ ADMX Info:
-
-
+
+
Specifies the number of seconds between attempts to reestablish a dropped session.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1484,20 +1530,22 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reestablishment Interval*
- GP name: *Streaming_Reestablishment_Interval*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingAllowReestablishmentRetries**
-
+
Home
@@ -1519,8 +1567,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1528,11 +1576,11 @@ ADMX Info:
-
-
+
+
Specifies the number of times to retry a dropped session.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1540,20 +1588,22 @@ Specifies the number of times to retry a dropped session.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Reestablishment Retries*
- GP name: *Streaming_Reestablishment_Retries*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingSharedContentStoreMode**
-
+
Home
@@ -1575,8 +1625,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1584,11 +1634,11 @@ ADMX Info:
-
-
+
+
Specifies that streamed package contents will be not be saved to the local hard disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
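Review bot: The description kept as context in this hunk reads "streamed package contents will be not be saved to the local hard disk"; the first "be" is a typo. Worth fixing in this pass, since the line sits between two changed lines.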
@@ -1596,20 +1646,22 @@ Specifies that streamed package contents will be not be saved to the local hard
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Shared Content Store (SCS) mode*
- GP name: *Streaming_Shared_Content_Store_Mode*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingSupportBranchCache**
-
+
Home
@@ -1631,8 +1683,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1640,11 +1692,11 @@ ADMX Info:
-
-
+
+
If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
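Review bot: The description in this hunk spells the feature "BrancheCache" once and "BranchCache" twice, and its last sentence has no closing period. Suggest correcting the spelling and punctuation while the surrounding lines are being changed.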
@@ -1652,20 +1704,22 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable Support for BranchCache*
- GP name: *Streaming_Support_Branch_Cache*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/StreamingVerifyCertificateRevocationList**
-
+
Home
@@ -1687,8 +1741,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1696,11 +1750,11 @@ ADMX Info:
-
-
+
+
Verifies Server certificate revocation status before streaming using HTTPS.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
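Review bot: The one-line description in this hunk ("Verifies Server certificate revocation status before streaming using HTTPS.") does not say what the client does when revocation status cannot be determined, or how it behaves when the policy is disabled or not configured. The AttachmentManager topics in this same patch spell out the enabled, disabled and not-configured cases; suggest doing the same here. "Server" should also be lowercase.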
@@ -1708,20 +1762,22 @@ Verifies Server certificate revocation status before streaming using HTTPS.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Verify certificate revocation list*
- GP name: *Streaming_Verify_Certificate_Revocation_List*
- GP path: *System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
-
-
+
+
+
-
+
+
**AppVirtualization/VirtualComponentsAllowList**
-
+
Home
@@ -1743,8 +1799,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1752,11 +1808,11 @@ ADMX Info:
-
-
+
+
Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
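Review bot: The description in this hunk says the process paths "may contain wildcards" but does not document the wildcard syntax, the list separator, or give a sample value. Because "Only processes whose full path matches one of these items can use virtual components", an admin needs that detail to write a list that is no broader than intended; suggest adding the format and one example entry.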
@@ -1764,15 +1820,15 @@ Specifies a list of process paths (may contain wildcards) which are candidates f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Virtual Component Process Allow List*
- GP name: *Virtualization_JITVAllowList*
- GP path: *System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
-
-
+
+
Footnote:
@@ -1781,5 +1837,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 71012e8237..c80e44f614 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - AttachmentManager
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## AttachmentManager policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,8 +67,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
If you enable this policy setting, Windows does not mark file attachments with their zone information.
@@ -75,7 +77,7 @@ If you disable this policy setting, Windows marks file attachments with their zo
If you do not configure this policy setting, Windows marks file attachments with their zone information.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -83,20 +85,22 @@ If you do not configure this policy setting, Windows marks file attachments with
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not preserve zone information in file attachments*
- GP name: *AM_MarkZoneOnSavedAtttachments*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
-
+
+
+
-
+
+
**AttachmentManager/HideZoneInfoMechanism**
-
+
Home
@@ -118,8 +122,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -127,8 +131,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
If you enable this policy setting, Windows hides the check box and Unblock button.
@@ -137,7 +141,7 @@ If you disable this policy setting, Windows shows the check box and Unblock butt
If you do not configure this policy setting, Windows hides the check box and Unblock button.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
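Review bot: The not-configured case in this hunk ("If you do not configure this policy setting, Windows hides the check box and Unblock button.") matches the enabled behaviour, while the hunk header shows the disabled case as showing the check box. In the other two AttachmentManager policies in this file, not configured matches disabled. Please confirm against AttachmentManager.admx that the default really is to hide the Unblock mechanism, and correct the line if it is not.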
@@ -145,20 +149,22 @@ If you do not configure this policy setting, Windows hides the check box and Unb
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Hide mechanisms to remove zone information*
- GP name: *AM_RemoveZoneInfo*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
-
+
+
+
-
+
+
**AttachmentManager/NotifyAntivirusPrograms**
-
+
Home
@@ -180,8 +186,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -189,9 +195,9 @@ ADMX Info:
-
-
-This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
+
+
+This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
@@ -199,7 +205,7 @@ If you disable this policy setting, Windows does not call the registered antivir
If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -207,15 +213,15 @@ If you do not configure this policy setting, Windows does not call the registere
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
-
-
+
+
Footnote:
@@ -224,5 +230,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index aefc04173f..02a363e078 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Authentication
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Authentication policies
Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.
+
+
+Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.
-
+
The following list shows the supported values:
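Review bot: The re-added description line carries "enable self service password reset feature on the windows logon screen". Suggest "enable the self-service password reset feature on the Windows logon screen" while the line is being rewritten.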
@@ -83,12 +85,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**Authentication/AllowEAPCertSSO**
-
+
Home
@@ -110,8 +114,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -119,11 +123,11 @@ The following list shows the supported values:
-
-
-
Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
+
+
+Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
-
+
The following list shows the supported values:
@@ -131,12 +135,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Authentication/AllowFastReconnect**
-
+
Home
@@ -158,8 +164,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -167,13 +173,13 @@ The following list shows the supported values:
-
-
-
Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
+
+
+Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -181,12 +187,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -208,8 +216,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -217,15 +225,15 @@ The following list shows the supported values:
-
-
-
Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0
+
+
+Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0
-
Value type is integer.
+Value type is integer.
-
Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
+Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
-
+
The following list shows the supported values:
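Review bot: The added scenario paragraph does not parse: "employees throughout the day using as many as 20 different devices" has no finite verb, and "login" and "everytime" should be "log in" and "every time". Suggest "employees use as many as 20 different devices throughout the day". The first added line also ends without a period after "FIDO 2.0", and "Supported in the next release" will go stale; name the release or drop the sentence.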
@@ -233,12 +241,14 @@ The following list shows the supported values:
- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows.
-
+
+
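Review bot: The supported-values line kept as context here ends "allows usage of FIDO devices to sign into an Windows"; suggest "to sign in to Windows".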
@@ -260,8 +270,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -269,13 +279,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
+
+
+Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
-
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
+The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
-
+
+
+ADMX Info:
+- GP English name: *Allow companion device for secondary authentication*
+- GP name: *MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice*
+- GP path: *Windows Components/Microsoft Secondary Authentication Factor*
+- GP ADMX file name: *DeviceCredential.admx*
+
+
The following list shows the supported values:
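Review bot: The added description says the default "must be on for consumer devices ... and off for enterprise devices", which reads as a requirement rather than a statement of what the device does. State the actual default value for each device type so it lines up with the supported-values list that follows, and use "on-premises" rather than "on-premise".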
@@ -283,7 +301,7 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
Footnote:
@@ -292,7 +310,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Authentication policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 0eeac9b230..2e2ecaf426 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Autoplay
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Autoplay policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -66,15 +68,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting disallows AutoPlay for MTP devices like cameras or phones.
If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.
If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -82,20 +84,22 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Autoplay for non-volume devices*
- GP name: *NoAutoplayfornonVolume*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
-
+
+
+
-
+
+
**Autoplay/SetDefaultAutoRunBehavior**
-
+
Home
@@ -117,8 +121,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -127,8 +131,8 @@ ADMX Info:
-
-
+
+
This policy setting sets the default behavior for Autorun commands.
Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
@@ -144,7 +148,7 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto
If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
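Review bot: The context line "If you disable or not configure this policy setting" is missing "do"; the other Autoplay policies in this file use "If you disable or do not configure". Worth fixing in this pass, since the line sits directly above the change.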
@@ -152,20 +156,22 @@ If you disable or not configure this policy setting, Windows Vista or later will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set the default behavior for AutoRun*
- GP name: *NoAutorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
-
+
+
+
-
+
+
**Autoplay/TurnOffAutoPlay**
-
+
Home
@@ -187,8 +193,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -197,8 +203,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn off the Autoplay feature.
Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
@@ -215,7 +221,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled.
Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -223,15 +229,15 @@ Note: This policy setting appears in both the Computer Configuration and User Co
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Autoplay*
- GP name: *Autorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
-
-
+
+
Footnote:
@@ -240,5 +246,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index ede5f3ea04..852a915bac 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Bitlocker
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Bitlocker policies
Specifies the BitLocker Drive Encryption method and cipher strength.
+
+
+Specifies the BitLocker Drive Encryption method and cipher strength.
> [!NOTE]
> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop.
-
You can find the following policies in BitLocker CSP:
+You can find the following policies in BitLocker CSP:
Specifies whether the device can send out Bluetooth advertisements.
+
+
+Specifies whether the device can send out Bluetooth advertisements.
-
If this is not set or it is deleted, the default value of 1 (Allow) is used.
+If this is not set or it is deleted, the default value of 1 (Allow) is used.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -87,12 +89,14 @@ The following list shows the supported values:
- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral.
-
+
+
-
+
+
**Bluetooth/AllowDiscoverableMode**
-
+
Home
@@ -114,8 +118,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -123,15 +127,15 @@ The following list shows the supported values:
-
-
-
Specifies whether other Bluetooth-enabled devices can discover the device.
+
+
+Specifies whether other Bluetooth-enabled devices can discover the device.
-
If this is not set or it is deleted, the default value of 1 (Allow) is used.
+If this is not set or it is deleted, the default value of 1 (Allow) is used.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -139,12 +143,14 @@ The following list shows the supported values:
- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.
-
+
+
-
+
+
**Bluetooth/AllowPrepairing**
-
+
Home
@@ -166,8 +172,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -175,11 +181,11 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
+
+
+Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
-
+
The following list shows the supported values:
@@ -187,12 +193,14 @@ The following list shows the supported values:
- 1 (default)– Allowed.
-
+
+
-
+
+
**Bluetooth/LocalDeviceName**
-
+
Home
@@ -214,8 +222,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -223,21 +231,23 @@ The following list shows the supported values:
-
-
-
Sets the local Bluetooth device name.
+
+
+Sets the local Bluetooth device name.
-
If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
+If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
-
If this policy is not set or it is deleted, the default local radio name is used.
+If this policy is not set or it is deleted, the default local radio name is used.
+
+
+
-
-
-
+
+
**Bluetooth/ServicesAllowedList**
-
+
Home
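Review bot: In the added LocalDeviceName description, the sentence ending "and verify that the value that was specified." is incomplete, and it is carried over unchanged from the removed line. Finish the sentence so the reader knows what to check on the second device, for example that the specified value is what appears as the device name.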
@@ -259,8 +269,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -268,14 +278,14 @@ The following list shows the supported values:
-
-
-
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
+
+
+Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
-
The default value is an empty string.
+The default value is an empty string.
-
-
+
+
Footnote:
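Review bot: The added ServicesAllowedList description says the UUIDs are "delimited by semicolons", but the example shows a single UUID, so the reader cannot see how multiple entries are written. Suggest a two-entry example. The line "The default value is an empty string." also does not say what an empty allow list means for the device (every service permitted, or none), which is the first thing an admin restricting Bluetooth profiles needs to know.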
@@ -284,7 +294,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Bluetooth policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 990c0726eb..22fc158c08 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 03/05/2018
---
# Policy CSP - Browser
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## Browser policies
Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.
+
+
+Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.
> [!NOTE]
> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow Address bar drop-down list suggestions*
+- GP name: *AllowAddressBarDropdown*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -190,12 +203,14 @@ The following list shows the supported values:
- 1 (default) – Allowed. Address bar drop-down is enabled.
-
+
+
-
+
+
**Browser/AllowAutofill**
-
+
Home
@@ -217,8 +232,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -227,33 +242,45 @@ The following list shows the supported values:
-
-
-
Specifies whether autofill on websites is allowed.
+
+
+Specifies whether autofill on websites is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
To verify AllowAutofill is set to 0 (not allowed):
+
+
+ADMX Info:
+- GP English name: *Configure Autofill*
+- GP name: *AllowAutofill*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+To verify AllowAutofill is set to 0 (not allowed):
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Save form entries** is greyed out.
-
-
-The following list shows the supported values:
+
+
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
+
+
**Browser/AllowBrowser**
-
+
Home
@@ -275,8 +302,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -285,19 +312,19 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
-
Specifies whether the browser is allowed on the device.
+Specifies whether the browser is allowed on the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator.
+When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator.
-
+
The following list shows the supported values:
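Review bot: Typo in the added AllowBrowser line: "theat Internet browsing" should be "that Internet browsing". It is copied verbatim from the removed line, so this rewrite is the place to correct it.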
@@ -305,12 +332,65 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+
+
+
+The following list shows the supported values:
+
+- 0 - Disable. Microsoft Edge cannot retrieve a configuration
+- 1 - Enable (default). Microsoft Edge can retrieve a configuration for Books Library
+
+
+
+
+
+
+
**Browser/AllowCookies**
-
+
Home
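Review bot: The value list in the added Books Library configuration section is inconsistent with the lists around it. "- 0 - Disable. Microsoft Edge cannot retrieve a configuration" stops without a period and without the "for Books Library" that the 1 entry has, and "(default)" follows "Enable" instead of the number as in "- 1 (default) – Allowed.". Suggest completing the 0 entry and using the same "1 (default) –" form. The block as shown in this hunk also has no "Added in Windows 10, version ..." line, which the neighbouring new policies include.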
@@ -332,8 +412,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -342,31 +422,47 @@ The following list shows the supported values:
-
-
-
Specifies whether cookies are allowed.
+
+
+Specifies whether cookies are allowed.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+ADMX Info:
+- GP English name: *Configure cookies*
+- GP name: *Cookies*
+- GP element: *CookiesListBox*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
Most restricted value is 0.
-
-
To verify AllowCookies is set to 0 (not allowed):
+
+
+To verify AllowCookies is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Cookies** is greyed out.
-
-
+
+
+
-
+
+
**Browser/AllowDeveloperTools**
-
+
Home
@@ -388,8 +484,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -398,17 +494,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.
+Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow Developer Tools*
+- GP name: *AllowDeveloperTools*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -416,12 +520,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Browser/AllowDoNotTrack**
-
+
Home
@@ -443,8 +549,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -453,20 +559,21 @@ The following list shows the supported values:
-
-
-
Specifies whether Do Not Track headers are allowed.
+
+
+Specifies whether Do Not Track headers are allowed.
-
Most restricted value is 1.
+Most restricted value is 1.
-
To verify AllowDoNotTrack is set to 0 (not allowed):
+
+
+ADMX Info:
+- GP English name: *Configure Do Not Track*
+- GP name: *AllowDoNotTrack*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Send Do Not Track requests** is greyed out.
-
-
+
The following list shows the supported values:
@@ -474,12 +581,23 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+To verify AllowDoNotTrack is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Send Do Not Track requests** is greyed out.
+
+
+
+
-
+
+
**Browser/AllowExtensions**
-
+
Home
@@ -501,8 +619,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -511,11 +629,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
+
+
+Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
-
+
+
+ADMX Info:
+- GP English name: *Allow Extensions*
+- GP name: *AllowExtensions*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -523,12 +649,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Browser/AllowFlash**
-
+
Home
@@ -550,8 +678,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -560,11 +688,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
+
+
+Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
-
+
+
+ADMX Info:
+- GP English name: *Allow Adobe Flash*
+- GP name: *AllowFlash*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -572,12 +708,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Browser/AllowFlashClickToRun**
-
+
Home
@@ -599,8 +737,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -609,11 +747,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
+
+
+Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
-
+
+
+ADMX Info:
+- GP English name: *Configure the Adobe Flash Click-to-Run setting*
+- GP name: *AllowFlashClickToRun*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -621,12 +767,14 @@ The following list shows the supported values:
- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
-
+
+
-
+
+
**Browser/AllowInPrivate**
-
+
Home
@@ -648,8 +796,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -658,13 +806,21 @@ The following list shows the supported values:
-
-
-
Specifies whether InPrivate browsing is allowed on corporate networks.
+
+
+Specifies whether InPrivate browsing is allowed on corporate networks.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow InPrivate browsing*
+- GP name: *AllowInPrivate*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -672,12 +828,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -699,8 +857,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -709,16 +867,24 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
+
+
+Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat".
-
If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation.
+If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow Microsoft Compatibility List*
+- GP name: *AllowCVList*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -726,12 +892,14 @@ The following list shows the supported values:
- 1 (default) – Enabled.
-
+
+
-
+
+
**Browser/AllowPasswordManager**
-
+
Home
@@ -753,8 +921,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -763,20 +931,21 @@ The following list shows the supported values:
-
-
-
Specifies whether saving and managing passwords locally on the device is allowed.
+
+
+Specifies whether saving and managing passwords locally on the device is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
To verify AllowPasswordManager is set to 0 (not allowed):
+
+
+ADMX Info:
+- GP English name: *Configure Password Manager*
+- GP name: *AllowPasswordManager*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
-
-
+
The following list shows the supported values:
@@ -784,12 +953,23 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+To verify AllowPasswordManager is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
+
+
+
+
-
+
+
**Browser/AllowPopups**
-
+
Home
@@ -811,8 +991,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -821,20 +1001,21 @@ The following list shows the supported values:
-
-
-
Specifies whether pop-up blocker is allowed or enabled.
+
+
+Specifies whether pop-up blocker is allowed or enabled.
-
Most restricted value is 1.
+Most restricted value is 1.
-
To verify AllowPopups is set to 0 (not allowed):
+
+
+ADMX Info:
+- GP English name: *Configure Pop-up Blocker*
+- GP name: *AllowPopups*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
-1. Open Microsoft Edge.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Block pop-ups** is greyed out.
-
-
+
The following list shows the supported values:
@@ -842,12 +1023,23 @@ The following list shows the supported values:
- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked.
-
+
+To verify AllowPopups is set to 0 (not allowed):
+
+1. Open Microsoft Edge.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Block pop-ups** is greyed out.
+
+
+
+
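Review bot: The re-added heading "To verify AllowPopups is set to 0 (not allowed):" is easy to misread. The value list says 1 means the pop-up blocker is enabled and pop-up windows are blocked, so "0 (not allowed)" here means the blocker is off, not that pop-ups are disallowed. Suggest spelling that out in the heading. Since the description gives 1 as the most restricted value, also add what an admin should see when 1 is applied.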
@@ -869,8 +1061,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -879,15 +1071,23 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.
+
+
+Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.
-
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
+If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow search engine customization*
+- GP name: *AllowSearchEngineCustomization*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -895,12 +1095,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -922,8 +1124,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -932,13 +1134,21 @@ The following list shows the supported values:
-
-
-
Specifies whether search suggestions are allowed in the address bar.
+
+
+Specifies whether search suggestions are allowed in the address bar.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Configure search suggestions in Address bar*
+- GP name: *AllowSearchSuggestionsinAddressBar*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -946,12 +1156,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Browser/AllowSmartScreen**
-
+
Home
@@ -973,8 +1185,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -983,33 +1195,45 @@ The following list shows the supported values:
-
-
-
Specifies whether Windows Defender SmartScreen is allowed.
+
+
+Specifies whether Windows Defender SmartScreen is allowed.
-
Most restricted value is 1.
+Most restricted value is 1.
-
To verify AllowSmartScreen is set to 0 (not allowed):
+
+
+ADMX Info:
+- GP English name: *Configure Windows Defender SmartScreen*
+- GP name: *AllowSmartScreen*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+To verify AllowSmartScreen is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
-
-
-The following list shows the supported values:
+
+
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
+
+
**Browser/AlwaysEnableBooksLibrary**
-
+
Home
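Review bot: The verification steps moved in this hunk cover only "AllowSmartScreen is set to 0 (not allowed)", which is the state with SmartScreen turned off, while the description states "Most restricted value is 1." Suggest adding the matching check for 1, or stating whether the SmartScreen setting is also greyed out when the policy enforces 1, so admins can confirm the hardened state and not only the disabled one.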
@@ -1031,9 +1255,8 @@ The following list shows the supported values:
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1042,13 +1265,19 @@ The following list shows the supported values:
-
-
-
+
+
+Added in Windows 10, next majot update. Always show the Books Library in Microsoft Edge
-
Added in Windows 10, next majot update. Always show the Books Library in Microsoft Edge
+
+
+ADMX Info:
+- GP English name: *Always show the Books Library in Microsoft Edge*
+- GP name: *AlwaysEnableBooksLibrary*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
-
+
The following list shows the supported values:
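Review bot: The added AlwaysEnableBooksLibrary description keeps the typo "majot" in "Added in Windows 10, next majot update." and the second sentence has no closing period. "next major update" will also go stale. The other policies in this file name the release ("Added in Windows 10, version 1703"), so use the version number here if it is known.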
@@ -1056,12 +1285,14 @@ The following list shows the supported values:
- 1 - Enable. Always show the Books Library, regardless of countries or region of activation.
-
+
+
-
+
+
**Browser/ClearBrowsingDataOnExit**
-
+
Home
@@ -1083,8 +1314,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1093,19 +1324,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
+
+
+Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
-
Most restricted value is 1.
+Most restricted value is 1.
-
To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
+
+
+ADMX Info:
+- GP English name: *Allow clearing browsing data on exit*
+- GP name: *AllowClearingBrowsingDataOnExit*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
-1. Open Microsoft Edge and browse to websites.
-2. Close the Microsoft Edge window.
-3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
-
-
+
The following list shows the supported values:
@@ -1113,12 +1346,22 @@ The following list shows the supported values:
- 1 – Browsing data is cleared on exit.
-
+
+To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
+
+1. Open Microsoft Edge and browse to websites.
+2. Close the Microsoft Edge window.
+3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
+
+
+
+
@@ -1140,8 +1383,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1150,32 +1393,46 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.
+
+
+Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.
-
If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).
+If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).
Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.
-
If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine.
+If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine.
> [!IMPORTANT]
> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+ADMX Info:
+- GP English name: *Configure additional search engines*
+- GP name: *ConfigureAdditionalSearchEngines*
+- GP element: *ConfigureAdditionalSearchEngines_Prompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Additional search engines are not allowed.
- 1 – Additional search engines are allowed.
-
Most restricted value is 0.
+
+
-
-
-
+
+
**Browser/DisableLockdownOfStartPages**
-
+
Home
@@ -1197,8 +1454,8 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1207,9 +1464,9 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-
Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.
+
+
+Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.
> [!NOTE]
> This policy has no effect when the Browser/HomePages policy is not configured.
@@ -1217,22 +1474,32 @@ Employees cannot remove these search engines, but they can set any one as the de
> [!IMPORTANT]
> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Disable lockdown of Start pages*
+- GP name: *DisableLockdownOfStartPages*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
-- 1 – Disable lockdown of the Start pages and allow users to modify them.
+- 1 – Disable lockdown of the Start pages and allow users to modify them.
-
+
+
@@ -1254,8 +1521,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1264,33 +1531,36 @@ The following list shows the supported values:
-
-
+
+
This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in Microsoft Edge.
-If you enable this setting, Microsoft Edge sends additional telemetry data, on top of the basic telemetry data, from the Books tab. If you disable or don't configure this setting, Microsoft Edge only sends basic telemetry data, depending on your device configuration.
+If you enable this setting, Microsoft Edge sends additional diagnostic data, on top of the basic diagnostic data, from the Books tab. If you disable or don't configure this setting, Microsoft Edge only sends basic diagnostic data, depending on your device configuration.
-
+
+
+ADMX Info:
+- GP English name: *Allow extended telemetry for the Books tab*
+- GP name: *EnableExtendedBooksTelemetry*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
-- 0 (default) - Disable. No additional telemetry.
-- 1 - Enable. Additional telemetry for schools.
-
+- 0 (default) - Disable. No additional diagnostic data.
+- 1 - Enable. Additional diagnostic data for schools.
-
+
-
-
-
-
-
-
+
+
**Browser/EnterpriseModeSiteList**
-
+
Home
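Review bot: The rewritten prose now says "diagnostic data", but the ADMX entry added in the same hunk is still named *Allow extended telemetry for the Books tab* (EnableExtendedBooksTelemetry). Add a sentence that ties the two terms together so an admin searching the Group Policy editor finds the setting. This data-collection policy also has no "Most restricted value" line, unlike its neighbours; with 0 listed as "Disable. No additional diagnostic data", consider adding "Most restricted value is 0."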
@@ -1312,8 +1582,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1322,26 +1592,39 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to specify an URL of an enterprise site list.
+Allows the user to specify an URL of an enterprise site list.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Configure the Enterprise Mode Site List*
+- GP name: *EnterpriseModeSiteList*
+- GP element: *EnterSiteListPrompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL location of the enterprise site list.
-
-
+
+
+
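Review bot: The supported-values text kept here, "Not configured. The device checks for updates from Microsoft Update.", does not describe a site-list policy and reads as if it was pasted from an update policy. Since this hunk already reworks the section, replace it with what Microsoft Edge does when no enterprise site list URL is set. On the re-added description line, "an URL" should be "a URL", and "Allows the user to specify" probably means the administrator, since this is set through MDM or Group Policy.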
@@ -1363,8 +1646,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1373,18 +1656,20 @@ The following list shows the supported values:
-
-
+
+
> [!IMPORTANT]
> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist).
-
-
+
+
+
-
+
+
**Browser/FirstRunURL**
-
+
Home
@@ -1406,8 +1691,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1416,25 +1701,27 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time.
+Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time.
-
The data type is a string.
+The data type is a string.
-
The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”.
+The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”.
+
+
+
-
-
-
+
+
**Browser/HomePages**
-
+
Home
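Review bot: The re-added description line still carries the stray period in "Microsoft Edge for Windows 10 Mobile. will use"; drop it while the line is being touched.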
@@ -1456,8 +1743,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1466,27 +1753,38 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>"
+Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>"
-
Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users.
+Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users.
-
Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.
+Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.
> [!NOTE]
> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
-
-
+
+
+ADMX Info:
+- GP English name: *Configure Start pages*
+- GP name: *HomePages*
+- GP element: *HomePagesPrompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+
-
+
+
**Browser/LockdownFavorites**
-
+
Home
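Review bot: The example on the re-added description line, "<support.contoso.com><support.microsoft.com>", lists bare host names, so the reader cannot tell whether a scheme is required or which one is assumed. Because version 1607 and later enforce these Start pages and users cannot change them, say whether a scheme is accepted and, if it is, show https:// in the example.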
@@ -1508,8 +1806,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1518,20 +1816,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
+
+
+Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
-
If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
+If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
> [!Important]
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
-
If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
+If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
-
Data type is integer.
+Data type is integer.
-
+
+
+ADMX Info:
+- GP English name: *Prevent changes to Favorites on Microsoft Edge*
+- GP name: *LockdownFavorites*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1539,12 +1845,14 @@ The following list shows the supported values:
- 1 - Enabled. Lockdown Favorites.
-
+
+
@@ -1566,8 +1874,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1576,11 +1884,19 @@ The following list shows the supported values:
-
-
-
Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
+
+
+Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
-
+
+
+ADMX Info:
+- GP English name: *Prevent access to the about:flags page in Microsoft Edge*
+- GP name: *PreventAccessToAboutFlagsInMicrosoftEdge*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
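Review bot: This entry gains an ADMX block but, unlike the other hardening policies in this file, no "Most restricted value" line. The value list that follows gives "1 – Users can't access the about:flags page in Microsoft Edge", so add "Most restricted value is 1." after the description.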
@@ -1588,12 +1904,14 @@ The following list shows the supported values:
- 1 – Users can't access the about:flags page in Microsoft Edge.
-
+
+
-
+
+
**Browser/PreventFirstRunPage**
-
+
Home
@@ -1615,8 +1933,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1625,13 +1943,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
+
+
+Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
-
Most restricted value is 1.
+Most restricted value is 1.
-
+
+
+ADMX Info:
+- GP English name: *Prevent the First Run webpage from opening on Microsoft Edge*
+- GP name: *PreventFirstRunPage*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
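Review bot: "zero-emissions configuration" on the re-added description line is not defined anywhere in this entry and is not a term an admin can look up from here. Link it to a definition or replace it with a plain statement of the requirement the policy serves.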
@@ -1639,12 +1965,14 @@ The following list shows the supported values:
- 1 – Employees don't see the First Run webpage.
-
+
+
@@ -1666,8 +1994,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1676,13 +2004,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
+
+
+Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
-
Most restricted value is 1.
+Most restricted value is 1.
-
+
+
+ADMX Info:
+- GP English name: *Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start*
+- GP name: *PreventLiveTileDataCollection*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1690,12 +2026,14 @@ The following list shows the supported values:
- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
-
+
+
@@ -1717,8 +2055,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1727,13 +2065,21 @@ The following list shows the supported values:
-
-
-
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
+
+
+Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
-
Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site.
+Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site.
-
+
+
+ADMX Info:
+- GP English name: *Prevent bypassing Windows Defender SmartScreen prompts for sites*
+- GP name: *PreventSmartScreenPromptOverride*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
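Review bot: Neither the description nor the new ADMX block says which value is the most restricted, and the value list that follows only reads "1 – On." For a policy named *Prevent bypassing Windows Defender SmartScreen prompts for sites*, add "Most restricted value is 1." and expand the value text to say that with 1 users cannot continue past the warning. The same gap is visible in the PreventSmartScreenPromptOverrideForFiles entry in the next hunks. On the re-added paragraph, "and to continue to the site" should be "and continue to the site".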
@@ -1741,12 +2087,14 @@ The following list shows the supported values:
- 1 – On.
-
+
+
@@ -1768,8 +2116,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1778,11 +2126,19 @@ The following list shows the supported values:
-
-
-
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
+
+
+Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
-
+
+
+ADMX Info:
+- GP English name: *Prevent bypassing Windows Defender SmartScreen prompts for files*
+- GP name: *PreventSmartScreenPromptOverrideForFiles*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -1790,12 +2146,14 @@ The following list shows the supported values:
- 1 – On.
-
+
+
@@ -1817,8 +2175,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1827,15 +2185,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an
user’s localhost IP address while making phone calls using WebRTC.
+Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an user’s localhost IP address while making phone calls using WebRTC.
-
+
+
+ADMX Info:
+- GP English name: *Prevent using Localhost IP address for WebRTC*
+- GP name: *HideLocalHostIPAddress*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
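Review bot: The joined description line still has "an user’s" twice; it should be "a user’s", and the sentence mixes a straight apostrophe ("user's") with curly ones. The GP name added below is *HideLocalHostIPAddress*, so a "Most restricted value is 1." line (1 is "The localhost IP address is hidden" in the list that follows) would remove any doubt about which direction is the hardened one.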
@@ -1843,12 +2209,14 @@ The following list shows the supported values:
- 1 – The localhost IP address is hidden.
-
+
+
-
+
+
**Browser/ProvisionFavorites**
-
+
Home
@@ -1870,8 +2238,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1880,11 +2248,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.
-
URL can be specified as:
+URL can be specified as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\\network\shares\URLs.html"
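Review bot: The URL examples kept as context under "URL can be specified as:" use the key "SiteList", which looks copied from the Enterprise Mode site list documentation rather than this policy, and the first one fetches the favorites file over plain HTTP. Since employees cannot modify or delete provisioned favorites, show an HTTPS location in the example and confirm the key name that belongs to this policy.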
@@ -1893,17 +2261,28 @@ The following list shows the supported values:
> [!Important]
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
-
If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
+If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
-
Data type is string.
+Data type is string.
+
+
+
+ADMX Info:
+- GP English name: *Provision Favorites*
+- GP name: *ConfiguredFavorites*
+- GP element: *ConfiguredFavoritesPrompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
-
-
@@ -1925,8 +2304,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1935,17 +2314,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies whether to send intranet traffic over to Internet Explorer.
+Specifies whether to send intranet traffic over to Internet Explorer.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Send all intranet sites to Internet Explorer 11*
+- GP name: *SendIntranetTraffictoInternetExplorer*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
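Review bot: The GP English name added here, *Send all intranet sites to Internet Explorer 11*, contradicts the value list that follows, which reads "1 – Intranet traffic is sent to Microsoft Edge". Confirm which direction value 1 takes and correct the value text, or the "Most restricted value is 0." line, so an admin does not enable the opposite of what was intended.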
@@ -1953,12 +2340,14 @@ The following list shows the supported values:
- 1 – Intranet traffic is sent to Microsoft Edge.
-
+
+
-
+
+
**Browser/SetDefaultSearchEngine**
-
+
Home
@@ -1980,8 +2369,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1990,31 +2379,45 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
+
+
+Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
-
You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.
+You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.
-
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
+If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
> [!IMPORTANT]
> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+ADMX Info:
+- GP English name: *Set default search engine*
+- GP name: *SetDefaultSearchEngine*
+- GP element: *SetDefaultSearchEngine_Prompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) - The default search engine is set to the one specified in App settings.
- 1 - Allows you to configure the default search engine for your employees.
-
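Review bot: The description says the setting takes a link to an OpenSearch XML file or the strings EDGEDEFAULT and EDGEBING, yet the relocated supported-values list and the newly added "Most restricted value is 0." describe an integer 0/1. State the data type and document the string values in the list, or explain how 0/1 relates to them. The re-added first line also keeps the typo "Allows you configure"; it should be "Allows you to configure".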
@@ -2036,8 +2439,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2046,17 +2449,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
+Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Show message when opening sites in Internet Explorer*
+- GP name: *ShowMessageWhenOpeningSitesInInternetExplorer*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
@@ -2064,12 +2475,14 @@ The following list shows the supported values:
- 1 – Interstitial pages are shown.
-
+
+
@@ -2091,8 +2504,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2101,24 +2514,24 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
+
+
+Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
>
> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices.
-
To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
+
+
+ADMX Info:
+- GP English name: *Keep favorites in sync between Internet Explorer and Microsoft Edge*
+- GP name: *SyncFavoritesBetweenIEAndMicrosoftEdge*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
-
-
Open Internet Explorer and add some favorites.
-
Open Microsoft Edge, then select Hub > Favorites.
-
Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
-
-
-
+
The following list shows the supported values:
@@ -2126,12 +2539,24 @@ The following list shows the supported values:
- 1 – Synchronization is on.
-
+
+To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
+
+
+
Open Internet Explorer and add some favorites.
+
Open Microsoft Edge, then select Hub > Favorites.
+
Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
+
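Review bot: The moved sentence keeps the typo "favorites are in synchronized"; make it "favorites are synchronized" while the line is being relocated.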
@@ -2153,8 +2578,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2163,26 +2588,27 @@ The following list shows the supported values:
-
-
+
+
This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
-
+
+
+ADMX Info:
+- GP English name: *Allow a shared Books folder*
+- GP name: *UseSharedFolderForBooks*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
The following list shows the supported values:
- 0 - No shared folder.
- 1 - Use a shared folder.
-
-
-
-
-
-
-
-
+
Footnote:
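Review bot: The value list "0 - No shared folder." / "1 - Use a shared folder." does not mark a default, unlike the other value lists in this file ("0 (default) ..."). Mark which value applies when the policy is not configured, and since the description says the folder is "shared across users", add a sentence on what that means for access on a multi-user device.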
@@ -2191,7 +2617,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Browser policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index a6d562399b..02a242ec12 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Camera
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Camera policies
Disables or enables the camera.
+
+
+Disables or enables the camera.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow Use of Camera*
+- GP name: *L_AllowCamera*
+- GP path: *Windows Components/Camera*
+- GP ADMX file name: *Camera.admx*
+
+
The following list shows the supported values:
@@ -73,7 +83,7 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
Footnote:
@@ -82,7 +92,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Camera policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 6c2905b717..5b9aa0d665 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/13/2017
+ms.date: 03/05/2018
---
# Policy CSP - Cellular
@@ -15,7 +15,7 @@ ms.date: 12/13/2017
-
+
## Cellular policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -71,8 +73,8 @@ ms.date: 12/13/2017
-
-
+
+
Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
@@ -87,7 +89,14 @@ If you disable or do not configure this policy setting, employees in your organi
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.”
-
+
+
+ADMX Info:
+- GP name: *LetAppsAccessCellularData*
+- GP element: *LetAppsAccessCellularData_Enum*
+- GP ADMX file name: *wwansvc.admx*
+
+
The following list shows the supported values:
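Review bot: the new ADMX Info block for LetAppsAccessCellularData lists only "GP name", "GP element" and "GP ADMX file name", while the ShowAppCellularAccessUI block in this same file (also wwansvc.admx) carries "GP English name" and "GP path" as well. Without those two fields an admin cannot find the setting in the Group Policy editor from this page, so please add them or say why they are omitted. The description line just above still ends with a stray closing quote ("...to be applied to the app.”"), which can be dropped while this section is being touched.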
@@ -96,12 +105,14 @@ The following list shows the supported values:
- 2 - Force Deny
-
-
-
-**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps**
+
-
+
+
+
+**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps**
+
+
Home
@@ -123,8 +134,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -132,17 +143,26 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
-
-
-
-
-**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps**
+
+
+ADMX Info:
+- GP name: *LetAppsAccessCellularData*
+- GP element: *LetAppsAccessCellularData_ForceAllowTheseApps_List*
+- GP ADMX file name: *wwansvc.admx*
-
+
+
+
+
+
+
+**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps**
+
+
Home
@@ -164,8 +184,8 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -173,17 +193,26 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
-
-
-
-
-**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps**
+
+
+ADMX Info:
+- GP name: *LetAppsAccessCellularData*
+- GP element: *LetAppsAccessCellularData_ForceDenyTheseApps_List*
+- GP ADMX file name: *wwansvc.admx*
-
+
+
+
+
+
+
+**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps**
+
+
Home
@@ -205,8 +234,8 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -214,17 +243,26 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
-
-
+
+
+ADMX Info:
+- GP name: *LetAppsAccessCellularData*
+- GP element: *LetAppsAccessCellularData_UserInControlOfTheseApps_List*
+- GP ADMX file name: *wwansvc.admx*
+
+
+
+
-
+
+
**Cellular/ShowAppCellularAccessUI**
-
+
Home
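Review bot: the description for LetAppsAccessCellularData_UserInControlOfTheseApps says "Package Family Names of Windows Store Apps", while the ForceAllowTheseApps and ForceDenyTheseApps descriptions in this file say "Microsoft Store Apps". Use one name across the three list policies. As in the earlier cellular hunks, the added ADMX Info block has no "GP English name" or "GP path" entry.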
@@ -246,8 +284,8 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -255,20 +293,14 @@ Added in Windows 10, version 1709. List of semi-colon delimited Package Family N
-
-
+
+
This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX.
If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.
+If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.
-If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.”
-
-Supported values:
-
-- 0 - Hide
-- 1 - Show
-
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
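Review bot: the re-added sentence still reads "is showed by default"; it should be "is shown by default". This hunk also deletes the "Supported values: 0 - Hide / 1 - Show" list without a replacement. If the removal is intentional because the policy is ADMX-backed and takes a SyncML payload rather than an integer, that is fine, but the description still refers to selecting "Hide" or "Show", so please confirm readers are told how those choices map to the payload.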
@@ -276,15 +308,15 @@ Supported values:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set Per-App Cellular Access UI Visibility*
- GP name: *ShowAppCellularAccessUI*
- GP path: *Network/WWAN Service/WWAN UI Settings*
- GP ADMX file name: *wwansvc.admx*
-
-
+
+
Footnote:
@@ -293,7 +325,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Cellular policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 45755803ec..249cc6cac3 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Connectivity
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Connectivity policies
Allows the user to enable Bluetooth or restrict access.
+
+
+Allows the user to enable Bluetooth or restrict access.
> [!NOTE]
> This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile.
-
If this is not set or it is deleted, the default value of 2 (Allow) is used.
+If this is not set or it is deleted, the default value of 2 (Allow) is used.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -118,12 +120,14 @@ The following list shows the supported values:
- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
-
+
+
-
+
+
**Connectivity/AllowCellularData**
-
+
Home
@@ -145,8 +149,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -154,11 +158,11 @@ The following list shows the supported values:
-
-
-
Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
+
+
+Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
-
+
The following list shows the supported values:
@@ -167,12 +171,14 @@ The following list shows the supported values:
- 2 - Allow the cellular data channel. The user cannot turn it off.
-
+
+
@@ -194,8 +200,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -203,13 +209,21 @@ The following list shows the supported values:
-
-
-
Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
+
+
+Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Prohibit connection to roaming Mobile Broadband networks*
+- GP name: *WCM_DisableRoaming*
+- GP path: *Network/Windows Connection Manager*
+- GP ADMX file name: *WCM.admx*
+
+
The following list shows the supported values:
@@ -219,21 +233,23 @@ The following list shows the supported values:
-
To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
+To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
-
To validate on mobile devices, do the following:
+To validate on mobile devices, do the following:
1. Go to Cellular & SIM.
2. Click on the SIM (next to the signal strength icon) and select **Properties**.
3. On the Properties page, select **Data roaming options**.
-
+
+
-
+
+
**Connectivity/AllowConnectedDevices**
-
+
Home
@@ -255,8 +271,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -264,14 +280,14 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
+Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
-
+
The following list shows the supported values:
@@ -279,12 +295,14 @@ The following list shows the supported values:
- 0 - Disable (CDP service not available).
-
+
+
-
+
+
**Connectivity/AllowNFC**
-
+
Home
@@ -306,8 +324,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -315,17 +333,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Allows or disallows near field communication (NFC) on the device.
+Allows or disallows near field communication (NFC) on the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -333,12 +351,14 @@ The following list shows the supported values:
- 1 (default) – Allow NFC capabilities.
-
+
+
-
+
+
**Connectivity/AllowUSBConnection**
-
+
Home
@@ -360,8 +380,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -369,19 +389,19 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
+Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
-
Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
+Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -389,12 +409,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Connectivity/AllowVPNOverCellular**
-
+
Home
@@ -416,8 +438,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -425,13 +447,13 @@ The following list shows the supported values:
-
-
-
Specifies what type of underlying connections VPN is allowed to use.
+
+
+Specifies what type of underlying connections VPN is allowed to use.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -439,12 +461,14 @@ The following list shows the supported values:
- 1 (default) – VPN can use any connection, including cellular.
-
+
+
@@ -466,8 +490,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -475,13 +499,13 @@ The following list shows the supported values:
-
-
-
Prevents the device from connecting to VPN when the device roams over cellular networks.
+
+
+Prevents the device from connecting to VPN when the device roams over cellular networks.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -489,12 +513,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Connectivity/DiablePrintingOverHTTP**
-
+
Home
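Review bot: the policy heading in this hunk is spelled "Connectivity/DiablePrintingOverHTTP", while the neighbouring policy is "DisableDownloadingOfPrintDriversOverHTTP" and the GP name for this one is "DisableHTTPPrinting_2". If "Diable" is only a documentation typo, fix it here. If it is the actual node name on the device, add a one-line note saying so, because an admin who "corrects" the spelling when building the policy path will target a node that does not exist and the restriction will silently not apply.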
@@ -516,8 +542,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -525,10 +551,21 @@ The following list shows the supported values:
-
-
+
+
+This policy setting specifies whether to allow printing over HTTP from this client.
-
+Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
+
+Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
+
+If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.
+
+If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP.
+
+Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
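Review bot: the added description uses a plain-text "Note:" paragraph, whereas the rest of this file uses the alert syntax ("> [!NOTE]"). Convert it so the caveat that the setting affects only the client side of Internet printing, and does not stop the machine acting as an Internet Printing server, is rendered as a callout rather than buried in body text. The same applies to the "Note:" paragraph added for DisableDownloadingOfPrintDriversOverHTTP.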
@@ -536,20 +573,22 @@ The following list shows the supported values:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
-
+
+
+
-
+
+
**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
-
+
Home
@@ -571,8 +610,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -580,10 +619,19 @@ ADMX Info:
-
-
+
+
+This policy setting specifies whether to allow this client to download print driver packages over HTTP.
-
+To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.
+
+Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally.
+
+If you enable this policy setting, print drivers cannot be downloaded over HTTP.
+
+If you disable or do not configure this policy setting, users can download print drivers over HTTP.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -591,20 +639,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
-
+
+
+
-
+
+
**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
-
+
Home
@@ -626,8 +676,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -635,10 +685,19 @@ ADMX Info:
-
-
+
+
+This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards.
-
+These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.
+
+If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed.
+
+If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards.
+
+See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -646,20 +705,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_2*
- GP path: *Internet Communication settings*
- GP ADMX file name: *ICM.admx*
-
-
+
+
+
-
+
+
**Connectivity/DisallowNetworkConnectivityActiveTests**
-
+
Home
@@ -681,8 +742,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -690,19 +751,29 @@ ADMX Info:
-
-
+
+
Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com.
Value type is integer.
-
-
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Network Connectivity Status Indicator active tests*
+- GP name: *NoActiveProbe*
+- GP path: *Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
-
+
+
**Connectivity/HardenedUNCPaths**
-
+
Home
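Review bot: the description for DisallowNetworkConnectivityActiveTests says "Value type is integer." but neither the existing text nor the added ADMX Info block says which integer values are accepted or which one turns the NCSI active probe off. Every other integer policy in this patch has a "The following list shows the supported values:" section; add one here so the setting can be applied without guessing.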
@@ -724,8 +795,8 @@ Value type is integer.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -733,13 +804,13 @@ Value type is integer.
-
-
+
+
This policy setting configures secure access to UNC paths.
If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
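Review bot: this hunk only swaps section markers, but the HardenedUNCPaths description it wraps still says Windows allows access "after fulfilling additional security requirements" without naming those requirements or showing what a configured path entry looks like. Since the section is being restructured anyway, expand the description or link to the page that defines the requirements, as was done for the other ADMX-backed Connectivity policies in this patch.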
@@ -747,20 +818,22 @@ If you enable this policy, Windows only allows access to the specified UNC paths
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
- GP path: *Network/Network Provider*
- GP ADMX file name: *networkprovider.admx*
-
-
+
+
+
-
+
+
**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
-
+
Home
@@ -782,8 +855,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -791,10 +864,17 @@ ADMX Info:
-
-
+
+
+Determines whether a user can install and configure the Network Bridge.
-
+Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
+
+The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder.
+
+If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
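Review bot: two typos in the added description: "This settings is location aware" should be "This setting is location aware", and "network segements" should be "network segments". The text also explains only the disabled and not-configured case ("the user will be able to create and modify the configuration of a Network Bridge") and what enabling does not do; add a sentence stating what enabling the setting does, so the restrictive state is explicit.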
@@ -802,15 +882,15 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
- GP path: *Network/Network Connections*
- GP ADMX file name: *NetworkConnections.admx*
-
-
+
+
Footnote:
@@ -819,7 +899,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Connectivity policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index c628f5e912..229109756e 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/11/2018
+ms.date: 01/30/2018
---
# Policy CSP - ControlPolicyConflict
@@ -17,7 +17,7 @@ ms.date: 01/11/2018
-
+
## ControlPolicyConflict policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -61,11 +63,11 @@ ms.date: 01/11/2018
-
-
-Added in Windows 10, next major update. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device.
+
+
+Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device.
-This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. In next major update, the MDM policies in Policy CSP will behave as described if this policy value is set 1.
+This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:
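Review bot: the paragraph beginning "This policy is used to ensure that MDM policy wins over GP" hides two operational constraints in running text: the policy "doesn’t support Delete command" and cannot be set back to 0 once set to 1. Because that makes the change effectively one-way on an enrolled device, move both statements into a "> [!NOTE]" callout like the ones used elsewhere in these files. Minor wording while there: "when same setting is set" should be "when the same setting is set", and "previously set 1" / "is set 1" should be "set to 1".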
@@ -73,22 +75,15 @@ The policy should be set at every sync to ensure the device removes any settings
- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
-
+
The following list shows the supported values:
- 0 (default)
- 1 - The MDM policy is used and the GP policy is blocked.
-
-
-
-
-
-
-
-
+
Footnote:
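Review bot: in the supported-values list, "- 0 (default)" has no description, while "- 1" is explained as "The MDM policy is used and the GP policy is blocked." State what happens at 0 when both an MDM policy and its Group Policy equivalent are set, since that is the state most devices will be in.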
@@ -97,5 +92,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 8db7adb8b4..039a57e0fb 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - CredentialProviders
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## CredentialProviders policies
@@ -30,11 +30,13 @@ ms.date: 12/14/2017
+
-
+
+
**CredentialProviders/AllowPINLogon**
-
+
Home
@@ -56,8 +58,8 @@ ms.date: 12/14/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,8 +67,8 @@ ms.date: 12/14/2017
-
-
+
+
This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
@@ -77,7 +79,7 @@ Note: The user's domain password will be cached in the system vault when using t
To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -85,20 +87,22 @@ To configure Windows Hello for Business, use the Administrative Template policie
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on convenience PIN sign-in*
- GP name: *AllowDomainPINLogon*
- GP path: *System/Logon*
- GP ADMX file name: *credentialproviders.admx*
-
-
+
+
+
-
+
+
**CredentialProviders/BlockPicturePassword**
-
+
Home
@@ -120,8 +124,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -129,17 +133,17 @@ ADMX Info:
-
-
+
+
This policy setting allows you to control whether a domain user can sign in using a picture password.
-If you enable this policy setting, a domain user can't set up or sign in with a picture password.
+If you enable this policy setting, a domain user can't set up or sign in with a picture password.
If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
Note that the user's domain password will be cached in the system vault when using this feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -147,20 +151,22 @@ Note that the user's domain password will be cached in the system vault when usi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off picture password sign-in*
- GP name: *BlockDomainPicturePassword*
- GP path: *System/Logon*
- GP ADMX file name: *credentialproviders.admx*
-
-
+
+
+
-
+
+
**CredentialProviders/DisableAutomaticReDeploymentCredentials**
-
+
Home
@@ -182,8 +188,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -191,13 +197,13 @@ ADMX Info:
-
-
+
+
Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
-
+
The following list shows the supported values:
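Review bot: the context paragraph for DisableAutomaticReDeploymentCredentials still contains "the devices are for ready for use" (extra "for") and "allows admin to reset devices" (missing article). Both are worth fixing in this pass since the section is already being re-wrapped.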
@@ -205,7 +211,7 @@ The following list shows the supported values:
- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
-
+
Footnote:
@@ -214,7 +220,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## CredentialProviders policies supported by IoT Core
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 6a2a7950a3..ec0f9a0c5e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - CredentialsUI
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## CredentialsUI policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -63,8 +65,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
@@ -75,7 +77,7 @@ By default, the password reveal button is displayed after a user types a passwor
The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -83,20 +85,22 @@ The policy applies to all Windows components and applications that use the Windo
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not display the password reveal button*
- GP name: *DisablePasswordReveal*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
-
-
+
+
+
-
+
+
**CredentialsUI/EnumerateAdministrators**
-
+
Home
@@ -118,8 +122,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -127,15 +131,15 @@ ADMX Info:
-
-
+
+
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
If you disable this policy setting, users will always be required to type a user name and password to elevate.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -143,15 +147,15 @@ If you disable this policy setting, users will always be required to type a user
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enumerate administrator accounts on elevation*
- GP name: *EnumerateAdministrators*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
-
-
+
+
Footnote:
@@ -160,5 +164,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index e65cf59e9f..b2360eb40b 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Cryptography
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Cryptography policies
Allows or disallows the Federal Information Processing Standard (FIPS) policy.
+
+
+Allows or disallows the Federal Information Processing Standard (FIPS) policy.
-
The following list shows the supported values:
+
+
+GP Info:
+- GP English name: *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+The following list shows the supported values:
- 0 (default) – Not allowed.
- 1– Allowed.
-
-
+
+
+
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
+
+
+Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
-
-
+
+
Footnote:
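Review bot: The re-added cipher-list description ("Format is a semicolon delimited list. Last write win.") gets no supported-values or GP Info block, unlike the FIPS policy earlier in the same hunk, and gives no example of a valid entry. Add a sample value, or a pointer to where valid names are listed, and correct "Last write win" to "Last write wins". In the FIPS list, "- 1– Allowed." is missing the space that "- 0 (default) – Not allowed." has.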
@@ -122,7 +134,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Cryptography policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 5a2461e9cb..1563402e93 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - DataProtection
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## DataProtection policies
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
+
+
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
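Review bot: In the DMA description being re-added, "the host plug PCI ports" looks like a typo for "hot plug PCI ports", the term used in the sentences before and after it, and "children devices" should be "child devices". The line is being rewritten anyway, so fix both here. The closing condition ("only enforced when BitLocker or device encryption is enabled") is easy to miss at the end of a long paragraph; a note callout would make it harder to overlook.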
@@ -76,12 +78,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -103,8 +107,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -112,19 +116,19 @@ The following list shows the supported values:
-
-
+
+
> [!IMPORTANT]
> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
-
Setting used by Windows 8.1 Selective Wipe.
+Setting used by Windows 8.1 Selective Wipe.
> [!NOTE]
> This policy is not recommended for use in Windows 10.
-
-
+
+
Footnote:
@@ -133,7 +137,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## DataProtection policies supported by IoT Core
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index b9d3a22ccc..2aa9b34cd0 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - DataUsage
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## DataUsage policies
@@ -27,11 +27,13 @@ ms.date: 11/01/2017
+
-
+
+
**DataUsage/SetCost3G**
-
+
Home
@@ -53,8 +55,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -62,21 +64,21 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting configures the cost of 3G connections on the local machine.
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
-- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
-- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -84,20 +86,22 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set 3G Cost*
- GP name: *SetCost3G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
-
-
+
+
+
-
+
+
**DataUsage/SetCost4G**
-
+
Home
@@ -119,8 +123,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -128,21 +132,21 @@ ADMX Info:
-
-
-This policy setting configures the cost of 4G connections on the local machine.
+
+
+This policy setting configures the cost of 4G connections on the local machine.
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
-- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
-- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -150,15 +154,15 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set 4G Cost*
- GP name: *SetCost4G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
-
-
+
+
Footnote:
@@ -167,5 +171,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index c261f2807f..74091500ca 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Defender
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Defender policies
@@ -126,11 +126,13 @@ ms.date: 11/01/2017
+
-
+
+
**Defender/AllowArchiveScanning**
-
+
Home
@@ -152,8 +154,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -161,26 +163,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows scanning of archives.
+Allows or disallows scanning of archives.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Scan archive files*
+- GP name: *Scan_DisableArchiveScanning*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowBehaviorMonitoring**
-
+
Home
@@ -202,8 +216,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -211,26 +225,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender Behavior Monitoring functionality.
+Allows or disallows Windows Defender Behavior Monitoring functionality.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Turn on behavior monitoring*
+- GP name: *RealtimeProtection_DisableBehaviorMonitoring*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowCloudProtection**
-
+
Home
@@ -252,8 +278,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -261,26 +287,39 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
+To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Join Microsoft MAPS*
+- GP name: *SpynetReporting*
+- GP element: *SpynetReporting*
+- GP path: *Windows Components/Windows Defender Antivirus/MAPS*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowEmailScanning**
-
+
Home
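Review bot: The re-added description ("To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds...") never states what the policy controls, so "0 – Not allowed" and "1 (default) – Allowed" have no stated subject. Lead with a sentence in the style of the sibling policies ("Allows or disallows ..."), tie it to the "Join Microsoft MAPS" GP name added in this hunk, and keep the current text as the rationale.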
@@ -302,8 +341,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -311,26 +350,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows scanning of email.
+Allows or disallows scanning of email.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Turn on e-mail scanning*
+- GP name: *Scan_DisableEmailScanning*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Not allowed.
- 1 – Allowed.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -361,26 +412,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows a full scan of mapped network drives.
+Allows or disallows a full scan of mapped network drives.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Run full scan on mapped network drives*
+- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Not allowed.
- 1 – Allowed.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -411,26 +474,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows a full scan of removable drives.
+Allows or disallows a full scan of removable drives.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Scan removable drives*
+- GP name: *Scan_DisableRemovableDriveScanning*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowIOAVProtection**
-
+
Home
@@ -452,8 +527,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -461,26 +536,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender IOAVP Protection functionality.
+Allows or disallows Windows Defender IOAVP Protection functionality.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Scan all downloaded files and attachments*
+- GP name: *RealtimeProtection_DisableIOAVProtection*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
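Review bot: "IOAVP Protection" in the re-added description does not match the policy name (Defender/AllowIOAVProtection) or the GP name added below it (RealtimeProtection_DisableIOAVProtection). Use "IOAV Protection", and since the acronym is never expanded, reuse the GP English name ("Scan all downloaded files and attachments") to say what the feature does.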
@@ -511,26 +598,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender Intrusion Prevention functionality.
+Allows or disallows Windows Defender Intrusion Prevention functionality.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowOnAccessProtection**
-
+
Home
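Review bot: No ADMX Info block is added for the Intrusion Prevention policy in this hunk, although the neighbouring Defender hunks each gain one. If the policy has no Group Policy equivalent, say so in the description so readers do not assume an omission; otherwise add the mapping. The Defender/AllowScriptScanning hunk further down has the same gap.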
@@ -552,8 +643,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -561,26 +652,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender On Access Protection functionality.
+Allows or disallows Windows Defender On Access Protection functionality.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Monitor file and program activity on your computer*
+- GP name: *RealtimeProtection_DisableOnAccessProtection*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowRealtimeMonitoring**
-
+
Home
@@ -602,8 +705,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -611,26 +714,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender Realtime Monitoring functionality.
+Allows or disallows Windows Defender Realtime Monitoring functionality.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Turn off real-time protection*
+- GP name: *DisableRealtimeMonitoring*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowScanningNetworkFiles**
-
+
Home
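Review bot: The ADMX Info added here maps an Allow-style policy ("1 (default) – Allowed") to a GP whose English name is "Turn off real-time protection" and whose GP name is DisableRealtimeMonitoring, so the two settings read with opposite polarity and the page never says so. Add one sentence stating which CSP value corresponds to the GP's Enabled state. The same applies to the other Defender hunks in this patch that map to Scan_Disable* and RealtimeProtection_Disable* names.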
@@ -652,8 +767,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -661,26 +776,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows a scanning of network files.
+Allows or disallows a scanning of network files.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Scan network files*
+- GP name: *Scan_DisableScanningNetworkFiles*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowScriptScanning**
-
+
Home
@@ -702,8 +829,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -711,26 +838,30 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows Windows Defender Script Scanning functionality.
+Allows or disallows Windows Defender Script Scanning functionality.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Defender/AllowUserUIAccess**
-
+
Home
@@ -752,8 +883,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -761,26 +892,38 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
+Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Enable headless UI mode*
+- GP name: *UX_Configuration_UILockdown*
+- GP path: *Windows Components/Windows Defender Antivirus/Client Interface*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
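Review bot: The side effect in the re-added description, "If disallowed, all Windows Defender notifications will also be suppressed", deserves its own note callout: setting this policy to 0 hides detections from the user as well as the UI. The added GP English name "Enable headless UI mode" is the only place "headless" appears, so link the term to the description in one sentence.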
@@ -811,23 +954,34 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe"..
+Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe"..
-
Value type is string.
+Value type is string.
+
+
+
+ADMX Info:
+- GP English name: *Exclude files and paths from Attack Surface Reduction Rules*
+- GP name: *ExploitGuard_ASR_ASROnlyExclusions*
+- GP element: *ExploitGuard_ASR_ASROnlyExclusions*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
-
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
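Review bot: The re-added exclusions description defines only the name half of the "name value pair" (a path or fully qualified resource name) and never says what the value must be; state it. The example "c:\Windows", described as excluding all files in this directory, is a very broad exclusion to show for a setting that stops Attack Surface Reduction rules from matching, so a narrower sample path would be safer for admins to copy. The sentence also ends with a doubled period after "C:\Windows\App.exe".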
@@ -858,25 +1012,36 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
+Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
-
For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
+For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
-
Value type is string.
+Value type is string.
+
+
+
+ADMX Info:
+- GP English name: *Configure Attack Surface Reduction rules*
+- GP name: *ExploitGuard_ASR_Rules*
+- GP element: *ExploitGuard_ASR_Rules*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
-
-
-
+
+
**Defender/AvgCPULoadFactor**
-
+
Home
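Review bot: "Value type is string" together with "Each entry must be listed as a name value pair" does not tell an MDM admin how to write the string: the separator between rule ID and status ID, and between entries, is not given, and the status IDs for Block/Audit/Off are only reachable through the link. State the string format and the status IDs inline. The description also repeats "(Block/Audit/Off)" in two consecutive sentences; one can go.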
@@ -898,8 +1063,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -907,25 +1072,39 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Represents the average CPU load factor for the Windows Defender scan (in percent).
+Represents the average CPU load factor for the Windows Defender scan (in percent).
-
Valid values: 0–100
-
The default value is 50.
+The default value is 50.
+
+
+
+ADMX Info:
+- GP English name: *Specify the maximum percentage of CPU utilization during a scan*
+- GP name: *Scan_AvgCPULoadFactor*
+- GP element: *Scan_AvgCPULoadFactor*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+Valid values: 0–100
+
+
+
-
-
-
+
+
**Defender/CloudBlockLevel**
-
+
Home
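Review bot: After this change "The default value is 50." stays in the description while "Valid values: 0–100" moves below the ADMX Info block, so the range and its default end up separated. Keep them together, either both in the description or both in the supported-values section. The description calls the value an "average CPU load factor" while the GP English name added here says "maximum percentage of CPU utilization"; say which of the two the setting enforces.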
@@ -947,8 +1126,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -956,22 +1135,31 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
+Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
-
If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
+If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
-
For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
+For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
> [!Note]
> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
-
+
+
+ADMX Info:
+- GP English name: *Select cloud protection level*
+- GP name: *MpEngine_MpCloudBlockLevel*
+- GP element: *MpCloudBlockLevel*
+- GP path: *Windows Components/Windows Defender Antivirus/MpEngine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
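Review bot: The re-added description says "If this setting is on", but the same hunk gives the value type as integer and the supported values are blocking levels (the following hunk shows "0x6 - Zero tolerance blocking level"), so the policy has no on/off state. Reword it in terms of higher and lower levels. "see the Windows Defender Antivirus documentation site" carries no link, and the callout is written [!Note] where the rest of the file uses [!NOTE].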
@@ -981,12 +1169,14 @@ The following list shows the supported values:
- 0x6 - Zero tolerance blocking level – block all unknown executables
-
+
+
-
+
+
**Defender/CloudExtendedTimeout**
-
+
Home
@@ -1008,8 +1198,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1017,27 +1207,38 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
+Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
-
The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
+The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
-
For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
+For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
> [!Note]
> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
-
-
+
+
+ADMX Info:
+- GP English name: *Configure extended cloud check*
+- GP name: *MpEngine_MpBafsExtendedTimeout*
+- GP element: *MpBafsExtendedTimeout*
+- GP path: *Windows Components/Windows Defender Antivirus/MpEngine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
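Review bot: The first sentence of the re-added description puts "up to 60 seconds" and "range is 0 - 50" side by side, and the relationship (a 10 second typical timeout plus up to 50 additional seconds) only becomes clear two paragraphs later. Say "up to 50 additional seconds, 60 in total" in the first sentence. In the unchanged note, "the must all be enabled-" should read "that must all be enabled:", and the quote opened before "Configure the 'Block at First Sight' feature" is never closed.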
@@ -1059,8 +1260,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1068,20 +1269,31 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+
+
+
+ADMX Info:
+- GP English name: *Configure allowed applications*
+- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
+- GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
-
-
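Review bot: The re-added description line says the setting "allows user-specified applications to the guard my folders feature", which is missing a verb (presumably "allows adding") and still uses the old "guard my folders" name, while the note directly above records the rename to ControlledFolderAccessAllowedApplications and the new GP path says "Controlled Folder Access". Suggest using the Controlled folder access name throughout the description so it matches the ADMX Info added in this hunk.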
@@ -1103,8 +1315,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1112,20 +1324,31 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-
Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+
+
+
+ADMX Info:
+- GP English name: *Configure protected folders*
+- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
+- GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
-
-
-
+
+
**Defender/DaysToRetainCleanedMalware**
-
+
Home
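Review bot: The description line carried over as an added line begins "This policy settings allows" and later says "can not be changed"; both should be corrected while the line is being touched ("This policy setting allows", "cannot"). It would also help to state whether an empty string clears the user-specified folder list, since the value is a |-separated string and no supported-values section is added for it.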
@@ -1147,8 +1370,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1156,25 +1379,39 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Time period (in days) that quarantine items will be stored on the system.
+Time period (in days) that quarantine items will be stored on the system.
-
Valid values: 0–90
-
The default value is 0, which keeps items in quarantine, and does not automatically remove them.
+The default value is 0, which keeps items in quarantine, and does not automatically remove them.
+
+
+
+ADMX Info:
+- GP English name: *Configure removal of items from Quarantine folder*
+- GP name: *Quarantine_PurgeItemsAfterDelay*
+- GP element: *Quarantine_PurgeItemsAfterDelay*
+- GP path: *Windows Components/Windows Defender Antivirus/Quarantine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+Valid values: 0–90
+
+
+
-
-
@@ -1196,8 +1433,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1205,14 +1442,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
-
Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
+Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
-
+
+
+ADMX Info:
+- GP English name: *Configure Controlled folder access*
+- GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
+- GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -1221,12 +1467,14 @@ The following list shows the supported values:
- 2 - Audit Mode
-
+
+
-
+
+
**Defender/EnableNetworkProtection**
-
+
Home
@@ -1248,8 +1496,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1257,32 +1505,45 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
+Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
-
If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
-
If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
-
If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.
-
If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center.
-
If you do not configure this policy, network blocking will be disabled by default.
+If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
+If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
+If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.
+If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center.
+If you do not configure this policy, network blocking will be disabled by default.
-
Valid values:
+
+
+ADMX Info:
+- GP English name: *Prevent users and apps from accessing dangerous websites*
+- GP name: *ExploitGuard_EnableNetworkProtection*
+- GP element: *ExploitGuard_EnableNetworkProtection*
+- GP path: *Windows Components/Windows Defender Antivirus/Windows Defender Exploit Guard/Network Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) - Disabled
- 1 - Enabled (block mode)
- 2 - Enabled (audit mode)
-
-
+
+
+
-
+
+
**Defender/ExcludedExtensions**
-
+
Home
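Review bot: The five added "If you enable / disable / do not configure this policy" lines are now consecutive with no blank line between them, so Markdown will render them as a single paragraph; keep a blank line between each. The same lines also carry doubled quotes (""Block"", ""Audit""), which look like CSV-escaping residue and should be plain "Block" and "Audit". Block versus Audit is the security-relevant choice here, so the rendered text needs to keep the two cases visually distinct.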
@@ -1304,8 +1565,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1313,21 +1574,32 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
+Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
+
+
+
+ADMX Info:
+- GP English name: *Path Exclusions*
+- GP name: *Exclusions_Paths*
+- GP element: *Exclusions_PathsList*
+- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
-
-
-
+
+
**Defender/ExcludedPaths**
-
+
Home
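Review bot: The ADMX Info added under the extension-exclusion description ("list of file type extensions to ignore during a scan") names the Path Exclusions policy: GP English name *Path Exclusions*, GP name *Exclusions_Paths*, element *Exclusions_PathsList*. That looks swapped with the block added for Defender/ExcludedPaths. An admin who maps the CSP policy to Group Policy from this table would end up auditing or configuring the wrong exclusion list, so this should be *Extension Exclusions* / *Exclusions_Extensions* / *Exclusions_ExtensionsList*.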
@@ -1349,8 +1621,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1358,21 +1630,32 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
+Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
+
+
+
+ADMX Info:
+- GP English name: *Extension Exclusions*
+- GP name: *Exclusions_Extensions*
+- GP element: *Exclusions_ExtensionsList*
+- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
-
-
-
+
+
**Defender/ExcludedProcesses**
-
+
Home
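Review bot: This is the other half of the swap: the description is about "directory paths to ignore during a scan", but the added ADMX Info lists *Extension Exclusions*, *Exclusions_Extensions* and *Exclusions_ExtensionsList*. It should reference *Path Exclusions* / *Exclusions_Paths* / *Exclusions_PathsList*. Scan exclusions are a common place for misconfiguration to hide, so the CSP-to-GP mapping needs to be exact.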
@@ -1394,8 +1677,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1403,27 +1686,38 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows an administrator to specify a list of files opened by processes to ignore during a scan.
+Allows an administrator to specify a list of files opened by processes to ignore during a scan.
> [!IMPORTANT]
> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path.
-
Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
+Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
+
+
+
+ADMX Info:
+- GP English name: *Process Exclusions*
+- GP name: *Exclusions_Processes*
+- GP element: *Exclusions_ProcessesList*
+- GP path: *Windows Components/Windows Defender Antivirus/Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
-
-
-
+
+
**Defender/PUAProtection**
-
+
Home
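Review bot: The added line "Each file type must be separated by a **|**" appears to be copied from the extensions policy; the example that follows ("C:\\Example.exe|C:\\Example1.exe") lists process image paths, not file types. Suggest "Each process path must be separated by a |". The [!IMPORTANT] note in this hunk is the part readers most need to get right (files opened by the process are excluded, the process itself is not), so the wording around it should not blur what the list contains.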
@@ -1445,8 +1739,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1454,27 +1748,31 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
+Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
-
-
+
+
+
-
+
+
**Defender/RealTimeScanDirection**
-
+
Home
@@ -1496,8 +1794,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1505,31 +1803,43 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Controls which sets of files should be monitored.
+Controls which sets of files should be monitored.
> [!NOTE]
> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files.
+
+
+ADMX Info:
+- GP English name: *Configure monitoring for incoming and outgoing file and program activity*
+- GP name: *RealtimeProtection_RealtimeScanDirection*
+- GP element: *RealtimeProtection_RealtimeScanDirection*
+- GP path: *Windows Components/Windows Defender Antivirus/Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Monitor all files (bi-directional).
- 1 – Monitor incoming files.
- 2 – Monitor outgoing files.
-
-
+
+
+
-
+
+
**Defender/ScanParameter**
-
+
Home
@@ -1551,8 +1861,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1560,26 +1870,39 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Selects whether to perform a quick scan or full scan.
+Selects whether to perform a quick scan or full scan.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Specify the scan type to use for a scheduled scan*
+- GP name: *Scan_ScanParameters*
+- GP element: *Scan_ScanParameters*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 1 (default) – Quick scan
- 2 – Full scan
-
-
+
+
+
-
+
+
**Defender/ScheduleQuickScanTime**
-
+
Home
@@ -1601,8 +1924,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1610,31 +1933,45 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Selects the time of day that the Windows Defender quick scan should run.
+Selects the time of day that the Windows Defender quick scan should run.
> [!NOTE]
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
Valid values: 0–1380
-
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
+For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
-
The default value is 120
+The default value is 120
+
+
+
+ADMX Info:
+- GP English name: *Specify the time for a daily quick scan*
+- GP name: *Scan_ScheduleQuickScantime*
+- GP element: *Scan_ScheduleQuickScantime*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+Valid values: 0–1380
+
+
+
-
-
-
+
+
**Defender/ScheduleScanDay**
-
+
Home
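Review bot: In the added example line, "a value of 120=2:00" is missing its AM suffix while the neighbouring values (12:00AM, 1:00AM, 11:00PM) have one, and the added "The default value is 120" has no trailing period. This hunk also moves "Valid values: 0–1380" below the ADMX Info block, so the range now appears after the example and default that depend on it; consider keeping the range directly above the example, or stating the unit (minutes after midnight) in the description line.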
@@ -1656,8 +1993,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1665,19 +2002,29 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Selects the day that the Windows Defender scan should run.
+Selects the day that the Windows Defender scan should run.
> [!NOTE]
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
+
+
+ADMX Info:
+- GP English name: *Specify the day of the week to run a scheduled scan*
+- GP name: *Scan_ScheduleDay*
+- GP element: *Scan_ScheduleDay*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Every day
- 1 – Monday
@@ -1689,13 +2036,15 @@ The following list shows the supported values:
- 7 – Sunday
- 8 – No scheduled scan
-
-
+
+
+
-
+
+
**Defender/ScheduleScanTime**
-
+
Home
@@ -1717,8 +2066,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1726,31 +2075,45 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Selects the time of day that the Windows Defender scan should run.
+Selects the time of day that the Windows Defender scan should run.
> [!NOTE]
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
Valid values: 0–1380.
-
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
+For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
-
The default value is 120.
+The default value is 120.
+
+
+
+ADMX Info:
+- GP English name: *Specify the time of day to run a scheduled scan*
+- GP name: *Scan_ScheduleTime*
+- GP element: *Scan_ScheduleTime*
+- GP path: *Windows Components/Windows Defender Antivirus/Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+Valid values: 0–1380.
+
+
+
-
-
-
+
+
**Defender/SignatureUpdateInterval**
-
+
Home
@@ -1772,8 +2135,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1781,27 +2144,41 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval.
+Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval.
-
Valid values: 0–24.
-
A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.
+A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.
-
The default value is 8.
+The default value is 8.
+
+
+
+ADMX Info:
+- GP English name: *Specify the interval to check for definition updates*
+- GP name: *SignatureUpdate_SignatureUpdateInterval*
+- GP element: *SignatureUpdate_SignatureUpdateInterval*
+- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+Valid values: 0–24.
+
+
+
-
-
-
+
+
**Defender/SubmitSamplesConsent**
-
+
Home
@@ -1823,8 +2200,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1832,28 +2209,41 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
+Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Send file samples when further analysis is required*
+- GP name: *SubmitSamplesConsent*
+- GP element: *SubmitSamplesConsent*
+- GP path: *Windows Components/Windows Defender Antivirus/MAPS*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+The following list shows the supported values:
- 0 – Always prompt.
- 1 (default) – Send safe samples automatically.
- 2 – Never send.
- 3 – Send all samples automatically.
-
-
+
+
+
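Review bot: The description re-added here is hard to follow and may be logically inverted: "Windows Defender submits them" has no antecedent (samples are only named in the value list), and "If not, (and if the user has specified never to ask), the UI is launched to ask for user consent" says the prompt is shown when the user asked never to be prompted. Please confirm the intended behaviour and reword; this text decides whether file samples leave the device, and value 3 ("Send all samples automatically") deserves an explicit mention of what it sends compared with value 1.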
@@ -1875,8 +2265,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1884,24 +2274,24 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
+Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
-
This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3
+This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3
-
The following list shows the supported values for threat severity levels:
+The following list shows the supported values for threat severity levels:
- 1 – Low severity threats
- 2 – Moderate severity threats
- 4 – High severity threats
- 5 – Severe threats
-
The following list shows the supported values for possible actions:
+The following list shows the supported values for possible actions:
- 1 – Clean
- 2 – Quarantine
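Review bot: The added format line has two defects: "separated by a**|**" is missing the space before the bold pipe, and the example `"1=6|2=2|4=10|5=3` is never closed with a quote or a period. Because administrators copy this string verbatim, finish it as "1=6|2=2|4=10|5=3". and check that every action ID used in the example (6, 2, 10, 3) appears in the list of supported actions that follows.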
@@ -1910,8 +2300,17 @@ The following list shows the supported values:
- 8 – User defined
- 10 – Block
-
-
+
+
+ADMX Info:
+- GP English name: *Specify threat alert levels at which default action should not be taken when detected*
+- GP name: *Threats_ThreatSeverityDefaultAction*
+- GP element: *Threats_ThreatSeverityDefaultActionList*
+- GP path: *Windows Components/Windows Defender Antivirus/Threats*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
Footnote:
@@ -1920,7 +2319,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Defender policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index c369584fc8..2dda85153c 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 03/05/2018
---
# Policy CSP - DeliveryOptimization
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## DeliveryOptimization policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -130,23 +132,34 @@ ms.date: 01/03/2018
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
+Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
-
The default value is 10.
+The default value is 10.
+
+
+
+ADMX Info:
+- GP English name: *Absolute Max Cache Size (in GB)*
+- GP name: *AbsoluteMaxCacheSize*
+- GP element: *AbsoluteMaxCacheSize*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -177,15 +190,24 @@ ms.date: 01/03/2018
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
-
+
+
+ADMX Info:
+- GP English name: *Enable Peer Caching while the device connects via VPN*
+- GP name: *AllowVPNPeerCaching*
+- GP element: *AllowVPNPeerCaching*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values:
@@ -193,12 +215,14 @@ The following list shows the supported values:
- 1 - Allowed.
-
+
+
@@ -220,8 +244,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -229,28 +253,30 @@ The following list shows the supported values:
-
-
-Added in Windows 10, next major update. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
+
+
+Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600).
-
-
+
+
+ADMX Info:
+- GP English name: *Delay background download from http (in secs)*
+- GP name: *DelayBackgroundDownloadFromHttp*
+- GP element: *DelayBackgroundDownloadFromHttp*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
-
-
+
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DODelayForegroundDownloadFromHttp**
-
+
Home
@@ -272,8 +298,8 @@ After the max delay is reached, the download will resume using HTTP, either down
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -281,9 +307,9 @@ After the max delay is reached, the download will resume using HTTP, either down
-
-
-Added in Windows 10, next major update. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
+
+
+Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers.
@@ -291,26 +317,32 @@ Note that a download that is waiting for peer sources, will appear to be stuck f
The recommended value is 1 minute (60).
-
+
+
+ADMX Info:
+- GP English name: *Delay Foreground download from http (in secs)*
+- GP name: *DelayForegroundDownloadFromHttp*
+- GP element: *DelayForegroundDownloadFromHttp*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values as number of seconds:
- 0 to 86400 (1 day)
- 0 - managed by the cloud service
- Default is not configured.
+
-
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DODownloadMode**
-
+
Home
@@ -332,8 +364,8 @@ The following list shows the supported values as number of seconds:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -341,15 +373,24 @@ The following list shows the supported values as number of seconds:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
+Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
-
+
+
+ADMX Info:
+- GP English name: *Download Mode*
+- GP name: *DownloadMode*
+- GP element: *DownloadMode*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values:
@@ -361,12 +402,14 @@ The following list shows the supported values:
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
-
+
+
-
+
+
**DeliveryOptimization/DOGroupId**
-
+
Home
@@ -388,8 +431,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -397,24 +440,35 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
+This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
> [!NOTE]
> You must use a GUID as the group ID.
-
-
+
+
+ADMX Info:
+- GP English name: *Group ID*
+- GP name: *GroupId*
+- GP element: *GroupId*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
+
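Review bot: the DOGroupId description is removed and re-added with identical wording, so the clause "should not be relied on for an authentication of identity" goes through this change uncorrected. Since the line is being rewritten anyway, tighten it to something like "This is a best-effort optimization and must not be relied on to authenticate a device's identity", and lowercase "Policy" in "This Policy specifies". The point matters to readers: the group ID only scopes peer selection and is not an access control.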
@@ -436,8 +490,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -445,9 +499,9 @@ The following list shows the supported values:
-
-
-Added in Windows 10, next major update. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix
+
+
+Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Options available are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix
When set, the Group ID will be assigned automatically from the selected source.
@@ -457,7 +511,16 @@ The options set in this policy only apply to Group (2) download mode. If Group (
For option 4 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
-
+
+
+ADMX Info:
+- GP English name: *Select the source of Group IDs*
+- GP name: *GroupIdSource*
+- GP element: *GroupIdSource*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values:
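Review bot: the unchanged context line "For option 4 - DHCP Option ID, the client will query DHCP Option ID 234" contradicts the option list in the description above ("3 = DHCP Option ID, 4 = DNS Suffix") and the supported values list that follows ("3 - DHCP user option", "4 - DNS suffix"). The change adds the ADMX block right below that line, so it should also correct the option number to 3 and settle on one name for the option ("DHCP Option ID" or "DHCP user option").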
@@ -465,19 +528,16 @@ The following list shows the supported values:
- 2 - Authenticated domain SID
- 3 - DHCP user option
- 4 - DNS suffix
+
-
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DOMaxCacheAge**
-
+
Home
@@ -499,8 +559,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -508,23 +568,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
-
The default value is 259200 seconds (3 days).
+The default value is 259200 seconds (3 days).
+
+
+
+ADMX Info:
+- GP English name: *Max Cache Age (in seconds)*
+- GP name: *MaxCacheAge*
+- GP element: *MaxCacheAge*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
-
+
+
**DeliveryOptimization/DOMaxCacheSize**
-
+
Home
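Review bot: the DOMaxCacheAge description is re-added unchanged and still ends "as long as the cache size has not exceeded", which leaves the clause incomplete. Suggest "as long as the maximum cache size has not been exceeded". While the line is open, note that 0 disables age-based expiry, so DOMaxCacheSize becomes the only bound on how long content stays available for upload to peers.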
@@ -546,8 +617,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -555,23 +626,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
+Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
-
The default value is 20.
+The default value is 20.
+
+
+
+ADMX Info:
+- GP English name: *Max Cache Size (percentage)*
+- GP name: *MaxCacheSize*
+- GP element: *MaxCacheSize*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
@@ -593,8 +675,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -602,23 +684,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
+Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
-
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+
+
+ADMX Info:
+- GP English name: *Maximum Download Bandwidth (in KB/s)*
+- GP name: *MaxDownloadBandwidth*
+- GP element: *MaxDownloadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
@@ -640,8 +733,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -649,23 +742,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
+Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
-
The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
+The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
+
+
+
+ADMX Info:
+- GP English name: *Max Upload Bandwidth (in KB/s)*
+- GP name: *MaxUploadBandwidth*
+- GP element: *MaxUploadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
@@ -687,8 +791,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -696,23 +800,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
+Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
-
The default value is 500.
+The default value is 500.
+
+
+
+ADMX Info:
+- GP English name: *Minimum Background QoS (in KB/s)*
+- GP name: *MinBackgroundQos*
+- GP element: *MinBackgroundQos*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
@@ -734,8 +849,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -743,22 +858,33 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
+Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
-
The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
+The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
+
+
+
+ADMX Info:
+- GP English name: *Allow uploads while the device is on battery while under set Battery level (percentage)*
+- GP name: *MinBatteryPercentageAllowedToUpload*
+- GP element: *MinBatteryPercentageAllowedToUpload*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
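Review bot: in the DOMinBatteryPercentageAllowedToUpload description, "Specifies any value between 1 and 100" is followed by "The default value is 0", so the stated range excludes the default. The lines are re-added verbatim; suggest stating the accepted values as 0 (use the cloud service default) or 1 to 100, and adding a supported-values list under the new ADMX Info block as the other policies in this file have.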
@@ -780,8 +906,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -789,26 +915,37 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB.
+Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB.
> [!NOTE]
> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
-
The default value is 32 GB.
+The default value is 32 GB.
+
+
+
+ADMX Info:
+- GP English name: *Minimum disk size allowed to use Peer Caching (in GB)*
+- GP name: *MinDiskSizeAllowedToPeer*
+- GP element: *MinDiskSizeAllowedToPeer*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
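Review bot: the note kept as context in this hunk reads "If the DOMofidyCacheDrive policy is set", which misspells the policy that the ADMX block later in this file names ModifyCacheDrive. Fix it to DOModifyCacheDrive in this change, since the lines around it are being rewritten. Also worth a sentence: the default of 32 GB is below the "Recommended values: 64 GB to 256 GB" range stated two lines earlier.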
@@ -830,8 +967,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -839,23 +976,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB.
+Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB.
-
The default value is 100 MB.
+The default value is 100 MB.
+
+
+
+ADMX Info:
+- GP English name: *Minimum Peer Caching Content File Size (in MB)*
+- GP name: *MinFileSizeToCache*
+- GP element: *MinFileSizeToCache*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
@@ -877,8 +1025,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -886,23 +1034,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
+Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
-
The default value is 4 GB.
+The default value is 4 GB.
+
+
+
+ADMX Info:
+- GP English name: *Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)*
+- GP name: *MinRAMAllowedToPeer*
+- GP element: *MinRAMAllowedToPeer*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
@@ -924,8 +1083,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -933,23 +1092,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
+Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
-
By default, %SystemDrive% is used to store the cache.
+By default, %SystemDrive% is used to store the cache.
+
+
+
+ADMX Info:
+- GP English name: *Modify Cache Drive*
+- GP name: *ModifyCacheDrive*
+- GP element: *ModifyCacheDrive*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
@@ -971,8 +1141,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -980,25 +1150,36 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
+Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
-
The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
+The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
-
The default value is 20.
+The default value is 20.
+
+
+
+ADMX Info:
+- GP English name: *Monthly Upload Data Cap (in GB)*
+- GP name: *MonthlyUploadDataCap*
+- GP element: *MonthlyUploadDataCap*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
@@ -1020,8 +1201,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1029,36 +1210,32 @@ The following list shows the supported values:
-
-
-Added in Windows 10, next major update. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
+
+
+Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
Note that downloads from LAN peers will not be throttled even when this policy is set.
-
-
-
-
+
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
-
-This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryoptimization-dopercentagemaxforedownloadbandwidth) and [DOPercentageMaxBackDownloadBandwidth](#deliveryoptimization-dopercentagemaxbackdownloadbandwidth) policies instead.
+
+This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth) and [DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth) policies instead.
+
+
+
-
-
-
-**DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth**
-
+
+**DeliveryOptimization/DOPercentageMaxForegroundBandwidth**
+
+
Home
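Review bot: renaming the heading from DOPercentageMaxForeDownloadBandwidth to DOPercentageMaxForegroundBandwidth changes its anchor, and this hunk only updates the two links in the deprecation notice. Check the policy index and any other page that still links to #deliveryoptimization-dopercentagemaxforedownloadbandwidth or #deliveryoptimization-dopercentagemaxbackdownloadbandwidth. Unlike the neighbouring policies, no ADMX Info block is added for the background or foreground percentage policies here; add one or say why it is absent.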
@@ -1080,8 +1257,8 @@ This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryo
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1089,27 +1266,21 @@ This policy is deprecated. Use [DOPercentageMaxForeDownloadBandwidth](#deliveryo
-
-
-Added in Windows 10, next major update. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
+
+
+Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
Note that downloads from LAN peers will not be throttled even when this policy is set.
-
-
-
-
+
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DORestrictPeerSelectionBy**
-
+
Home
@@ -1131,8 +1302,8 @@ Note that downloads from LAN peers will not be throttled even when this policy i
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1140,32 +1311,37 @@ Note that downloads from LAN peers will not be throttled even when this policy i
-
-
-Added in Windows 10, next major update. Set this policy to restrict peer selection via selected option.
+
+
+Added in Windows 10, version 1803. Set this policy to restrict peer selection via selected option.
Options available are: 1=Subnet mask (more options will be added in a future release).
Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2).
-
+
+
+ADMX Info:
+- GP English name: *Select a method to restrict Peer Selection*
+- GP name: *RestrictPeerSelectionBy*
+- GP element: *RestrictPeerSelectionBy*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
The following list shows the supported values:
- 1 - Subnet mask.
-
+
-
-
-
-
-
-
+
+
**DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth**
-
+
Home
@@ -1187,8 +1363,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1196,31 +1372,42 @@ The following list shows the supported values:
-
-
-Added in Windows 10, next major update. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
-
-Note that downloads from LAN peers will not be throttled even when this policy is set.
-
+
+
+Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+
+
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
-- % of throttle for foreground traffic during business hours
-- % of throttle for foreground traffic outside of business hours
+- % of throttle for background traffic during business hours
+- % of throttle for background traffic outside of business hours
+
-
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Business Hours to Limit Background Download Bandwidth*
+- GP name: *SetHoursToLimitBackgroundDownloadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
-
+
+
**DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth**
-
+
Home
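Review bot: this hunk drops "Note that downloads from LAN peers will not be throttled even when this policy is set." from DOSetHoursToLimitBackgroundDownloadBandwidth without explanation, while the percentage policies earlier in the file keep the same sentence; the same removal appears in the DOSetHoursToLimitForegroundDownloadBandwidth hunk. If LAN peer traffic is still exempt, restore the note, otherwise say so in the commit message. The bullet correction from "foreground" to "background" is right. In the added TIP, the blank "+" lines between the three "> " paragraphs are not quoted, so confirm the tip renders as one callout.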
@@ -1242,8 +1429,8 @@ This policy allows an IT Admin to define the following:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1251,26 +1438,35 @@ This policy allows an IT Admin to define the following:
-
-
-Added in Windows 10, next major update. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
-
-Note that downloads from LAN peers will not be throttled even when this policy is set.
-
+
+
+Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+
+
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for foreground traffic during business hours
- % of throttle for foreground traffic outside of business hours
+
-
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Business Hours to Limit Foreground Download Bandwidth*
+- GP name: *SetHoursToLimitForegroundDownloadBandwidth*
+- GP path: *Windows Components/Delivery Optimization*
+- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
Footnote:
@@ -1279,7 +1475,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## DeliveryOptimization policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 048304c12e..2957bd78f7 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Desktop
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Desktop policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -59,15 +61,15 @@ ms.date: 11/01/2017
-
-
+
+
Prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
If you enable this setting, users are unable to type a new location in the Target box.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -75,15 +77,15 @@ If you enable this setting, users are unable to type a new location in the Targe
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prohibit User from manually redirecting Profile Folders*
- GP name: *DisablePersonalDirChange*
- GP path: *Desktop*
- GP ADMX file name: *desktop.admx*
-
-
+
+
Footnote:
@@ -92,7 +94,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Desktop policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index 4023eee26c..a516cc7ab4 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - DeviceGuard
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## DeviceGuard policies
Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
+
+
+Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
-
+
+
+ADMX Info:
+- GP English name: *Turn On Virtualization Based Security*
+- GP name: *VirtualizationBasedSecurity*
+- GP path: *System/Device Guard*
+- GP ADMX file name: *DeviceGuard.admx*
+
+
The following list shows the supported values:
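Review bot: the re-added description keeps "virtualization based security(VBS)" with no space before the parenthesis and starts its second sentence with a lowercase "virtualization". Suggest "Turns on virtualization-based security (VBS) at the next reboot. Virtualization-based security uses the Windows Hypervisor ...", which also matches the hyphenated spelling used in the LsaCfgFlags description below.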
@@ -78,12 +87,14 @@ The following list shows the supported values:
- 1 - enable virtualization based security.
-
+
+
-
+
+
**DeviceGuard/LsaCfgFlags**
-
+
Home
@@ -105,8 +116,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -114,12 +125,20 @@ The following list shows the supported values:
-
-
-
-
Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
+
+
+Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
-
+
+
+ADMX Info:
+- GP English name: *Turn On Virtualization Based Security*
+- GP name: *VirtualizationBasedSecurity*
+- GP element: *CredentialIsolationDrop*
+- GP path: *System/Device Guard*
+- GP ADMX file name: *DeviceGuard.admx*
+
+
The following list shows the supported values:
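Review bot: the ADMX Info added for LsaCfgFlags carries the same GP English name and GP name as the virtualization based security policy above ("Turn On Virtualization Based Security", "VirtualizationBasedSecurity") and differs only in the GP element. The description should state whether that policy must also be enabled for Credential Guard to take effect. "This setting lets users turn on Credential Guard" also reads as if end users control it; "lets you turn on" would be more accurate for an MDM-set policy.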
@@ -128,12 +147,14 @@ The following list shows the supported values:
- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock.
-
+
+
@@ -155,8 +176,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -164,13 +185,20 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer.
-
-
-
+
+
+ADMX Info:
+- GP English name: *Turn On Virtualization Based Security*
+- GP name: *VirtualizationBasedSecurity*
+- GP element: *RequirePlatformSecurityFeaturesDrop*
+- GP path: *System/Device Guard*
+- GP ADMX file name: *DeviceGuard.admx*
+
+
The following list shows the supported values:
@@ -178,7 +206,7 @@ The following list shows the supported values:
- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
-
+
Footnote:
@@ -187,5 +215,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 7e7740810a..c8b4f6b9d9 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - DeviceInstallation
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## DeviceInstallation policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -62,15 +64,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -78,20 +80,22 @@ If you disable or do not configure this policy setting, devices can be installed
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
-
-
+
+
+
-
+
+
**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
-
+
Home
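Review bot: The note carried as context in this hunk tells admins to XML-encode the SyncML payload with "a variety of online encoders", which means pasting device-restriction policy into a third-party site. Since the same sentence already offers CDATA as an alternative, consider leading with CDATA or a local encoder and dropping the online-encoder suggestion. The CDATA link also still uses http://www.w3.org. The same sentence recurs in the other ADMX-backed sections of this patch.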
@@ -113,8 +117,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -122,15 +126,15 @@ ADMX Info:
-
-
+
+
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -138,15 +142,15 @@ If you disable or do not configure this policy setting, Windows can install and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
-
-
+
+
Footnote:
@@ -155,5 +159,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index b056313e5a..e418951b10 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/12/2018
+ms.date: 03/05/2018
---
# Policy CSP - DeviceLock
@@ -17,7 +17,7 @@ ms.date: 01/12/2018
-
+
## DeviceLock policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -109,18 +111,18 @@ ms.date: 01/12/2018
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether the user must input a PIN or password when the device resumes from an idle state.
+Specifies whether the user must input a PIN or password when the device resumes from an idle state.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
+
The following list shows the supported values:
@@ -128,12 +130,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
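Review bot: The value "1 (default) – Allowed." in this hunk is ambiguous next to the description in the previous hunk, which says the policy "Specifies whether the user must input a PIN or password when the device resumes from an idle state". A reader cannot tell whether "Allowed" means the prompt is shown or skipped. Suggest spelling out each value in terms of the prompt, for example that 1 means the user may resume without entering a PIN or password, if that is the intended meaning.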
@@ -155,8 +159,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -164,33 +168,38 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
+Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
> [!IMPORTANT]
> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
+
+
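Review bot: The IMPORTANT note kept in this hunk refers to **DeviceLock/ScreenTimeOutWhileLocked**, but the policy heading later in this file is **DeviceLock/ScreenTimeoutWhileLocked**. Please make the casing match the heading so the name can be searched for and copied into an OMA-URI. The reorder also puts the note about "1 (Allowed)" ahead of the list that defines the values, so consider keeping the supported values first.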
@@ -212,8 +221,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -221,28 +230,33 @@ The following list shows the supported values:
-
-
-
Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
+
+
+Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
-
-
@@ -264,8 +278,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -273,9 +287,9 @@ The following list shows the supported values:
-
-
-
Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
+
+
+Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
@@ -283,26 +297,29 @@ The following list shows the supported values:
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education).
-
The following list shows the supported values:
-
-- 0 – Alphanumeric PIN or password required.
-- 1 – Numeric PIN or password required.
-- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
> [!NOTE]
> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
>
> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
-
+
+
+The following list shows the supported values:
+
+- 0 – Alphanumeric PIN or password required.
+- 1 – Numeric PIN or password required.
+- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
+
+
+
-
-
-
+
+
**DeviceLock/DevicePasswordEnabled**
-
+
Home
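Review bot: The NOTE in this hunk says that with **AlphanumericDevicePasswordRequired** set to 1 or 2, "MinDevicePasswordLength = 0", but the MinDevicePasswordLength section in this same file documents the supported range as 4 <= X <= 16. Please state whether 0 here means "not enforced" or correct the number. After the move the NOTE also refers to values 0, 1 and 2 before the list that defines them.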
@@ -324,8 +341,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -333,9 +350,9 @@ The following list shows the supported values:
-
-
-
Specifies whether device lock is enabled.
+
+
+Specifies whether device lock is enabled.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
@@ -343,10 +360,6 @@ The following list shows the supported values:
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
The following list shows the supported values:
-
-- 0 (default) – Enabled
-- 1 – Disabled
> [!IMPORTANT]
> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
@@ -382,13 +395,22 @@ The following list shows the supported values:
> - MaxDevicePasswordFailedAttempts
> - MaxInactivityTimeDeviceLock
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – Enabled
+- 1 – Disabled
+
+
+
+
-
+
+
**DeviceLock/DevicePasswordExpiration**
-
+
Home
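Review bot: The supported values are re-added here after the long IMPORTANT block, so readers meet "must be set to 0 (device password is enabled)" well before they see "0 (default) – Enabled". Because 0 meaning enabled is the reverse of what most admins expect, it would be safer to state it in the description line itself ("Specifies whether device lock is enabled.") or to keep the list above the IMPORTANT block. The wording also differs across the file: "0 (required)", "0 (device password is enabled)" and "0 (default) – Enabled"; pick one.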
@@ -410,8 +432,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -419,30 +441,35 @@ The following list shows the supported values:
-
-
-
Specifies when the password expires (in days).
+
+
+Specifies when the password expires (in days).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
+
+If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- An integer X where 0 <= X <= 730.
- 0 (default) - Passwords do not expire.
-
If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
+
+
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
-
+
+
**DeviceLock/DevicePasswordHistory**
-
+
Home
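Review bot: After this reorder, the sentence "If all policy values = 0 then 0; otherwise, Min policy value is the most secure value." sits before the list that defines 0 as "Passwords do not expire", so it reads without context. Suggest keeping it after the supported values and rewording it to say what is being compared, since "then 0" is hard to parse on its own.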
@@ -464,8 +491,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -473,32 +500,37 @@ The following list shows the supported values:
-
-
-
Specifies how many passwords can be stored in the history that can’t be used.
+
+
+Specifies how many passwords can be stored in the history that can’t be used.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
+
+The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
+
+Max policy value is the most restricted.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- An integer X where 0 <= X <= 50.
- 0 (default)
-
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
+
+
-
Max policy value is the most restricted.
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
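Review bot: The bullet "0 (default)" in the supported values list has no description, so the default behaviour is undocumented. Please say what 0 does, for example whether no history is kept and reuse is unrestricted. The description line "how many passwords can be stored in the history that can’t be used" is also worth rephrasing while it is being re-added.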
@@ -520,8 +552,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -529,23 +561,25 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
+
+
+Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
> [!NOTE]
> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
-
Value type is a string, which is the full image filepath and filename.
+Value type is a string, which is the full image filepath and filename.
+
+
+
-
-
@@ -567,8 +601,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -576,23 +610,25 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
+
+
+Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
> [!NOTE]
> This policy is only enforced in Windows 10 for mobile devices.
-
Value type is a string, which is the AppID.
+Value type is a string, which is the AppID.
+
+
+
-
-
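Review bot: The re-added description line still reads "Users will not be able change this provider." and is missing "to". Since the line is being rewritten in this hunk anyway, fix it to "will not be able to change".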
@@ -614,8 +650,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -623,37 +659,42 @@ The following list shows the supported values:
-
-
+
+
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
This policy has different behaviors on the mobile device and desktop.
+This policy has different behaviors on the mobile device and desktop.
- On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
-
The following list shows the supported values:
+
+Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.
- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
-
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
+
+
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
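Review bot: The supported values in this hunk give the desktop range as 4 <= X <= 16, yet the next bullet lists "0 (default)" and the description says "A value of 0 disables device wipe functionality". Please state whether 0 is accepted on desktop. The moved sentence "Most secure value is 0 if all policy values = 0" also needs rewording, because 0 is documented here as "never wiped" and reads as the least restrictive setting.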
@@ -675,8 +716,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -684,28 +725,33 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
+
+
+Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+The following list shows the supported values:
- An integer X where 0 <= X <= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
-
-
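Review bot: The values bullet kept in this hunk reads "is interpreted by as "No timeout is defined."" and is missing a word after "by". The same bullet appears in the next hunk for the external-display policy. It is also worth noting in the description that the default of 0 means the device never locks on idle, since that is the security-relevant consequence of leaving the policy unset.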
@@ -727,8 +773,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -736,26 +782,29 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
+
+
+Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- An integer X where 0 <= X <= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-
-
+
+
+
@@ -777,8 +826,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -786,23 +835,23 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
+
+
+The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
PIN enforces the following behavior for desktop and mobile devices:
+PIN enforces the following behavior for desktop and mobile devices:
- 1 - Digits only
- 2 - Digits and lowercase letters are required
- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts.
- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop.
-
The default value is 1. The following list shows the supported values and actual enforced values:
+The default value is 1. The following list shows the supported values and actual enforced values:
@@ -843,7 +892,7 @@ The number of authentication failures allowed before the device will be wiped. A
-
Enforced values for Local and Microsoft Accounts:
+Enforced values for Local and Microsoft Accounts:
- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
- Passwords for local accounts must meet the following minimum requirements:
@@ -857,17 +906,19 @@ The number of authentication failures allowed before the device will be wiped. A
- Base 10 digits (0 through 9)
- Special characters (!, $, \#, %, etc.)
-
The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
+The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+
+
-
-
-
+
+
**DeviceLock/MinDevicePasswordLength**
-
+
Home
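Review bot: The re-added sentence "The enforcement of policies for Microsoft accounts happen on the server" has a subject-verb mismatch; it should read "happens". The link text "[KB article]" in the following re-added line gives no hint of the target, so consider using the article title instead.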
@@ -889,8 +940,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -898,9 +949,9 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
Specifies the minimum number or characters required in the PIN or password.
+
+
+Specifies the minimum number or characters required in the PIN or password.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
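Review bot: The re-added description reads "the minimum number or characters required"; this should be "number of characters". The line is being rewritten in this hunk, so the typo can be fixed here.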
@@ -908,23 +959,28 @@ The number of authentication failures allowed before the device will be wiped. A
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
The following list shows the supported values:
+
+Max policy value is the most restricted.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+
+
+The following list shows the supported values:
- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
- Not enforced.
- The default value is 4 for mobile devices and desktop devices.
-
Max policy value is the most restricted.
+
+
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
-
-
-
-
+
+
**DeviceLock/MinimumPasswordAge**
-
+
Home
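Review bot: The bullet "Not enforced." in the supported values list has no value attached, so it is unclear which setting produces it. Please prefix it with the value it describes. The first bullet also says local accounts "will always enforce a minimum password length of 6" while the stated range starts at 4; a short note on what happens when 4 or 5 is pushed to a local account would help admins predict the effective policy.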
@@ -946,8 +1002,8 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -955,30 +1011,29 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
+
+
This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
-
-
+
+
+GP Info:
+- GP English name: *Minimum password age*
+- GP path: *Windows Settings/Security Settings/Account Policies/Password Policy*
-
-
+
+
-
-
-
-
-
-
+
+
**DeviceLock/PreventLockScreenSlideShow**
-
+
Home
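Review bot: The description kept in this hunk says "Enforce password history is set to 1 by default", but the DeviceLock/DevicePasswordHistory section in this same file lists "0 (default)". Please reconcile the two defaults or say that this paragraph describes the Group Policy default rather than the CSP default. The hunk adds GP Info but no supported-values block, unlike the neighbouring policies, even though the text gives a range of 0 to 998 days.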
@@ -1000,8 +1055,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1009,15 +1064,15 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
-
+
+
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
By default, users can enable a slide show that will run after they lock the machine.
If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1025,20 +1080,22 @@ If you enable this setting, users will no longer be able to modify slide show se
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent enabling lock screen slide show*
- GP name: *CPL_Personalization_NoLockScreenSlideshow*
- GP path: *Control Panel/Personalization*
- GP ADMX file name: *ControlPanelDisplay.admx*
-
-
+
+
+
-
+
+
**DeviceLock/ScreenTimeoutWhileLocked**
-
+
Home
@@ -1060,8 +1117,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1069,23 +1126,23 @@ ADMX Info:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
+Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
-
Minimum supported value is 10.
+Minimum supported value is 10.
-
Maximum supported value is 1800.
+Maximum supported value is 1800.
-
The default value is 10.
+The default value is 10.
-
Most restricted value is 0.
+Most restricted value is 0.
-
-
+
+
Footnote:
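Review bot: The re-added lines say "Minimum supported value is 10." and then "Most restricted value is 0.", and 0 is below the stated minimum. Please confirm whether 0 is accepted and what it does, or change the most restricted value to 10. The unit (seconds) is given only in the first sentence and would be worth repeating next to the minimum and maximum.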
@@ -1094,7 +1151,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## DeviceLock policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index b23977c0bc..827b347c3e 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -6,19 +6,30 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Display
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Display policies
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+ADMX Info:
+- GP English name: *Configure Per-Process System DPI settings*
+- GP name: *DisplayPerProcessSystemDpiSettings*
+- GP element: *DisplayDisablePerProcessSystemDpiSettings*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
+
+
+
+
+
+
+
+**Display/EnablePerProcessDpi**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
4
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this scenario will be blurry until you log out and back in to Windows.
+
+When you enable this policy some blurry applications will be crisp after they are restarted, without requiring the user to log out and back in to Windows.
+
+Be aware of the following:
+
+Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display that has the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors.
+
+Per Process System DPI will not work for all applications as some older desktop applications will always be blurry on high DPI displays.
+
+In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled.
+
+Enabling this setting lets you specify the system-wide default for desktop applications as well as per-application overrides. If you disable or do not configure this setting, Per Process System DPI will not apply to any processes on the system.
+
+
+
+ADMX Info:
+- GP English name: *Configure Per-Process System DPI settings*
+- GP name: *DisplayPerProcessSystemDpiSettings*
+- GP element: *DisplayGlobalPerProcessSystemDpiSettings*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 - Disable.
+- 1 - Enable.
+
+
+
+
+
+
+
+**Display/EnablePerProcessDpiForApps**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
4
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+ADMX Info:
+- GP English name: *Configure Per-Process System DPI settings*
+- GP name: *DisplayPerProcessSystemDpiSettings*
+- GP element: *DisplayEnablePerProcessSystemDpiSettings*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
+
+
+
+
+
+
+
**Display/TurnOffGdiDPIScalingForApps**
-
+
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
+
+
+GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
-
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
+This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
-
If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
+If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
-
If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
+If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
-
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
-
To validate on Desktop, do the following:
+
+
+ADMX Info:
+- GP English name: *Turn off GdiDPIScaling for applications*
+- GP name: *DisplayTurnOffGdiDPIScaling*
+- GP element: *DisplayTurnOffGdiDPIScalingPrompt*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
+
+
+
+To validate on Desktop, do the following:
1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
2. Run the app and observe blurry text.
-
-
+
+
+
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
+
+
+GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
-
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
+This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
-
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
+If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
-
If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
+If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
-
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
-
To validate on Desktop, do the following:
+
+
+ADMX Info:
+- GP English name: *Turn on GdiDPIScaling for applications*
+- GP name: *DisplayTurnOnGdiDPIScaling*
+- GP element: *DisplayTurnOnGdiDPIScalingPrompt*
+- GP path: *System/Display*
+- GP ADMX file name: *Display.admx*
+
+
+
+To validate on Desktop, do the following:
1. Configure the setting for an app which uses GDI.
2. Run the app and observe crisp text.
-
-
+
+
Footnote:
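Review bot: In the new Display/EnablePerProcessDpiForApps section, the description says the value is a semicolon-separated list of full paths or filenames with extensions, but it gives no sample value and does not say how a bare filename is matched when more than one binary carries that name; add an example string and a sentence on matching. The edition rows for this policy show footnote 4, while the Footnote context below lists only 2 and 3, so check that 4 is defined. In both GDI sections, "the application will be turned off" would read more accurately as "GDI DPI Scaling will be turned off for the application".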
@@ -143,5 +356,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 0b37a6b5c5..8eab86d6e3 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Education
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Education policies
@@ -30,11 +30,13 @@ ms.date: 12/14/2017
+
-
+
+
**Education/DefaultPrinterName**
-
+
Home
@@ -56,8 +58,8 @@ ms.date: 12/14/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,19 +67,21 @@ ms.date: 12/14/2017
-
-
+
+
Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer.
The policy value is expected to be the name (network host name) of an installed printer.
-
-
+
+
+
-
+
+
**Education/PreventAddingNewPrinters**
-
+
Home
@@ -99,8 +103,8 @@ The policy value is expected to be the name (network host name) of an installed
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -108,11 +112,19 @@ The policy value is expected to be the name (network host name) of an installed
-
-
+
+
Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings.
-
+
+
+ADMX Info:
+- GP English name: *Prevent addition of printers*
+- GP name: *NoAddPrinter*
+- GP path: *Control Panel/Printers*
+- GP ADMX file name: *Printing.admx*
+
+
The following list shows the supported values:
@@ -120,12 +132,14 @@ The following list shows the supported values:
- 1 – Prevent user installation.
-
+
+
-
+
+
**Education/PrinterNames**
-
+
Home
@@ -147,8 +161,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -156,14 +170,14 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names).
The policy value is expected to be a `````` seperated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer.
-
-
+
+
Footnote:
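Review bot: In the Education/PrinterNames context line, the code span that should name the separator is empty ("a `````` seperated list of printer names"), so a reader cannot tell which character delimits the list; since this hunk already touches the section, restore the separator and correct "seperated" to "separated".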
@@ -172,5 +186,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 3506a2c3f1..63d4b5f3b2 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/30/2018
---
# Policy CSP - EnterpriseCloudPrint
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## EnterpriseCloudPrint policies
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs".
+The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs".
+
+
+
-
-
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714".
+The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714".
+
+
+
-
-
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint".
+The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint".
+
+
+
-
-
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com".
+The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com".
+
+
+
-
-
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
-
The datatype is an integer.
+The datatype is an integer.
-
For Windows Mobile, the default value is 20.
+For Windows Mobile, the default value is 20.
+
+
+
-
-
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
+
+
+Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
-
The datatype is a string.
+The datatype is a string.
-
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint".
+The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint".
-
-
+
+
Footnote:
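Review bot: For the policy that caps the number of printers queried from a discovery endpoint, the re-added text gives a default only for one platform ("For Windows Mobile, the default value is 20."); state the default on the other editions or say that there is none. The endpoint examples use https, while both resource URL examples use http:// ("http://MicrosoftEnterpriseCloudPrint/CloudPrint", "http://MopriaDiscoveryService/CloudPrint"); say whether the resource URL is only an identifier in the OAuth request or is actually contacted, so the examples are not read as guidance to configure cleartext endpoints.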
@@ -317,5 +329,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 67f7bd2d6a..ed18d1d8d9 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - ErrorReporting
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## ErrorReporting policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -71,8 +73,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
@@ -89,7 +91,7 @@ If you enable this policy setting, you can add specific event types to a list by
If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -97,20 +99,22 @@ If you disable or do not configure this policy setting, then the default consent
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Customize consent settings*
- GP name: *WerConsentCustomize_2*
- GP path: *Windows Components/Windows Error Reporting/Consent*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
+
-
+
+
**ErrorReporting/DisableWindowsErrorReporting**
-
+
Home
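Review bot: The context line at the top of this hunk tells admins to XML-encode the SyncML payload with "a variety of online encoders"; while the file is being touched, reword it to recommend encoding locally or using CDATA, because pasting policy payloads into a third-party site can disclose configuration. The same sentence recurs under every ADMX-backed policy in this file, and its CDATA link points at http://www.w3.org rather than https.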
@@ -132,8 +136,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -141,15 +145,15 @@ ADMX Info:
-
-
+
+
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
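Review bot: In the ErrorReporting/DisableWindowsErrorReporting description, the first sentence says reports are not collected or sent "to either Microsoft or internal servers within your organization", but the "If you enable this policy setting" sentence mentions only Microsoft; align the two so it is clear whether reporting to an internal server is also stopped.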
@@ -157,20 +161,22 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable Windows Error Reporting*
- GP name: *WerDisable_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
+
-
+
+
**ErrorReporting/DisplayErrorNotification**
-
+
Home
@@ -192,8 +198,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -201,8 +207,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether users are shown an error dialog box that lets them report an error.
If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
@@ -213,7 +219,7 @@ If you do not configure this policy setting, users can change this setting in Co
See also the Configure Error Reporting policy setting.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -221,20 +227,22 @@ See also the Configure Error Reporting policy setting.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Display Error Notification*
- GP name: *PCH_ShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
+
-
+
+
**ErrorReporting/DoNotSendAdditionalData**
-
+
Home
@@ -256,8 +264,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -265,15 +273,15 @@ ADMX Info:
-
-
+
+
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -281,20 +289,22 @@ If you disable or do not configure this policy setting, then consent policy sett
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not send additional data*
- GP name: *WerNoSecondLevelData_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
+
-
+
+
**ErrorReporting/PreventCriticalErrorDisplay**
-
+
Home
@@ -316,8 +326,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -325,15 +335,15 @@ ADMX Info:
-
-
+
+
This policy setting prevents the display of the user interface for critical errors.
If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -341,15 +351,15 @@ If you disable or do not configure this policy setting, Windows Error Reporting
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent display of the user interface for critical errors*
- GP name: *WerDoNotShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
-
-
+
+
Footnote:
@@ -358,5 +368,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index ea5746021f..e0d3529cc9 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - EventLogService
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## EventLogService policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -68,17 +70,17 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
-Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
+Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
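Review bot: The retention note is re-added as plain text ("Note: Old events may or may not be retained...") while the same hunk uses the `> [!TIP]` callout syntax; make it a `> [!NOTE]` callout for consistency. Because enabling the setting means new events "are not written to the log and are lost", that consequence deserves the callout at least as much as the backup remark does.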
@@ -86,20 +88,22 @@ Note: Old events may or may not be retained according to the "Backup log automat
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
-
-
+
+
+
-
+
+
**EventLogService/SpecifyMaximumFileSizeApplicationLog**
-
+
Home
@@ -121,8 +125,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -130,15 +134,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -146,20 +150,22 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
-
-
+
+
+
-
+
+
**EventLogService/SpecifyMaximumFileSizeSecurityLog**
-
+
Home
@@ -181,8 +187,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -190,15 +196,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
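Review bot: The description in this hunk ("This policy setting specifies the maximum size of the log file in kilobytes.") is word-for-word the same under the Application, Security and System log policies; name the log in the first sentence of each so the sections can be told apart without reading the GP path. The last paragraph could also say whether the 20 megabyte local default applies to this log specifically.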
@@ -206,20 +212,22 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
- GP path: *Windows Components/Event Log Service/Security*
- GP ADMX file name: *eventlog.admx*
-
-
+
+
+
-
+
+
**EventLogService/SpecifyMaximumFileSizeSystemLog**
-
+
Home
@@ -241,8 +249,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -250,15 +258,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -266,15 +274,15 @@ If you disable or do not configure this policy setting, the maximum size of the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
- GP path: *Windows Components/Event Log Service/System*
- GP ADMX file name: *eventlog.admx*
-
-
+
+
Footnote:
@@ -283,5 +291,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 8d3786e647..b741cd983e 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 03/05/2018
---
# Policy CSP - Experience
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## Experience policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -121,16 +126,16 @@ ms.date: 12/19/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether copy and paste is allowed.
+Specifies whether copy and paste is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -138,12 +143,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowCortana**
-
+
Home
@@ -165,8 +172,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -174,13 +181,21 @@ The following list shows the supported values:
-
-
-
Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
+
+
+Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow Cortana*
+- GP name: *AllowCortana*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -188,12 +203,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowDeviceDiscovery**
-
+
Home
@@ -215,8 +232,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -224,15 +241,15 @@ The following list shows the supported values:
-
-
-
Allows users to turn on/off device discovery UX.
+
+
+Allows users to turn on/off device discovery UX.
-
When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
+When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
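Review bot: The re-added line "When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on." ends mid-sentence and has a stray space before the comma; complete or drop the trailing "on" and fix the spacing, since the line is being rewritten anyway.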
@@ -240,12 +257,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowFindMyDevice**
-
+
Home
@@ -267,8 +286,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -276,15 +295,23 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy turns on Find My Device.
+
+
+Added in Windows 10, version 1703. This policy turns on Find My Device.
-
When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
+When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
-
When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
+When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
-
+
+
+ADMX Info:
+- GP English name: *Turn On/Off Find My Device*
+- GP name: *FindMy_AllowFindMyDeviceConfig*
+- GP path: *Windows Components/Find My Device*
+- GP ADMX file name: *FindMy.admx*
+
+
The following list shows the supported values:
@@ -292,12 +319,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -319,8 +348,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -328,17 +357,17 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect.
+
+
+Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect.
> [!NOTE]
> The MDM server can always remotely delete the account.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
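Review bot: The re-added description line ("Specifies whether to allow the user to delete the workplace account ...") still leaves the Azure AD case ambiguous. "Disabling the MDM unenrollment has no effect" does not say whether the user can or cannot remove the account on an Azure AD joined, auto-enrolled device, and "which is majority of the case for Intune" is ungrammatical. Admins rely on this setting to keep devices under management, so state the outcome for that case explicitly and fix the wording while the line is being touched.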
@@ -346,12 +375,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -373,8 +404,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -382,15 +413,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether to display dialog prompt when no SIM card is detected.
+Specifies whether to display dialog prompt when no SIM card is detected.
-
+
The following list shows the supported values:
@@ -398,20 +429,25 @@ The following list shows the supported values:
- 1 (default) – SIM card dialog prompt is displayed.
-
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -442,17 +478,17 @@ This policy is deprecated.
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether screen capture is allowed.
+Specifies whether screen capture is allowed.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -460,20 +496,25 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -504,11 +545,11 @@ This policy is deprecated.
-
-
-
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
+
+
+Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
-
+
The following list shows the supported values:
@@ -516,12 +557,14 @@ The following list shows the supported values:
- 1 (default) – Sync settings allowed.
-
+
+
@@ -537,14 +580,14 @@ The following list shows the supported values:
2
2
2
-
2
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -552,20 +595,28 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
+Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
-
Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
+Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Do not use diagnostic data for tailored experiences*
+- GP name: *DisableTailoredExperiencesWithDiagnosticData*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
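Review bot: The new ADMX block names the Group Policy *Do not use diagnostic data for tailored experiences* (GP name *DisableTailoredExperiencesWithDiagnosticData*), and the description above it is written in that sense ("If you enable this policy setting, Windows will not use diagnostic data ..."), while the same section says "Most restricted value is 0" and lists numeric supported values. From these lines a reader cannot tell whether "enable" corresponds to the restricted value 0. Add one sentence that maps the GP state (enabled or disabled) to the numeric value. The unchanged note in this hunk also contains the typo "cutomized", which could be fixed in the same pass.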
@@ -573,12 +624,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowTaskSwitcher**
-
+
Home
@@ -600,8 +653,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -609,15 +662,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Allows or disallows task switching on the device.
+Allows or disallows task switching on the device.
-
+
The following list shows the supported values:
@@ -625,12 +678,14 @@ The following list shows the supported values:
- 1 (default) – Task switching allowed.
-
+
+
@@ -644,16 +699,16 @@ The following list shows the supported values:
1
-
1
1
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -661,15 +716,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
+Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
-
+
+
+ADMX Info:
+- GP English name: *Do not suggest third-party content in Windows spotlight*
+- GP name: *DisableThirdPartySuggestions*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -677,12 +740,14 @@ The following list shows the supported values:
- 1 (default) – Third-party suggestions allowed.
-
+
+
-
+
+
**Experience/AllowVoiceRecording**
-
+
Home
@@ -704,8 +769,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -713,17 +778,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether voice recording is allowed for apps.
+Specifies whether voice recording is allowed for apps.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -731,12 +796,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -749,35 +816,43 @@ The following list shows the supported values:
-
-
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
-> * User
+> * Device
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
+This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Turn off Microsoft consumer experiences*
+- GP name: *DisableWindowsConsumerFeatures*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
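Review bot: The Scope checklist entry changes from "> * User" to "> * Device" with no accompanying text explaining why. Scope decides where the policy can be set, so confirm the new value matches the *DisableWindowsConsumerFeatures* definition in CloudContent.admx. If the earlier value was a documentation error, say so in the commit message so that admins who targeted the user scope know to re-check their profiles.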
@@ -785,12 +860,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**Experience/AllowWindowsSpotlight**
-
+
Home
@@ -804,16 +881,16 @@ The following list shows the supported values:
-
1
1
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -821,17 +898,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
-
Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
+Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Turn off all Windows spotlight features*
+- GP name: *DisableWindowsSpotlightFeatures*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -839,12 +924,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -860,14 +947,14 @@ The following list shows the supported values:
2
2
-
2
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -875,16 +962,24 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
+Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Spotlight on Action Center*
+- GP name: *DisableWindowsSpotlightOnActionCenter*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -892,12 +987,76 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Added in Windows 10, version 1083. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive.
+
+- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app.
+- User Setting is changeable on a per user basis.
+- If the Group policy is set to off, no suggestions will be shown to the user in Settings app.
+
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Spotlight on Settings*
+- GP name: *DisableWindowsSpotlightOnSettings*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 - Not allowed.
+- 1 - Allowed.
+
+
+
+
+
+
+
**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
-
+
Home
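Review bot: In the added description, "Added in Windows 10, version 1083" does not fit the version numbers used elsewhere on this page (1703, 1709) and reads like a transposition. Confirm the intended release and add a matching entry to the Footnote list if it is a new version. The same sentence has the typo "thier". The ADMX name (*Turn off Windows Spotlight on Settings*) does not use the term "Suggestions" that the description and the Settings path use, and the supported values list does not say which value is the default.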
@@ -913,14 +1072,14 @@ The following list shows the supported values:
2
2
-
2
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -928,17 +1087,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
+Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Turn off the Windows Welcome Experience*
+- GP name: *DisableWindowsSpotlightWindowsWelcomeExperience*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -946,12 +1113,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Experience/AllowWindowsTips**
-
+
Home
@@ -964,17 +1133,17 @@ The following list shows the supported values:
-
-
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -982,11 +1151,19 @@ The following list shows the supported values:
-
-
+
+
Enables or disables Windows Tips / soft landing.
-
+
+
+ADMX Info:
+- GP English name: *Do not show Windows tips*
+- GP name: *DisableSoftLanding*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
The following list shows the supported values:
@@ -994,12 +1171,14 @@ The following list shows the supported values:
- 1 (default) – Enabled.
-
+
+
-
+
+
**Experience/ConfigureWindowsSpotlightOnLockScreen**
-
+
Home
@@ -1013,16 +1192,16 @@ The following list shows the supported values:
-
1
1
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1030,27 +1209,39 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
-
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
+Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Configure Windows spotlight on lock screen*
+- GP name: *ConfigureWindowsSpotlight*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
+
+The following list shows the supported values:
- 0 – None.
- 1 (default) – Windows spotlight enabled.
- 2 – placeholder only for future extension. Using this value has no effect.
-
-
+
+
+
@@ -1072,8 +1263,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1081,21 +1272,31 @@ The following list shows the supported values:
-
-
-
Prevents devices from showing feedback questions from Microsoft.
+
+
+Prevents devices from showing feedback questions from Microsoft.
-
If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
+If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
-
If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
+If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Do not show feedback notifications*
+- GP name: *DoNotShowFeedbackNotifications*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *FeedbackNotifications.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
- 1 – Feedback notifications are disabled.
-
-
+
+
Footnote:
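Review bot: The re-added description lines keep two consecutive statements that both begin "If you disable or do not configure this policy setting" but give different outcomes: users "may see notifications through the Feedback hub app", and users "can control how often they receive feedback questions". Merge them so the unconfigured behaviour is stated once. It would also help to note that the description is phrased for the Group Policy (*Do not show feedback notifications*) while the value list is numeric, where 1 means notifications are disabled.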
@@ -1104,7 +1305,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Experience policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index e165e843f7..ca51c9a7a7 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - ExploitGuard
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## ExploitGuard policies
Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
+
+
+Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
-
The system settings require a reboot; the application settings do not require a reboot.
+The system settings require a reboot; the application settings do not require a reboot.
-
Here is an example:
+
+
+ADMX Info:
+- GP English name: *Use a common set of exploit protection settings*
+- GP name: *ExploitProtection_Name*
+- GP element: *ExploitProtection_Name*
+- GP path: *Windows Components/Windows Defender Exploit Guard/Exploit Protection*
+- GP ADMX file name: *ExploitGuard.admx*
+
+
+
+Here is an example:
``` syntax
@@ -90,8 +103,8 @@ ms.date: 11/01/2017
```
-
-
+
+
Footnote:
@@ -100,5 +113,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 17be10dc9d..2a651204e1 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - Games
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Games policies
Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
+
+
+Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
-
+
The following list shows the supported values:
@@ -71,7 +73,7 @@ The following list shows the supported values:
- 1 (default) - Allowed
-
+
Footnote:
@@ -80,5 +82,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 3ca3c0d2bd..438387b1b6 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Handwriting
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Handwriting policies
Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel.
+
+
+Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel.
-
The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
+The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
-
In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction.
+In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction.
-
The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way.
+The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way.
-
+
+
+ADMX Info:
+- GP English name: *Handwriting Panel Default Mode Docked*
+- GP name: *PanelDefaultModeDocked*
+- GP path: *Windows Components/Handwriting*
+- GP ADMX file name: *Handwriting.admx*
+
+
The following list shows the supported values:
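Review bot: The re-added description lines carry over two errors. "Added in Windows 10. version 1709" has a period where the other policies use a comma, and "The default configuration to is floating near text box" has a stray "to". Fix both while these lines are being touched. The new ADMX block calls the setting *Handwriting Panel Default Mode Docked*, so consider using "docked" consistently instead of alternating between "fixed" and "docked".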
@@ -77,7 +87,7 @@ The following list shows the supported values:
- 1 - Enabled.
-
+
Footnote:
@@ -86,5 +96,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 88e6a352f7..23a0b5a050 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - InternetExplorer
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## InternetExplorer policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -786,15 +788,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.
If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -802,20 +804,22 @@ If you disable or do not configure this policy setting, the user can configure t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Add a specific list of search providers to the user's list of search providers*
- GP name: *AddSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowActiveXFiltering**
-
+
Home
@@ -837,8 +841,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -847,15 +851,15 @@ ADMX Info:
-
-
+
+
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.
If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.
If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -863,20 +867,22 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on ActiveX Filtering*
- GP name: *TurnOnActiveXFiltering*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowAddOnList**
-
+
Home
@@ -898,8 +904,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -908,21 +914,21 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.
This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.
If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:
-Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
+Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
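Review bot: The replacement line for "Name of the Value" adds an opening curly quote (‘) before the example CLSID but keeps the straight closing quote ('), so the quoting is now mismatched. Use the same straight quote on both sides, as the paragraph already does for 'Deny all add-ons unless specifically allowed in the Add-on List'. While here, check the placeholder itself: its first and last groups look longer than the 8 and 12 hex digits a CLSID uses, and admins copy this format into an allow/deny list.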
@@ -930,20 +936,22 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Add-on List*
- GP name: *AddonManagement_AddOnList*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowAutoComplete**
-
+
Home
@@ -965,8 +973,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -974,9 +982,17 @@ ADMX Info:
-
-
-
+
+
+This AutoComplete feature can remember and suggest User names and passwords on Forms.
+
+If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords".
+
+If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords.
+
+If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
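Review bot: In the added "If you enable this setting" paragraph, the sentence "You have to decide whether to select "prompt me to save passwords"" comes right after stating that the user cannot change that option, so it is unclear who decides and where. Suggest saying explicitly that the administrator chooses this option when enabling the policy. The new text also spells the feature three ways ("AutoComplete", "Auto Complete", "Auto complete") and writes "If you disable this setting the user" without a comma; pick one spelling, and verify "the Contents Tab" against the actual Internet Options dialog. Because enabling this policy turns on storing of user names and passwords on forms, the enabled state deserves the clearest wording in the section.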
@@ -984,20 +1000,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on the auto-complete feature for user names and passwords on forms*
- GP name: *RestrictFormSuggestPW*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowCertificateAddressMismatchWarning**
-
+
Home
@@ -1019,8 +1037,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1029,9 +1047,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.
+
+If you enable this policy setting, the certificate address mismatch warning always appears.
+
+If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel).
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1039,20 +1063,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on certificate address mismatch warning*
- GP name: *IZ_PolicyWarnCertMismatch*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowDeletingBrowsingHistoryOnExit**
-
+
Home
@@ -1074,8 +1100,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1084,9 +1110,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted.
+
+If you enable this policy setting, deleting browsing history on exit is turned on.
+
+If you disable this policy setting, deleting browsing history on exit is turned off.
+
+If you do not configure this policy setting, it can be configured on the General tab in Internet Options.
+
+If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1094,20 +1130,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow deleting browsing history on exit*
- GP name: *DBHDisableDeleteOnExit*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowEnhancedProtectedMode**
-
+
Home
@@ -1129,8 +1167,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1139,8 +1177,8 @@ ADMX Info:
-
-
+
+
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
@@ -1149,7 +1187,7 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off.
If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1157,20 +1195,22 @@ If you do not configure this policy, users will be able to turn on or turn off E
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Enhanced Protected Mode*
- GP name: *Advanced_EnableEnhancedProtectedMode*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowEnterpriseModeFromToolsMenu**
-
+
Home
@@ -1192,8 +1232,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1202,15 +1242,15 @@ ADMX Info:
-
-
+
+
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.
If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1218,20 +1258,22 @@ If you disable or don't configure this policy setting, the menu option won't app
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Let users turn on and use Enterprise Mode from the Tools menu*
- GP name: *EnterpriseModeEnable*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowEnterpriseModeSiteList**
-
+
Home
@@ -1253,8 +1295,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1263,15 +1305,15 @@ ADMX Info:
-
-
+
+
This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.
If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.
If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1279,20 +1321,22 @@ If you disable or don't configure this policy setting, Internet Explorer opens a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use the Enterprise Mode IE website list*
- GP name: *EnterpriseModeSiteList*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowFallbackToSSL3**
-
+
Home
@@ -1314,8 +1358,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1323,9 +1367,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.
+
+We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack.
+
+This policy does not affect which security protocols are enabled.
+
+If you disable this policy, system defaults will be used.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
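Review bot: The first two added sentences contradict each other: the setting is introduced as letting you "block an insecure fallback to SSL 3.0", but the next sentence says that when it is enabled Internet Explorer "will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails", which means enabling permits the fallback. Suggest rewording the opening so it is clear that enabled means fallback is allowed, and stating which state implements the recommendation not to allow insecure fallback. The text also covers only "If you disable this policy, system defaults will be used"; add what happens when the policy is not configured, as the neighbouring policies do.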
@@ -1333,20 +1385,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow fallback to SSL 3.0 (Internet Explorer)*
- GP name: *Advanced_EnableSSL3Fallback*
- GP path: *Windows Components/Internet Explorer/Security Features*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowInternetExplorer7PolicyList**
-
+
Home
@@ -1368,8 +1422,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1378,15 +1432,15 @@ ADMX Info:
-
-
+
+
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.
If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.
If you disable or do not configure this policy setting, the user can add and remove sites from the list.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1394,20 +1448,22 @@ If you disable or do not configure this policy setting, the user can add and rem
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Policy List of Internet Explorer 7 sites*
- GP name: *CompatView_UsePolicyList*
- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowInternetExplorerStandardsMode**
-
+
Home
@@ -1429,8 +1485,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1439,8 +1495,8 @@ ADMX Info:
-
-
+
+
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.
@@ -1449,7 +1505,7 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer
If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1457,20 +1513,22 @@ If you do not configure this policy setting, Internet Explorer uses an Internet
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Internet Explorer Standards Mode for local intranet*
- GP name: *CompatView_IntranetSites*
- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowInternetZoneTemplate**
-
+
Home
@@ -1492,8 +1550,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1502,8 +1560,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1516,7 +1574,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1524,20 +1582,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowIntranetZoneTemplate**
-
+
Home
@@ -1559,8 +1619,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1569,8 +1629,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1583,7 +1643,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1591,20 +1651,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLocalMachineZoneTemplate**
-
+
Home
@@ -1626,8 +1688,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1636,8 +1698,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1650,7 +1712,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1658,20 +1720,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLockedDownInternetZoneTemplate**
-
+
Home
@@ -1693,8 +1757,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1703,8 +1767,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1717,7 +1781,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1725,20 +1789,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLockedDownIntranetZoneTemplate**
-
+
Home
@@ -1760,8 +1826,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1770,8 +1836,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1784,7 +1850,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1792,20 +1858,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate**
-
+
Home
@@ -1827,8 +1895,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1837,8 +1905,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1851,7 +1919,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1859,20 +1927,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate**
-
+
Home
@@ -1894,8 +1964,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1904,8 +1974,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1918,7 +1988,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1926,20 +1996,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowOneWordEntry**
-
+
Home
@@ -1961,8 +2033,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1971,15 +2043,15 @@ ADMX Info:
-
-
+
+
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.
If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.
If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -1987,20 +2059,22 @@ If you disable or do not configure this policy setting, Internet Explorer does n
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Go to an intranet site for a one-word entry in the Address bar*
- GP name: *UseIntranetSiteForOneWordEntry*
- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowSiteToZoneAssignmentList**
-
+
Home
@@ -2022,8 +2096,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2032,21 +2106,21 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
-If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
+If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
-Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
+Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
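Review bot: the rewritten Valuename paragraph uses an en dash ("Valuename –") while the Value paragraph directly below it still uses a hyphen ("Value - "), so the two field descriptions no longer match. Pick one separator for both, and consider making them a two-item list so they stand out from the surrounding prose. The bare http://www.contoso.com in the same line will be auto-linked by most Markdown renderers; putting the sample values (http://www.contoso.com, www.contoso.com, 127.0.0.1-10) in backticks would show that they are literal valuename strings. The first -/+ pair in this hunk ("If you enable this policy setting, you can enter a list of sites ...") shows no visible text change, so confirm it is an intended whitespace fix.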
@@ -2054,20 +2128,22 @@ If you disable or do not configure this policy, users may choose their own site-
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Site to Zone Assignment List*
- GP name: *IZ_Zonemaps*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid**
-
+
Home
@@ -2089,8 +2165,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2099,9 +2175,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.
+
+If you enable this policy setting, users will be prompted to install or run files with an invalid signature.
+
+If you disable this policy setting, users cannot run or install files with an invalid signature.
+
+If you do not configure this policy, users can choose to run or install files with an invalid signature.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
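Review bot: in the added description, the enabled and not-configured cases read almost the same ("users will be prompted to install or run" versus "users can choose to run or install"), so a reader cannot tell at a glance which states still let a file with an invalid signature run. State explicitly that only the disabled state blocks such files, and use "this policy setting" in the last paragraph to match the two before it.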
@@ -2109,20 +2193,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow software to run or install even if the signature is invalid*
- GP name: *Advanced_InvalidSignatureBlock*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowSuggestedSites**
-
+
Home
@@ -2144,8 +2230,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2154,17 +2240,17 @@ ADMX Info:
-
-
-This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.
+
+
+This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit.
-If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.
+If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions.
If you disable this policy setting, the entry points and functionality associated with this feature are turned off.
If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
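Review bot: the replacement lines fix the missing possessives but do so with typographic apostrophes ("user’s"), whereas other text added by this patch uses the plain ASCII apostrophe ("servers'", "hasn't"). Use "user's" in all three places so the file stays consistent and searchable.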
@@ -2172,20 +2258,22 @@ If you do not configure this policy setting, the user can turn on and turn off t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Suggested Sites*
- GP name: *EnableSuggestedSites*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowTrustedSitesZoneTemplate**
-
+
Home
@@ -2207,8 +2295,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2217,8 +2305,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2231,7 +2319,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2239,20 +2327,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate**
-
+
Home
@@ -2274,8 +2364,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2284,8 +2374,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2298,7 +2388,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2306,20 +2396,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Locked-Down Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/AllowsRestrictedSitesZoneTemplate**
-
+
Home
@@ -2341,8 +2433,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2351,8 +2443,8 @@ ADMX Info:
-
-
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2365,7 +2457,7 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2373,20 +2465,22 @@ Note. It is recommended to configure template policy settings in one Group Polic
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneTemplate*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/CheckServerCertificateRevocation**
-
+
Home
@@ -2408,8 +2502,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2418,9 +2512,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.
+
+If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.
+
+If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.
+
+If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
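Review bot: the added disabled and not-configured paragraphs describe the same outcome (Internet Explorer will not check server certificates to see if they have been revoked). Merge them into one "If you disable or do not configure this policy setting, ..." sentence, as the SmartScreen policies in this file do, so it is obvious that revocation checking stays off unless the setting is explicitly enabled.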
@@ -2428,20 +2530,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Check for server certificate revocation*
- GP name: *Advanced_CertificateRevocation*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/CheckSignaturesOnDownloadedPrograms**
-
+
Home
@@ -2463,8 +2567,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2473,9 +2577,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.
+
+If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.
+
+If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers.
+
+If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
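Review bot: in the first added paragraph, "digital signatures (which identifies the publisher of signed software and verifies ...)" pairs a plural subject with singular verbs; it should read "which identify ... and verify". The trailing "on user computers before downloading executable programs" is also hard to parse after the long parenthesis and reads better moved next to "checks". The last paragraph says "this policy" where the other two say "this policy setting", and it repeats the disabled paragraph's outcome, so the two could be merged.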
@@ -2483,20 +2595,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Check for signatures on downloaded programs*
- GP name: *Advanced_DownloadSignatures*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses**
-
+
Home
@@ -2518,8 +2632,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2528,9 +2642,19 @@ ADMX Info:
-
-
-
+
+
+Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.
+
+This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.
+
+If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files.
+
+If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files.
+
+If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
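Review bot: the example in the second added paragraph uses "MIME sniff" without saying what it is. A short gloss (the file type Internet Explorer infers from the file's content, as opposed to the type the server declares) would make the text/plain versus executable example understandable to readers who do not know the term. The enabled and not-configured paragraphs also state the same behaviour and could be one sentence.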
@@ -2538,20 +2662,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
-- GP name: *IESF_PolicyExplorerProcesses_2*
-- GP path: *Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction*
+- GP name: *IESF_PolicyExplorerProcesses_5*
+- GP path: *Windows Components/Internet Explorer/Security Features/Consistent Mime Handling*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableAdobeFlash**
-
+
Home
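Review bot: the GP name and GP path change here (IESF_PolicyExplorerProcesses_2 under Binary Behavior Security Restriction to IESF_PolicyExplorerProcesses_5 under Consistent Mime Handling) is a mapping correction rather than a formatting one, and the names differ only by a numeric suffix. Verify it against inetres.admx before merging, and check the other policies in this file whose GP English name is "Internet Explorer Processes" for the same copy-and-paste error. The path writes "Mime" while the description added for this policy writes "MIME"; keep the path exactly as the ADMX display string has it.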
@@ -2573,8 +2699,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2583,8 +2709,8 @@ ADMX Info:
-
-
+
+
This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.
If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.
@@ -2593,7 +2719,7 @@ If you disable, or do not configure this policy setting, Flash is turned on for
Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2601,20 +2727,22 @@ Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects*
- GP name: *DisableFlashInIE*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableBypassOfSmartScreenWarnings**
-
+
Home
@@ -2636,8 +2764,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2646,15 +2774,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.
If you enable this policy setting, SmartScreen Filter warnings block the user.
If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2662,20 +2790,22 @@ If you disable or do not configure this policy setting, the user can bypass Smar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent bypassing SmartScreen Filter warnings*
- GP name: *DisableSafetyFilterOverride*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles**
-
+
Home
@@ -2697,8 +2827,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2707,15 +2837,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.
If you enable this policy setting, SmartScreen Filter warnings block the user.
If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2723,20 +2853,22 @@ If you disable or do not configure this policy setting, the user can bypass Smar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet*
- GP name: *DisableSafetyFilterOverrideForAppRepUnknown*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableConfiguringHistory**
-
+
Home
@@ -2758,8 +2890,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2768,9 +2900,15 @@ ADMX Info:
-
-
-
+
+
+This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history.
+
+If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history.
+
+If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
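Review bot: the added text says "You must specify the number of days" but nothing in the hunk says how that value is supplied when the policy is set through MDM rather than through the dialog box it describes. Add the name of the data element or a pointer to where it is documented. Also, "Users can not delete browsing history" should be "cannot", and "History list" in the last paragraph should match "History List" used above it.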
@@ -2778,20 +2916,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable "Configuring History"*
- GP name: *RestrictHistory*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableCrashDetection**
-
+
Home
@@ -2813,8 +2953,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2823,9 +2963,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage the crash detection feature of add-on Management.
+
+If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.
+
+If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
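Review bot: "add-on Management" in the first added sentence is capitalised differently from "add-on management" in the last one; use one form. The enabled-state paragraph defines the behaviour by reference to Windows XP Professional Service Pack 1, which is of little help on a Windows 10 policy page; saying directly that a crash in Internet Explorer invokes Windows Error Reporting would be enough.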
@@ -2833,20 +2979,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off Crash Detection*
- GP name: *AddonManagement_RestrictCrashDetection*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation**
-
+
Home
@@ -2868,8 +3016,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2878,8 +3026,8 @@ ADMX Info:
-
-
+
+
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).
If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
@@ -2888,7 +3036,7 @@ If you disable this policy setting, the user must participate in the CEIP, and t
If you do not configure this policy setting, the user can choose to participate in the CEIP.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2896,20 +3044,22 @@ If you do not configure this policy setting, the user can choose to participate
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent participation in the Customer Experience Improvement Program*
- GP name: *SQM_DisableCEIP*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableDeletingUserVisitedWebsites**
-
+
Home
@@ -2931,8 +3081,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2941,9 +3091,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box.
+
+If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete.
+
+If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete.
+
+If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete.
+
+If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
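Review bot: the added paragraphs use "he or she" four times; "the user" or "they" reads better and matches the rest of the file. The final sentence ("this policy setting is enabled by default") is ambiguous about whether the setting can still be changed once "Prevent access to Delete Browsing History" is enabled; say which it is.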
@@ -2951,20 +3111,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent deleting websites that the user has visited*
- GP name: *DBHDisableDeleteHistory*
- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableEnclosureDownloading**
-
+
Home
@@ -2986,8 +3148,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2996,15 +3158,15 @@ ADMX Info:
-
-
+
+
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3012,20 +3174,22 @@ If you disable or do not configure this policy setting, the user can set the Fee
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent downloading of enclosures*
- GP name: *Disable_Downloading_of_Enclosures*
- GP path: *Windows Components/RSS Feeds*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableEncryptionSupport**
-
+
Home
@@ -3047,8 +3211,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3057,9 +3221,9 @@ ADMX Info:
-
-
-This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
+
+
+This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.
If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
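Review bot: the `+` line for the DisableEncryptionSupport description fixes "each others" but does it with a typographic apostrophe (`other’s`), while the rest of the file uses the ASCII form (for example `user's` in the DisableFirstRunWizard text). Use `other's` so the source stays consistent and searchable. Separately, the unchanged sentence "the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select" is hard to parse; since this line is being touched anyway, consider rewording it to say that only the selected protocol versions are offered during negotiation.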
@@ -3067,7 +3231,7 @@ If you disable or do not configure this policy setting, the user can select whic
Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3075,20 +3239,22 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off encryption support*
- GP name: *Advanced_SetWinInetProtocols*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableFirstRunWizard**
-
+
Home
@@ -3110,8 +3276,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3120,19 +3286,19 @@ ADMX Info:
-
-
+
+
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
If you enable this policy setting, you must make one of the following choices:
-Skip the First Run wizard, and go directly to the user's home page.
-Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
+- Skip the First Run wizard, and go directly to the user's home page.
+- Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3140,20 +3306,22 @@ If you disable or do not configure this policy setting, Internet Explorer may ru
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent running First Run wizard*
- GP name: *NoFirstRunCustomise*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableFlipAheadFeature**
-
+
Home
@@ -3175,8 +3343,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3185,8 +3353,8 @@ ADMX Info:
-
-
+
+
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.
@@ -3197,7 +3365,7 @@ If you disable this policy setting, flip ahead with page prediction is turned on
If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3205,20 +3373,22 @@ If you don't configure this setting, users can turn this behavior on or off, usi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the flip ahead with page prediction feature*
- GP name: *Advanced_DisableFlipAhead*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableHomePageChange**
-
+
Home
@@ -3240,8 +3410,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3249,15 +3419,15 @@ ADMX Info:
-
-
+
+
The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.
If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.
If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3265,20 +3435,22 @@ If you disable or do not configure this policy setting, the Home page box is ena
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable changing home page settings*
- GP name: *RestrictHomePage*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableIgnoringCertificateErrors**
-
+
Home
@@ -3300,8 +3472,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3310,9 +3482,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.
+
+If you enable this policy setting, the user cannot continue browsing.
+
+If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
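Review bot: in the added DisableIgnoringCertificateErrors description, "If you enable this policy setting, the user cannot continue browsing." reads as if browsing stops altogether. The first added sentence scopes the setting to certificate errors that interrupt browsing, so the enabled case should say the user cannot continue to the site that raised the error. The three example errors ("expired", "revoked", "name mismatch") are introduced with "such as"; if the setting covers every certificate error, say so explicitly.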
@@ -3320,20 +3498,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent ignoring certificate errors*
- GP name: *NoCertError*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableInPrivateBrowsing**
-
+
Home
@@ -3355,8 +3535,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3365,9 +3545,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to turn off the InPrivate Browsing feature.
+
+InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data.
+
+If you enable this policy setting, InPrivate Browsing is turned off.
+
+If you disable this policy setting, InPrivate Browsing is available for use.
+
+If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
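Review bot: the last added paragraph for DisableInPrivateBrowsing, "If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry.", leaves the unconfigured default unstated and does not name the registry location. State whether InPrivate Browsing is available when the setting is not configured, and either name the value or drop the registry reference, since an admin reading this cannot act on it as written.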
@@ -3375,20 +3565,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off InPrivate Browsing*
- GP name: *DisableInPrivateBrowsing*
- GP path: *Windows Components/Internet Explorer/Privacy*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableProcessesInEnhancedProtectedMode**
-
+
Home
@@ -3410,8 +3602,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3420,9 +3612,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
+
+Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
+
+If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
+
+If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
+
+If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
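Review bot: the added description says that enabling this setting turns 64-bit tab processes on, which is the opposite of what the node name DisableProcessesInEnhancedProtectedMode suggests. Add one sentence calling out that polarity, so an admin does not enable the node expecting to turn something off. The "Important:" paragraph would also read better as a `> [!IMPORTANT]` alert, matching the `> [!TIP]` alert that follows the description.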
@@ -3430,20 +3632,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows*
- GP name: *Advanced_EnableEnhancedProtectedMode64Bit*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableProxyChange**
-
+
Home
@@ -3465,8 +3669,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3475,15 +3679,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies if a user can change proxy settings.
If you enable this policy setting, the user will not be able to configure proxy settings.
If you disable or do not configure this policy setting, the user can configure proxy settings.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3491,20 +3695,22 @@ If you disable or do not configure this policy setting, the user can configure p
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent changing proxy settings*
- GP name: *RestrictProxy*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableSearchProviderChange**
-
+
Home
@@ -3526,8 +3732,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3536,15 +3742,15 @@ ADMX Info:
-
-
+
+
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
If you enable this policy setting, the user cannot change the default search provider.
If you disable or do not configure this policy setting, the user can change the default search provider.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3552,20 +3758,22 @@ If you disable or do not configure this policy setting, the user can change the
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent changing the default search provider*
- GP name: *NoSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableSecondaryHomePageChange**
-
+
Home
@@ -3587,8 +3795,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3597,17 +3805,17 @@ ADMX Info:
-
-
+
+
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.
If you disable or do not configure this policy setting, the user can add secondary home pages.
-Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
+Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
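Review bot: the `+` Note line wraps the policy name in typographic quotes (“Disable Changing Home Page Settings”), while other descriptions in this file quote names with ASCII quotes (for example "Welcome to Internet Explorer"). Use straight quotes here as well. The capitalization also differs from the GP English name listed for that policy, *Disable changing home page settings*; quoting the name exactly as it appears there makes it easier to find.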
@@ -3615,20 +3823,22 @@ Note: If the Disable Changing Home Page Settings policy is enabled, the user can
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable changing secondary home page settings*
- GP name: *SecondaryHomePages*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableSecuritySettingsCheck**
-
+
Home
@@ -3650,8 +3860,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3660,9 +3870,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.
+
+If you enable this policy setting, the feature is turned off.
+
+If you disable or do not configure this policy setting, the feature is turned on.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3670,20 +3886,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the Security Settings Check feature*
- GP name: *Disable_Security_Settings_Check*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DisableUpdateCheck**
-
+
Home
@@ -3705,8 +3923,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3714,8 +3932,8 @@ ADMX Info:
-
-
+
+
Prevents Internet Explorer from checking whether a new version of the browser is available.
If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.
@@ -3724,7 +3942,7 @@ If you disable this policy or do not configure it, Internet Explorer checks ever
This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3732,20 +3950,22 @@ This policy is intended to help the administrator maintain version control for I
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disable Periodic Check for Internet Explorer software updates*
- GP name: *NoUpdateCheck*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode**
-
+
Home
@@ -3767,8 +3987,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3777,9 +3997,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode.
+
+Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
+
+When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.
+
+If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode.
+
+If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
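Review bot: the first and third added paragraphs of the DoNotAllowActiveXControlsInProtectedMode description describe the same notification twice, with different wording for the option offered ("run the website in regular Protected Mode" versus "disable Enhanced Protected Mode for that particular website"). Keep one of them and use a single phrasing, so it is clear these are the same prompt. It would also help to state the compatibility consequence of enabling the setting: sites that need an incompatible ActiveX control get no fallback.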
@@ -3787,20 +4017,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled*
- GP name: *Advanced_DisableEPMCompat*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotAllowUsersToAddSites**
-
+
Home
@@ -3822,8 +4054,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3831,8 +4063,8 @@ ADMX Info:
-
-
+
+
Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
@@ -3845,7 +4077,7 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad
Also, see the "Security zones: Use only machine settings" policy.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3853,20 +4085,22 @@ Also, see the "Security zones: Use only machine settings" policy.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Do not allow users to add/delete sites*
- GP name: *Security_zones_map_edit*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotAllowUsersToChangePolicies**
-
+
Home
@@ -3888,8 +4122,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3897,8 +4131,8 @@ ADMX Info:
-
-
+
+
Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
@@ -3911,7 +4145,7 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm
Also, see the "Security zones: Use only machine settings" policy.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3919,20 +4153,22 @@ Also, see the "Security zones: Use only machine settings" policy.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Do not allow users to change policies*
- GP name: *Security_options_edit*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotBlockOutdatedActiveXControls**
-
+
Home
@@ -3954,8 +4190,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3964,8 +4200,8 @@ ADMX Info:
-
-
+
+
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.
@@ -3974,7 +4210,7 @@ If you disable or don't configure this policy setting, Internet Explorer continu
For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -3982,20 +4218,22 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
- GP name: *VerMgmtDisable*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains**
-
+
Home
@@ -4017,8 +4255,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4027,8 +4265,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
@@ -4041,7 +4279,7 @@ If you disable or don't configure this policy setting, the list is deleted and I
For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4049,20 +4287,22 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
- GP name: *VerMgmtDomainAllowlist*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IncludeAllLocalSites**
-
+
Home
@@ -4084,8 +4324,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4094,8 +4334,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
@@ -4104,7 +4344,7 @@ If you disable this policy setting, local sites which are not explicitly mapped
If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4112,20 +4352,22 @@ If you do not configure this policy setting, users choose whether to force local
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
- GP name: *IZ_IncludeUnspecifiedLocalSites*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IncludeAllNetworkPaths**
-
+
Home
@@ -4147,8 +4389,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4157,8 +4399,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
If you enable this policy setting, all network paths are mapped into the Intranet Zone.
@@ -4167,7 +4409,7 @@ If you disable this policy setting, network paths are not necessarily mapped int
If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4175,20 +4417,22 @@ If you do not configure this policy setting, users choose whether network paths
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Intranet Sites: Include all network paths (UNCs)*
- GP name: *IZ_UNCAsIntranet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowAccessToDataSources**
-
+
Home
@@ -4210,8 +4454,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4220,8 +4464,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -4230,7 +4474,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4238,20 +4482,22 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -4273,8 +4519,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4283,8 +4529,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -4293,7 +4539,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4301,20 +4547,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -4336,8 +4584,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4346,15 +4594,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4362,20 +4610,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowCopyPasteViaScript**
-
+
Home
@@ -4397,8 +4647,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4407,9 +4657,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
+
+If you enable this policy setting, a script can perform a clipboard operation.
+
+If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
+
+If you disable this policy setting, a script cannot perform a clipboard operation.
+
+If you do not configure this policy setting, a script can perform a clipboard operation.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
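Review bot: the added Prompt sentence ("If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.") sits in its own paragraph, so it does not say that Prompt is an option of the enabled state. The other Internet Zone descriptions in this file attach it to the "If you enable this policy setting" sentence; suggest doing the same here. The phrase "in a specified region" in the first added line is also never explained and should be defined or dropped.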
@@ -4417,20 +4677,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles**
-
+
Home
@@ -4452,8 +4714,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4462,9 +4724,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
+
+If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
+
+If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.
+
+If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4472,20 +4742,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowFontDownloads**
-
+
Home
@@ -4507,8 +4779,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4517,8 +4789,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -4527,7 +4799,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4535,20 +4807,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowLessPrivilegedSites**
-
+
Home
@@ -4570,8 +4844,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4580,8 +4854,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -4590,7 +4864,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4598,20 +4872,22 @@ If you do not configure this policy setting, Web sites from less privileged zone
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles**
-
+
Home
@@ -4633,8 +4909,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4643,9 +4919,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
+
+If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
+
+If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.
+
+If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4653,20 +4937,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -4688,8 +4974,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4698,8 +4984,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -4708,7 +4994,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4716,20 +5002,22 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls**
-
+
Home
@@ -4751,8 +5039,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4761,9 +5049,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
+
+If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.
+
+If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
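Review bot: the added description documents only the enabled and disabled states and has no "If you do not configure this policy setting" sentence, unlike the neighbouring Internet Zone entries. Because the disabled state means "ActiveX controls can run from all sites in this zone" with no per-site prompt, the unconfigured behaviour should be stated so an admin can tell whether leaving the policy unset keeps the prompt.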
@@ -4771,20 +5065,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
-
+
Home
@@ -4806,8 +5102,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4816,9 +5112,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
+
+If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
+
+If you disable this policy setting, the TDC Active X control will run from all sites in this zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
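Review bot: the disable sentence spells it "TDC Active X control" while the two sentences above use "TDC ActiveX control"; use one spelling. The description also omits the not-configured case and never expands TDC. Since the policy name begins with "AllowOnlyApprovedDomains" but the enable text says the control "will not run from websites in this zone", a sentence making explicit that Enabled is the blocking state would help.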
@@ -4826,20 +5128,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowScriptInitiatedWindows**
-
+
Home
@@ -4861,8 +5165,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4871,9 +5175,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.
+
+If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.
+
+If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
+
+If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
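Review bot: the added disable and not-configured paragraphs are word-for-word identical; collapse them into a single "If you disable or do not configure this policy setting, ..." paragraph, as the file-download entry earlier in this file does. In the same text, "the possible harmful actions" should read "the possibly harmful actions".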
@@ -4881,20 +5193,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls**
-
+
Home
@@ -4916,8 +5230,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4926,9 +5240,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether a page can control embedded WebBrowser controls via script.
+
+If you enable this policy setting, script access to the WebBrowser control is allowed.
+
+If you disable this policy setting, script access to the WebBrowser control is not allowed.
+
+If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4936,20 +5258,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowScriptlets**
-
+
Home
@@ -4971,8 +5295,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -4981,8 +5305,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -4991,7 +5315,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -4999,20 +5323,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowSmartScreenIE**
-
+
Home
@@ -5034,8 +5360,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5044,8 +5370,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -5056,7 +5382,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5064,20 +5390,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript**
-
+
Home
@@ -5099,8 +5427,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5109,9 +5437,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether script is allowed to update the status bar within the zone.
+
+If you enable this policy setting, script is allowed to update the status bar.
+
+If you disable or do not configure this policy setting, script is not allowed to update the status bar.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5119,20 +5453,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneAllowUserDataPersistence**
-
+
Home
@@ -5154,8 +5490,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5164,8 +5500,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -5174,7 +5510,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5182,20 +5518,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -5217,8 +5555,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5227,9 +5565,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
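Review bot: this policy is negatively phrased, so Enabled is the less protective state ("If you enable this policy setting, Internet Explorer won't check with your antimalware program"); say so explicitly near the first sentence, because an admin skimming for "enable" can easily turn the check off by mistake. The not-configured paragraph says Internet Explorer "always checks" and then that users can turn the behavior on or off, which cannot both hold; "checks by default" would be accurate. The contractions (they're, won't, don't) also differ from the "do not" wording used in the rest of the file.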
@@ -5237,20 +5583,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneDownloadSignedActiveXControls**
-
+
Home
@@ -5272,8 +5620,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5282,9 +5630,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.
+
+If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
+
+If you disable the policy setting, signed controls cannot be downloaded.
+
+If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
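Review bot: the added text switches between "If you enable this policy", "If you disable the policy setting" and "this policy setting"; use "this policy setting" throughout, as the other entries do. The enable paragraph also states that signed controls download "without user intervention" and then describes Prompt, without saying that Prompt is a separate drop-down choice that replaces the silent download for untrusted publishers; one clause would make that clear.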
@@ -5292,20 +5648,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls**
-
+
Home
@@ -5327,8 +5685,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5337,9 +5695,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
+
+If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
+
+If you disable this policy setting, users cannot run unsigned controls.
+
+If you do not configure this policy setting, users cannot run unsigned controls.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
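Review bot: the added text for InternetZoneDownloadUnsignedActiveXControls opens with whether users "may download unsigned ActiveX controls", but the enabled, disabled and not-configured sentences all describe whether users can "run unsigned controls". Pick one verb and use it throughout, preferably "download" to match the GP English name *Download unsigned ActiveX controls*. Otherwise a reader cannot tell whether a disabled setting still lets an already-installed unsigned control run.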
@@ -5347,20 +5713,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter**
-
+
Home
@@ -5382,8 +5750,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5392,9 +5760,15 @@ ADMX Info:
-
-
-
+
+
+This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
+
+If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
+
+If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
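Review bot: the added XSS Filter description covers only the enabled and disabled states and has no "If you do not configure this policy setting" sentence, which every neighbouring Internet Zone entry in this change carries. Add the default so an admin can tell what an unmanaged device does. In the disabled sentence, "Internet Explorer permits cross-site script injections" would be clearer as "does not attempt to block".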
@@ -5402,20 +5776,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
-
+
Home
@@ -5437,8 +5813,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5447,9 +5823,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.
+
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting.
+
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
+
+In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
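Review bot: in the added "click Disable" sentence, "when both the source and destination are in different windows" has a stray "both" that the other four sentences do not use; drop it so the condition reads the same everywhere. The lock-down wording also drifts from the within-window entry added later in this patch: here it is "Users cannot change this setting", there it is "Users cannot change this setting in the Internet Options dialog". Use one phrasing in both entries.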
@@ -5457,20 +5843,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
-
+
Home
@@ -5492,8 +5880,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5502,9 +5890,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.
+
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.
+
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
+
+In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5512,20 +5910,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableMIMESniffing**
-
+
Home
@@ -5547,8 +5947,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5557,9 +5957,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.
+
+If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.
+
+If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.
+
+If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
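Review bot: the polarity of the added MIME sniffing text is easy to misread. Enabling the policy means "the MIME Sniffing Safety Feature will not apply in this zone", and the not-configured state is described the same way, so Enabled is the less protective choice. State that in the first paragraph. The disabled sentence says "the actions that may be harmful cannot run" without ever naming those actions; replace it with what is actually blocked (file promotion based on a MIME sniff, per the opening sentence).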
@@ -5567,20 +5975,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneEnableProtectedMode**
-
+
Home
@@ -5602,8 +6012,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5612,9 +6022,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
+
+If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode.
+
+If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode.
+
+If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5622,20 +6040,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer**
-
+
Home
@@ -5657,8 +6077,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5667,9 +6087,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
+
+If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.
+
+If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.
+
+If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5677,20 +6105,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -5712,8 +6142,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5722,8 +6152,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -5734,7 +6164,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5742,20 +6172,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
-
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5817,9 +6252,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, the permission is set to High Safety.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
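Review bot: the added Java permissions text lists five drop-down options, but the formatting hides them. "Custom, to control permissions settings individually." is a sentence fragment, and "Disable Java to prevent any applets from running." is tacked onto the High Safety paragraph as if it were part of that option. Make this a bulleted list with one item each for Custom, Low Safety, Medium Safety, High Safety and Disable Java, so the not-configured default ("High Safety") can be matched to an entry.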
@@ -5827,20 +6276,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME**
-
+
Home
@@ -5862,8 +6313,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5872,9 +6323,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
+
+If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
+
+If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
+
+If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -5882,20 +6341,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneLogonOptions**
-
+
Home
@@ -5917,8 +6378,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5927,9 +6388,25 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage settings for logon options.
+
+If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
+
+If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
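Review bot: the four logon options in the added text run the option name straight into its description ("Anonymous logon to disable HTTP authentication ...", "Automatic logon only in Intranet zone to query users ..."), so it is hard to see where each name ends. Put the options in a bulleted list with the option name set off from its description. The disabled and not-configured sentences are identical and can be merged into one "If you disable or do not configure this policy setting" sentence.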
@@ -5937,20 +6414,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Logon options*
- GP name: *IZ_PolicyLogon_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneNavigateWindowsAndFrames**
-
+
Home
@@ -5972,8 +6451,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -5982,8 +6461,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
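Review bot: the unchanged context line in this hunk still reads "windows and frames from othe domains", and the same typo recurs in the not-configured sentence of the next hunk. Since this patch already touches the lines on either side, fix "othe" to "other" in both places in the same pass.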
@@ -5992,7 +6471,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6000,20 +6479,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
-
+
Home
@@ -6035,8 +6516,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6045,9 +6526,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
+
+If you disable this policy setting, Internet Explorer will not execute signed managed components.
+
+If you do not configure this policy setting, Internet Explorer will execute signed managed components.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6055,20 +6544,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles**
-
+
Home
@@ -6090,8 +6581,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6100,9 +6591,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
+
+If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.
+
+If you disable this policy setting, these files do not open.
+
+If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6110,20 +6609,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/InternetZoneUsePopupBlocker**
-
+
Home
@@ -6145,8 +6646,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6155,9 +6656,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
+
+If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.
+
+If you disable this policy setting, pop-up windows are not prevented from appearing.
+
+If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6165,20 +6674,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowAccessToDataSources**
-
+
Home
@@ -6200,8 +6711,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6210,8 +6721,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -6220,7 +6731,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6228,20 +6739,22 @@ If you do not configure this policy setting, users are queried to choose whether
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -6263,8 +6776,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6273,8 +6786,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -6283,7 +6796,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6291,20 +6804,22 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -6326,8 +6841,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6336,15 +6851,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
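Review bot: the context lines in this hunk give the same outcome for every state: "If you enable this setting, users will receive a file download dialog for automatic download attempts" and "If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts". One of the two is wrong as written, and this patch reflows the section without correcting it. Confirm the disabled behaviour against inetres.admx and correct the sentence before merging.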
@@ -6352,20 +6867,22 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowFontDownloads**
-
+
Home
@@ -6387,8 +6904,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6397,8 +6914,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -6407,7 +6924,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6415,20 +6932,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowLessPrivilegedSites**
-
+
Home
@@ -6450,8 +6969,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6460,8 +6979,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -6470,7 +6989,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6478,20 +6997,22 @@ If you do not configure this policy setting, Web sites from less privileged zone
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -6513,8 +7034,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6523,8 +7044,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -6533,7 +7054,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6541,20 +7062,22 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowScriptlets**
-
+
Home
@@ -6576,8 +7099,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6586,8 +7109,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -6596,7 +7119,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6604,20 +7127,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowSmartScreenIE**
-
+
Home
@@ -6639,8 +7164,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6649,8 +7174,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -6661,7 +7186,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6669,20 +7194,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneAllowUserDataPersistence**
-
+
Home
@@ -6704,8 +7231,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6714,8 +7241,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -6724,7 +7251,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6732,20 +7259,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -6767,8 +7296,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6777,9 +7306,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
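Review bot: The added description leaves the reader to work out that this negatively named policy removes a protection when it is enabled: Enabled means Internet Explorer "won't check with your antimalware program", and the not-configured case also leaves the check off. Please state explicitly that Disabled is the only value that keeps the antimalware check always on. The new paragraphs also use contractions ("won't", "they're", "don't") where the neighbouring descriptions write "do not configure"; match the file's existing style.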
@@ -6787,20 +7324,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -6822,8 +7361,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6832,8 +7371,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -6844,7 +7383,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6852,20 +7391,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneJavaPermissions**
-
+
Home
@@ -6887,8 +7428,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6897,9 +7438,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, the permission is set to Medium Safety.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
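Review bot: The added option text for Java permissions is fragmented. "Custom, to control permissions settings individually." is not a sentence, and "Disable Java to prevent any applets from running." sits on the High Safety line, where it reads as an instruction rather than as one of the drop-down choices. Suggest a bulleted list with one entry each for Custom, Low Safety, Medium Safety, High Safety and Disable Java, so the available values are unambiguous.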
@@ -6907,20 +7462,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/IntranetZoneNavigateWindowsAndFrames**
-
+
Home
@@ -6942,8 +7499,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -6952,8 +7509,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
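Review bot: Typo in the enabled-case sentence: "from othe domains" should be "from other domains". The not-configured sentence for this policy carries the same typo; fix both while these lines are in the diff.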
@@ -6962,7 +7519,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -6970,20 +7527,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
-
+
Home
@@ -7005,8 +7564,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7015,8 +7574,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
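Review bot: The opening sentence describes access to data "from another security zone", but the enabled case describes access to data "from another site in the zone". These are different scopes, and the GP English name ("Access data sources across domains") suggests a third. Please make the sentences agree on what the policy governs.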
@@ -7025,7 +7584,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7033,20 +7592,22 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -7068,8 +7629,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7078,8 +7639,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -7088,7 +7649,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7096,20 +7657,22 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -7131,8 +7694,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7141,15 +7704,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
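Review bot: The Local Machine Zone description has the same defect as the Intranet Zone text for this policy: the enabled sentence and the "disable or do not configure" sentence both end in "users will receive a file download dialog for automatic download attempts", so it never says what disabling does. Correct the second sentence here as well.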
@@ -7157,20 +7720,22 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowFontDownloads**
-
+
Home
@@ -7192,8 +7757,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7202,8 +7767,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -7212,7 +7777,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7220,20 +7785,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites**
-
+
Home
@@ -7255,8 +7822,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7265,8 +7832,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -7275,7 +7842,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7283,20 +7850,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -7318,8 +7887,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7328,8 +7897,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -7338,7 +7907,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7346,20 +7915,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowScriptlets**
-
+
Home
@@ -7381,8 +7952,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7391,8 +7962,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -7401,7 +7972,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7409,20 +7980,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowSmartScreenIE**
-
+
Home
@@ -7444,8 +8017,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7454,8 +8027,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -7466,7 +8039,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7474,20 +8047,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneAllowUserDataPersistence**
-
+
Home
@@ -7509,8 +8084,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7519,8 +8094,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -7529,7 +8104,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7537,20 +8112,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -7572,8 +8149,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7582,9 +8159,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
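Review bot: The added description for LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls never says which state is the protective one. Because the policy name is negative, "enable" turns the antimalware check off, and the "don't configure" paragraph describes the same no-check behaviour, so only "disable" forces the check. Suggest adding one sentence that says so directly, for example after the "If you disable" paragraph. Minor style point: the new paragraphs use contractions ("won't", "they're", "don't") while the neighbouring policy descriptions use "do not" and "cannot".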
@@ -7592,20 +8177,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -7627,8 +8214,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7637,8 +8224,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -7649,7 +8236,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7657,20 +8244,22 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneJavaPermissions**
-
+
Home
@@ -7692,8 +8281,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7702,9 +8291,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, the permission is set to Medium Safety.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
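Review bot: The option descriptions in the added Java permissions text are broken into sentence fragments: "Custom, to control permissions settings individually." is not a sentence, and "Disable Java to prevent any applets from running." is appended to the High Safety paragraph as if it were part of that option. Suggest a bulleted list with one entry each for Custom, Low Safety, Medium Safety, High Safety and Disable Java. The text also refers to "the drop-down box", which is Group Policy editor wording, while the TIP directly below says this policy is set through SyncML. It would help to say how the option is expressed in that case.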
@@ -7712,20 +8315,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames**
-
+
Home
@@ -7747,8 +8352,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7757,8 +8362,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
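Review bot: The context line "users can open windows and frames from othe domains" has a typo ("othe" for "other") that this change leaves in place. The same typo is in the "If you do not configure" sentence for this policy and in the identical text under LockedDownInternetZoneNavigateWindowsAndFrames. Since the surrounding markers are being rewritten anyway, it is worth fixing in the same commit.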
@@ -7767,7 +8372,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7775,20 +8380,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources**
-
+
Home
@@ -7810,8 +8417,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7820,8 +8427,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
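Review bot: The description in this hunk's context lines is inconsistent about scope. The first sentence says Internet Explorer can "access data from another security zone", while the enable sentence says "access data from another site in the zone", and the GP English name for the policy is "Access data sources across domains". Suggest picking one wording (zone, site or domain) so a reader can tell what boundary the setting actually controls.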
@@ -7830,7 +8437,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7838,20 +8445,22 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -7873,8 +8482,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7883,8 +8492,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -7893,7 +8502,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7901,20 +8510,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -7936,8 +8547,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -7946,15 +8557,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -7962,20 +8573,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowFontDownloads**
-
+
Home
@@ -7997,8 +8610,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8007,8 +8620,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -8017,7 +8630,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8025,20 +8638,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites**
-
+
Home
@@ -8060,8 +8675,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8070,8 +8685,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -8080,7 +8695,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8088,20 +8703,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -8123,8 +8740,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8133,8 +8750,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -8143,7 +8760,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8151,20 +8768,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
-
+
Home
@@ -8186,8 +8805,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8196,8 +8815,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -8206,7 +8825,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8214,20 +8833,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
-
+
Home
@@ -8249,8 +8870,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8259,8 +8880,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -8271,7 +8892,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8279,20 +8900,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
-
+
Home
@@ -8314,8 +8937,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8324,8 +8947,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -8334,7 +8957,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8342,20 +8965,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -8377,8 +9002,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8387,8 +9012,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -8399,7 +9024,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8407,20 +9032,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneJavaPermissions**
-
+
Home
@@ -8442,8 +9069,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8452,9 +9079,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
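Review bot: In the added Locked-Down Internet Zone Java text, the disabled case ("Java applets cannot run") and the unconfigured case ("Java applets are disabled") describe what reads as the same outcome in two different ways. If the unconfigured default is the Disable Java option, say that explicitly, as the Local Machine Zone text does with "the permission is set to Medium Safety". The option list also has the same sentence fragments as the Local Machine Zone description ("Custom, to control permissions settings individually." and the trailing "Disable Java to prevent any applets from running.").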
@@ -8462,20 +9103,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
-
+
Home
@@ -8497,8 +9140,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8507,8 +9150,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
@@ -8517,7 +9160,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8525,20 +9168,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
-
+
Home
@@ -8560,8 +9205,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8570,8 +9215,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -8580,7 +9225,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8588,20 +9233,22 @@ If you do not configure this policy setting, users are queried to choose whether
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -8623,8 +9270,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8633,8 +9280,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -8643,7 +9290,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8651,20 +9298,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -8686,8 +9335,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8696,15 +9345,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
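
Review bot: style point on the first description line of this hunk, "prompted for non user-initiated file downloads": the compound is unhyphenated here, while the third sentence of the same description uses "file downloads that are not user-initiated". Suggest "non-user-initiated" or reusing the "not user-initiated" wording so the two sentences match. The identical text appears under the Locked-Down Local Machine Zone entry and should get the same fix.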
@@ -8712,20 +9361,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
-
+
Home
@@ -8747,8 +9398,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8757,8 +9408,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -8767,7 +9418,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8775,20 +9426,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
-
+
Home
@@ -8810,8 +9463,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8820,8 +9473,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -8830,7 +9483,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8838,20 +9491,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -8873,8 +9528,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8883,8 +9538,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -8893,7 +9548,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8901,20 +9556,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
-
+
Home
@@ -8936,8 +9593,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -8946,8 +9603,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -8956,7 +9613,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -8964,20 +9621,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
-
+
Home
@@ -8999,8 +9658,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9009,8 +9668,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -9021,7 +9680,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
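
Review bot: the "Note: In Internet Explorer 7, ..." line at the top of this hunk is plain paragraph text, while the lines directly below it use the alert syntax (`> [!TIP]`). Suggest converting it to a `> [!NOTE]` block so the version caveat about Phishing Filter renders consistently with the other callouts in this policy entry.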
@@ -9029,20 +9688,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
-
+
Home
@@ -9064,8 +9725,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9074,8 +9735,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -9084,7 +9745,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9092,20 +9753,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -9127,8 +9790,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9137,8 +9800,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
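Review bot: in the last context line of this hunk, the warning "This setting is not recommended, except for secure and administered zones" is buried in the middle of the paragraph that describes the Enabled state. Because enabling causes "both unsafe and safe controls to be initialized and scripted", consider moving that sentence into its own alert block so it is not skimmed past. The option name in "ignoring the Script ActiveX controls marked safe for scripting option" is also unformatted and hard to parse; italicising the option name, as the GP English names are in the ADMX Info list, would help.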
@@ -9149,7 +9812,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9157,20 +9820,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
-
+
Home
@@ -9192,8 +9857,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9202,8 +9867,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
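Review bot: typo in the last context line of this hunk, "users can open windows and frames from othe domains"; it should read "other domains". The same misspelling is in the "If you do not configure this policy setting" sentence that opens the next hunk, so both can be fixed in this change while the section is being edited.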
@@ -9212,7 +9877,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9220,20 +9885,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
-
+
Home
@@ -9255,8 +9922,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9265,8 +9932,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
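Review bot: the two description lines in this hunk disagree on scope. The first says the setting governs access to "data from another security zone" via MSXML or ADO, while the second says enabling it lets a page "access data from another site in the zone". The GP English name further down is "Access data sources across domains", so the text should settle on one meaning (cross-zone, cross-site within the zone, or cross-domain) and use it in the enable, disable and not-configured sentences. The Locked-Down Intranet Zone entry earlier in the file carries the same "another site in the zone" wording.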
@@ -9275,7 +9942,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9283,20 +9950,22 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -9318,8 +9987,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9328,8 +9997,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -9338,7 +10007,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9346,20 +10015,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -9381,8 +10052,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9391,15 +10062,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9407,20 +10078,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads**
-
+
Home
@@ -9442,8 +10115,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9452,8 +10125,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -9462,7 +10135,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9470,20 +10143,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites**
-
+
Home
@@ -9505,8 +10180,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9515,8 +10190,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -9525,7 +10200,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9533,20 +10208,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -9568,8 +10245,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9578,8 +10255,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -9588,7 +10265,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9596,20 +10273,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets**
-
+
Home
@@ -9631,8 +10310,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9641,8 +10320,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -9651,7 +10330,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9659,20 +10338,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE**
-
+
Home
@@ -9694,8 +10375,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9704,8 +10385,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -9716,7 +10397,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9724,20 +10405,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence**
-
+
Home
@@ -9759,8 +10442,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9769,8 +10452,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -9779,7 +10462,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9787,20 +10470,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -9822,8 +10507,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9832,8 +10517,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -9844,7 +10529,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9852,20 +10537,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions**
-
+
Home
@@ -9887,8 +10574,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9897,9 +10584,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
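Review bot: the option list added under "If you enable this policy setting" reads as fragments. "Custom, to control permissions settings individually." is not a sentence, and "Disable Java to prevent any applets from running." is appended to the High Safety line although it describes a separate drop-down choice. Suggest a bulleted list with one entry per option (Custom, Low Safety, Medium Safety, High Safety, Disable Java). The last two added sentences also use different wording for the disabled and not-configured states ("cannot run" and "are disabled") for what appears to be the same outcome; one phrasing for both would avoid readers assuming a difference.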
@@ -9907,20 +10608,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames**
-
+
Home
@@ -9942,8 +10645,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -9952,8 +10655,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
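Review bot: the context line "users can open windows and frames from othe domains" has a typo ("othe" for "other"), and the same typo appears in the "If you do not configure this policy setting" sentence in the next hunk. Neither line is changed by this patch, but both sit inside the sections being reworked, so it is worth fixing them in the same commit.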
@@ -9962,7 +10665,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -9970,20 +10673,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources**
-
+
Home
@@ -10005,8 +10710,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10015,8 +10720,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -10025,7 +10730,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10033,20 +10738,22 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -10068,8 +10775,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10078,8 +10785,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -10088,7 +10795,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10096,20 +10803,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -10131,8 +10840,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10141,15 +10850,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10157,20 +10866,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads**
-
+
Home
@@ -10192,8 +10903,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10202,8 +10913,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -10212,7 +10923,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10220,20 +10931,22 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites**
-
+
Home
@@ -10255,8 +10968,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10265,8 +10978,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -10275,7 +10988,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10283,20 +10996,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -10318,8 +11033,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10328,8 +11043,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -10338,7 +11053,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10346,20 +11061,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets**
-
+
Home
@@ -10381,8 +11098,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10391,8 +11108,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -10401,7 +11118,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10409,20 +11126,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE**
-
+
Home
@@ -10444,8 +11163,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10454,8 +11173,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -10466,7 +11185,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10474,20 +11193,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence**
-
+
Home
@@ -10509,8 +11230,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10519,8 +11240,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -10529,7 +11250,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10537,20 +11258,22 @@ If you do not configure this policy setting, users cannot preserve information i
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -10572,8 +11295,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10582,8 +11305,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -10594,7 +11317,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10602,20 +11325,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions**
-
+
Home
@@ -10637,8 +11362,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10647,9 +11372,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
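Review bot: the description added here for the Locked-Down Restricted Sites Zone is word-for-word the text added earlier in this patch for LockedDownLocalMachineZoneJavaPermissions, including the not-configured default ("Java applets are disabled"). Other policies in this patch state different defaults per zone (for example, Userdata persistence is "users can preserve" for the Local Machine zone and "users cannot preserve" for Restricted Sites), so please confirm the default sentence against the explain text for IZ_PolicyJavaPermissions_8 rather than relying on the copy. The fragment "Custom, to control permissions settings individually." and the "Disable Java" option merged into the High Safety line should also be split into a proper option list.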
@@ -10657,20 +11396,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames**
-
+
Home
@@ -10692,8 +11433,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10702,8 +11443,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
@@ -10712,7 +11453,7 @@ If you disable this policy setting, users cannot open other windows and frames f
If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10720,20 +11461,22 @@ If you do not configure this policy setting, users cannot open other windows and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources**
-
+
Home
@@ -10755,8 +11498,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10765,8 +11508,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -10775,7 +11518,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10783,20 +11526,22 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -10818,8 +11563,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10828,8 +11573,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -10838,7 +11583,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10846,20 +11591,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -10881,8 +11628,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10891,15 +11638,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10907,20 +11654,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads**
-
+
Home
@@ -10942,8 +11691,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -10952,8 +11701,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -10962,7 +11711,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -10970,20 +11719,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites**
-
+
Home
@@ -11005,8 +11756,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11015,8 +11766,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -11025,7 +11776,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11033,20 +11784,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -11068,8 +11821,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11078,8 +11831,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -11088,7 +11841,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11096,20 +11849,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets**
-
+
Home
@@ -11131,8 +11886,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11141,8 +11896,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -11151,7 +11906,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11159,20 +11914,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE**
-
+
Home
@@ -11194,8 +11951,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11204,8 +11961,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -11216,7 +11973,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11224,20 +11981,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence**
-
+
Home
@@ -11259,8 +12018,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11269,8 +12028,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -11279,7 +12038,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11287,20 +12046,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -11322,8 +12083,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11332,8 +12093,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -11344,7 +12105,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11352,20 +12113,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions**
-
+
Home
@@ -11387,8 +12150,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11397,9 +12160,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
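Review bot: The option descriptions in the added Java permissions text are hard to parse as running prose. "Custom, to control permissions settings individually." is a sentence fragment, and the "High Safety" line also carries the separate "Disable Java" option in the same paragraph. Suggest a bulleted list with one entry per drop-down option (Custom, Low Safety, Medium Safety, High Safety, Disable Java) so each choice and its effect can be read on its own. The disabled and not-configured sentences describe the same outcome in different words ("cannot run" and "are disabled"); use one wording for both.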
@@ -11407,20 +12184,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames**
-
+
Home
@@ -11442,8 +12221,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11452,8 +12231,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
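Review bot: The context line in this hunk reads "windows and frames from othe domains"; "othe" should be "other". The section is already being touched for whitespace, so the typo can be fixed in the same change.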
@@ -11462,7 +12241,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11470,20 +12249,22 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses**
-
+
Home
@@ -11505,8 +12286,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11515,9 +12296,17 @@ ADMX Info:
-
-
-
+
+
+The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail.
+
+If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
+
+If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.
+
+If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
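Review bot: "reduces attack surface area by preventing the MK protocol" in the first added sentence is unclear, since a protocol is blocked or disabled rather than prevented. Suggest "by blocking use of the MK protocol", with the same verb in the enabled and not-configured sentences ("the MK Protocol is prevented for File Explorer and Internet Explorer"). The casing also alternates between "MK protocol" and "MK Protocol" within the hunk; pick one.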
@@ -11525,20 +12314,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_3*
- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses**
-
+
Home
@@ -11560,8 +12351,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11570,9 +12361,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.
+
+If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
+
+If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.
+
+If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11580,20 +12379,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_6*
- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/NotificationBarInternetExplorerProcesses**
-
+
Home
@@ -11615,8 +12416,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11625,9 +12426,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes.
+
+If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes.
+
+If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes.
+
+If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
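Review bot: Capitalization is inconsistent in the added description: the enabled and not-configured sentences say "Internet Explorer Processes" while the intro and disabled sentences say "Internet Explorer processes". Use lowercase "processes" throughout the description and keep the capitalized form only where it quotes the GP English name.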
@@ -11635,20 +12444,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_10*
- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/PreventManagingSmartScreenFilter**
-
+
Home
@@ -11670,8 +12481,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11680,9 +12491,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware.
+
+If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.
+
+If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
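Review bot: The enabled-state sentence never says whether SmartScreen Filter ends up on or off. It says only that "the user is not prompted to turn on SmartScreen Filter", and the next sentence, about addresses being sent to Microsoft, implies the filter is on. State the resulting filter state explicitly, because an admin enabling this policy needs to know that it also causes website addresses not on the allow list to be sent to Microsoft without user consent.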
@@ -11690,20 +12507,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent managing SmartScreen Filter*
- GP name: *Disable_Managing_Safety_Filter_IE9*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/PreventPerUserInstallationOfActiveXControls**
-
+
Home
@@ -11725,8 +12544,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11735,9 +12554,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.
+
+If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis.
+
+If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -11745,20 +12570,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Prevent per-user installation of ActiveX controls*
- GP name: *DisablePerUserActiveXInstall*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses**
-
+
Home
@@ -11780,8 +12607,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11790,9 +12617,15 @@ ADMX Info:
-
-
-
+
+
+Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, and so on). For example, Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users.
+
+If you enable this policy setting, any zone can be protected from zone elevation for all processes.
+
+If you disable or do not configure this policy setting, processes other than Internet Explorer or those listed in the Process List receive no such protection.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
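Review bot: The added description does not match the policy it sits under. The policy is named ProtectionFromZoneElevationInternetExplorerProcesses, but the enabled sentence says "any zone can be protected from zone elevation for all processes", and the ADMX info below lists the GP English name as "All Processes" (IESF_PolicyAllProcesses_9). Either the description and ADMX mapping should be the Internet Explorer Processes variant, or the policy name is misleading and the text should say so. The description also never states what zone elevation is or what the protection blocks; one sentence on that would make the enable/disable choice meaningful.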
@@ -11800,20 +12633,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_9*
- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls**
-
+
Home
@@ -11835,8 +12670,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11845,9 +12680,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer.
+
+If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.
+
+If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.
+
+For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
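Review bot: The last added sentence, "For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.", points to a reference without a link. Make it a Markdown link to the target article, as the other references on this page are, or drop the sentence if no stable target exists.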
@@ -11855,20 +12698,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
- GP name: *VerMgmtDisableRunThisTime*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**
-
+
Home
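Review bot: The GP English name line in this hunk has a space before the closing asterisk ("...in Internet Explorer *"), so the emphasis does not close and the line renders with literal asterisks. Remove the trailing space inside the emphasis.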
@@ -11890,8 +12735,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11900,9 +12745,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation.
+
+If you enable this policy setting, the Web Browser Control will block automatic prompting of ActiveX control installation for all processes.
+
+If you disable or do not configure this policy setting, the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
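Review bot: The added sentences describe behavior "for all processes", and the ADMX info below maps to "All Processes" (IESF_PolicyAllProcesses_11), yet the policy is named RestrictActiveXInstallInternetExplorerProcesses. Confirm which scope this policy actually controls and align the description with it. Separately, "will not block automatic prompting of ActiveX control installation for all processes" is ambiguous (no blocking for any process, or blocking for some but not all); reword to say which.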
@@ -11910,20 +12761,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_11*
- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses**
-
+
Home
@@ -11945,8 +12798,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -11955,9 +12808,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that are not user initiated.
+
+If you enable this policy setting, the Web Browser Control will block automatic prompting of file downloads that are not user initiated for all processes.
+
+If you disable this policy setting, the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
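Review bot: The not-configured state is missing from the added description. The hunk covers "If you enable" and "If you disable" only, while the sibling policies in this file document all three states. Add the default behavior, or change the second sentence to "If you disable or do not configure" if the two are the same. The "for all processes" wording also conflicts with the InternetExplorerProcesses policy name here.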
@@ -11965,20 +12824,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_12*
- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources**
-
+
Home
@@ -12000,8 +12861,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12010,8 +12871,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -12020,7 +12881,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12028,20 +12889,22 @@ If you do not configure this policy setting, users cannot load a page in the zon
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowActiveScripting**
-
+
Home
@@ -12063,8 +12926,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12073,9 +12936,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether script code on pages in the zone is run.
+
+If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.
+
+If you disable this policy setting, script code on pages in the zone is prevented from running.
+
+If you do not configure this policy setting, script code on pages in the zone is prevented from running.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
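Review bot: The disabled and not-configured paragraphs added here state the same outcome in the same words (script code "is prevented from running"); merge them into one sentence beginning "If you disable or do not configure this policy setting", as the RestrictedSitesZoneAllowUpdatesToStatusBarViaScript description does. That also makes it plain that only the enabled state lets script run in this zone.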
@@ -12083,20 +12954,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow active scripting*
- GP name: *IZ_PolicyActiveScripting_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -12118,8 +12991,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12128,8 +13001,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -12138,7 +13011,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12146,20 +13019,22 @@ If you do not configure this policy setting, ActiveX control installations will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -12181,8 +13056,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12191,15 +13066,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12207,20 +13082,22 @@ If you disable or do not configure this setting, file downloads that are not use
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors**
-
+
Home
@@ -12242,8 +13119,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12252,9 +13129,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.
+
+If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.
+
+If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.
+
+If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12262,20 +13147,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow binary and script behaviors*
- GP name: *IZ_PolicyBinaryBehaviors_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript**
-
+
Home
@@ -12297,8 +13184,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12307,9 +13194,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
+
+If you enable this policy setting, a script can perform a clipboard operation.
+
+If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
+
+If you disable this policy setting, a script cannot perform a clipboard operation.
+
+If you do not configure this policy setting, a script cannot perform a clipboard operation.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
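Review bot: The Prompt sentence stands as its own paragraph between the enabled and disabled cases, so it reads as a separate policy state rather than a drop-down choice; append it to the "If you enable this policy setting" paragraph, as the active scripting and drag-and-drop descriptions do. "in a specified region" in the first sentence is never defined, so either say which region is meant or drop the phrase.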
@@ -12317,20 +13214,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles**
-
+
Home
@@ -12352,8 +13251,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12362,9 +13261,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
+
+If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
+
+If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.
+
+If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
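Review bot: The not-configured paragraph says users are queried, which means leaving this policy unset is less restrictive than Disabled, unlike the active scripting, file download and META REFRESH settings for the same zone, where not configured and disabled give the same result. State that explicitly, for example by adding that the policy has to be set to Disabled to prevent dragging or copying files from this zone.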
@@ -12372,20 +13279,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowFileDownloads**
-
+
Home
@@ -12407,8 +13316,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12417,9 +13326,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
+
+If you enable this policy setting, files can be downloaded from the zone.
+
+If you disable this policy setting, files are prevented from being downloaded from the zone.
+
+If you do not configure this policy setting, files are prevented from being downloaded from the zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12427,20 +13344,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow file downloads*
- GP name: *IZ_PolicyFileDownload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowFontDownloads**
-
+
Home
@@ -12462,8 +13381,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12472,8 +13391,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -12482,7 +13401,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12490,20 +13409,22 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites**
-
+
Home
@@ -12525,8 +13446,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12535,8 +13456,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -12545,7 +13466,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12553,20 +13474,22 @@ If you do not configure this policy setting, the possibly harmful navigations ar
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles**
-
+
Home
@@ -12588,8 +13511,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12598,9 +13521,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
+
+If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
+
+If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.
+
+If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12608,20 +13539,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH**
-
+
Home
@@ -12643,8 +13576,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12653,9 +13586,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
+
+If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.
+
+If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.
+
+If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12663,20 +13604,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow META REFRESH*
- GP name: *IZ_PolicyAllowMETAREFRESH_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -12698,8 +13641,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12708,8 +13651,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -12718,7 +13661,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -12726,20 +13669,22 @@ If you do not configure this policy setting, Internet Explorer will not execute
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls**
-
+
Home
@@ -12761,8 +13706,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12771,9 +13716,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
+
+If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.
+
+If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
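Review bot: The added description covers only the enabled and disabled states; there is no "If you do not configure this policy setting" sentence, which most of the neighbouring Restricted Sites Zone descriptions provide. Because the disabled state lets ActiveX controls run from all sites in the zone without the per-site prompt, say which of the two behaviours applies when the policy is left unset.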
@@ -12781,20 +13732,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
-
+
Home
@@ -12816,8 +13769,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12826,9 +13779,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
+
+If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
+
+If you disable this policy setting, the TDC Active X control will run from all sites in this zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
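Review bot: The description says enabling the policy stops the TDC ActiveX control from running in this zone and never mentions approved domains, although the policy is named AllowOnlyApprovedDomainsToUseTDCActiveXControl; explain how the approved-domains wording relates to the run or do-not-run behaviour so that an admin does not enable it expecting an allow list. The disabled sentence also spells the control "TDC Active X control" (use "ActiveX", as in the sentence before it), and the not-configured case is missing.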
@@ -12836,20 +13795,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows**
-
+
Home
@@ -12871,8 +13832,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12881,9 +13842,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.
+
+If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.
+
+If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
+
+If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
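Review bot: The enabled paragraph calls the feature "Windows Restrictions security" while the disabled and not-configured paragraphs refer to the "Scripted Windows Security Restrictions feature control setting"; use one name throughout so readers can tell it is the same feature. In the last two paragraphs, "the possible harmful actions" should read "the possibly harmful actions".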
@@ -12891,20 +13860,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls**
-
+
Home
@@ -12926,8 +13897,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12936,9 +13907,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether a page can control embedded WebBrowser controls via script.
+
+If you enable this policy setting, script access to the WebBrowser control is allowed.
+
+If you disable this policy setting, script access to the WebBrowser control is not allowed.
+
+If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
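Review bot: The not-configured paragraph gives the default as "allowed only in the Local Machine and Intranet zones" but does not spell out what that means for the zone this policy covers. Add that script access to the WebBrowser control is therefore not allowed by default in the Restricted Sites zone unless the user changes it.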
@@ -12946,20 +13925,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowScriptlets**
-
+
Home
@@ -12981,8 +13962,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -12991,8 +13972,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -13001,7 +13982,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13009,20 +13990,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE**
-
+
Home
@@ -13044,8 +14027,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13054,8 +14037,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -13066,7 +14049,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13074,20 +14057,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript**
-
+
Home
@@ -13109,8 +14094,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13119,9 +14104,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether script is allowed to update the status bar within the zone.
+
+If you enable this policy setting, script is allowed to update the status bar.
+
+If you disable or do not configure this policy setting, script is not allowed to update the status bar.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13129,20 +14120,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence**
-
+
Home
@@ -13164,8 +14157,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13174,8 +14167,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -13184,7 +14177,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13192,20 +14185,22 @@ If you do not configure this policy setting, users cannot preserve information i
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -13227,8 +14222,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13237,9 +14232,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
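Review bot: The not-configured paragraph in this added description contradicts itself: it says Internet Explorer "always checks" with the antimalware program and then that users can turn the behavior on or off. Suggest "checks by default" there. Because the policy name is negated (enabling it turns the check off), consider stating explicitly that Enabled is the state that skips the check.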
@@ -13247,20 +14250,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls**
-
+
Home
@@ -13282,8 +14287,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13292,9 +14297,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.
+
+If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
+
+If you disable the policy setting, signed controls cannot be downloaded.
+
+If you do not configure this policy setting, signed controls cannot be downloaded.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
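Review bot: The added text tells the reader to "select Prompt in the drop-down box", but this page documents an ADMX-backed policy that is set through SyncML (per the TIP that follows), where there is no drop-down. Suggest naming the options as values the policy can take, or pointing to where the corresponding data values are documented. The three paragraphs also alternate between "this policy", "the policy setting" and "this policy setting"; pick one.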
@@ -13302,20 +14315,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls**
-
+
Home
@@ -13337,8 +14352,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13347,9 +14362,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
+
+If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
+
+If you disable this policy setting, users cannot run unsigned controls.
+
+If you do not configure this policy setting, users cannot run unsigned controls.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
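Review bot: The first added sentence describes whether users may download unsigned ActiveX controls, while the enable, disable and not-configured paragraphs all talk about whether users can run them. Suggest using one verb throughout, or saying explicitly that the setting covers both download and execution, so the reader knows what is blocked when the policy is disabled.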
@@ -13357,20 +14380,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter**
-
+
Home
@@ -13392,8 +14417,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13402,9 +14427,15 @@ ADMX Info:
-
-
-
+
+
+This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
+
+If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
+
+If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
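Review bot: The added description covers Enabled and Disabled but has no "If you do not configure this policy setting" paragraph, which the neighbouring policies in this patch include. Suggest adding the not-configured behaviour for this zone. The Disabled sentence would also read better as the filter no longer attempting to block injections, rather than Internet Explorer "permits cross-site script injections".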
@@ -13412,20 +14443,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
-
+
Home
@@ -13447,8 +14480,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13457,9 +14490,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.
+
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting.
+
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
+
+In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
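Review bot: The added paragraphs give the disabled or not-configured behaviour for "Internet Explorer 10" and for "Internet Explorer 9 and earlier versions" only, so the behaviour on any later version is undocumented. Suggest stating the version range explicitly. In the "click Disable" paragraph, "when both the source and destination are in different windows" should drop "both" to match the other sentences.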
@@ -13467,20 +14510,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
-
+
Home
@@ -13502,8 +14547,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13512,9 +14557,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.
+
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.
+
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
+
+In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
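Review bot: The lock-down wording is inconsistent inside this hunk: the "click Enable" paragraph ends with "Users cannot change this setting." while the "click Disable" and Internet Explorer 9 paragraphs end with "Users cannot change this setting in the Internet Options dialog." Suggest one phrasing for all three so readers do not infer a difference in behaviour.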
@@ -13522,20 +14577,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing**
-
+
Home
@@ -13557,8 +14614,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13567,9 +14624,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.
+
+If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature.
+
+If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.
+
+If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
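Review bot: The Disabled and not-configured paragraphs say "the actions that may be harmful cannot run" without saying which actions; nothing earlier in the description introduces them. Suggest stating the effect in the terms the first paragraph uses, for example what happens to file promotion based on a MIME sniff in this zone. It would also help to call out that enabling a policy named Enable MIME Sniffing removes the MIME Sniffing Safety Feature, since that is easy to misread.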
@@ -13577,20 +14642,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer**
-
+
Home
@@ -13612,8 +14679,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13622,9 +14689,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
+
+If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.
+
+If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.
+
+If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
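Review bot: "he or she" in the not-configured paragraph should be reworded, for example "the user can choose whether path information is sent when uploading a file via an HTML form". Given that the first paragraph says the path can reveal the user name, it is also worth confirming that "By default, path information is sent" is the intended statement for the Restricted Sites zone.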
@@ -13632,20 +14707,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -13667,8 +14744,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13677,8 +14754,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -13689,7 +14766,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13697,20 +14774,22 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneJavaPermissions**
-
+
Home
@@ -13732,8 +14811,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13742,9 +14821,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, Java applets are disabled.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
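Review bot: The option descriptions are run into prose and two of them are fragments: "Custom, to control permissions settings individually." and "Disable Java to prevent any applets from running.", the latter tacked onto the High Safety paragraph. Suggest a bulleted list with one entry per option (Custom, Low Safety, Medium Safety, High Safety, Disable Java) so each name is clearly separated from its description.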
@@ -13752,20 +14845,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME**
-
+
Home
@@ -13787,8 +14882,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13797,9 +14892,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
+
+If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
+
+If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
+
+If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13807,20 +14910,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneLogonOptions**
-
+
Home
@@ -13842,8 +14947,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13852,9 +14957,25 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage settings for logon options.
+
+If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
+
+If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+If you do not configure this policy setting, logon is set to Prompt for username and password.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
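Review bot: Each option paragraph starts with the option name followed directly by its description ("Anonymous logon to disable HTTP authentication ..."), so the names are hard to pick out; suggest a bulleted list with the option names set off in bold or italics. The text also mixes "user name" and "username" (last added paragraph). Because the fourth option uses the user's network user name and password for NTLM logon, a short note on which option is appropriate for the Restricted Sites zone would help readers choosing a value.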
@@ -13862,20 +14983,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Logon options*
- GP name: *IZ_PolicyLogon_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames**
-
+
Home
@@ -13897,8 +15020,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13907,8 +15030,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
@@ -13917,7 +15040,7 @@ If you disable this policy setting, users cannot open other windows and frames f
If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -13925,20 +15048,22 @@ If you do not configure this policy setting, users cannot open other windows and
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins**
-
+
Home
@@ -13960,8 +15085,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -13970,9 +15095,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.
+
+If you enable this policy setting, controls and plug-ins can run without user intervention.
+
+If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.
+
+If you disable this policy setting, controls and plug-ins are prevented from running.
+
+If you do not configure this policy setting, controls and plug-ins are prevented from running.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
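Review bot: "If you selected Prompt" is in the past tense and split into its own paragraph, although it is a sub-case of enabling the policy; suggest "If you select Prompt in the drop-down box" joined to the Enabled paragraph. The same sentence has "the controls or plug-in", which should be "plug-ins".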
@@ -13980,20 +15115,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run ActiveX controls and plugins*
- GP name: *IZ_PolicyRunActiveXControls_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
-
+
Home
@@ -14015,8 +15152,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14025,9 +15162,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
+
+If you disable this policy setting, Internet Explorer will not execute signed managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute signed managed components.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14035,20 +15180,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting**
-
+
Home
@@ -14070,8 +15217,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14080,9 +15227,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.
+
+If you enable this policy setting, script interaction can occur automatically without user intervention.
+
+If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.
+
+If you disable this policy setting, script interaction is prevented from occurring.
+
+If you do not configure this policy setting, script interaction is prevented from occurring.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14090,20 +15247,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Script ActiveX controls marked safe for scripting*
- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets**
-
+
Home
@@ -14125,8 +15284,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14135,9 +15294,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether applets are exposed to scripts within the zone.
+
+If you enable this policy setting, scripts can access applets automatically without user intervention.
+
+If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.
+
+If you disable this policy setting, scripts are prevented from accessing applets.
+
+If you do not configure this policy setting, scripts are prevented from accessing applets.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14145,20 +15314,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Scripting of Java applets*
- GP name: *IZ_PolicyScriptingOfJavaApplets_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles**
-
+
Home
@@ -14180,8 +15351,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14190,9 +15361,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
+
+If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.
+
+If you disable this policy setting, these files do not open.
+
+If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
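Review bot: the added description for this Restricted Sites Zone policy uses an intranet file share as its example and ends with the defaults for five zones at once, so the reader has to pick out that the files are blocked by default in the Restricted zone. Suggest leading the not-configured paragraph with the Restricted zone default and moving the other zones' defaults into a trailing sentence.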
@@ -14200,20 +15379,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode**
-
+
Home
@@ -14235,8 +15416,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14245,9 +15426,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
+
+If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode.
+
+If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode.
+
+If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14255,20 +15444,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/RestrictedSitesZoneUsePopupBlocker**
-
+
Home
@@ -14290,8 +15481,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14300,9 +15491,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
+
+If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.
+
+If you disable this policy setting, pop-up windows are not prevented from appearing.
+
+If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14310,20 +15509,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses**
-
+
Home
@@ -14345,8 +15546,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14355,9 +15556,15 @@ ADMX Info:
-
-
-
+
+
+Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.
+
+If you enable this policy setting, scripted windows are restricted for all processes.
+
+If you disable or do not configure this policy setting, scripted windows are not restricted.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
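Review bot: in the first added paragraph, "obfuscate other Windows' title and status bars" capitalizes "Windows" as if it were the product name, and "obfuscate" reads oddly for one window covering another. Suggest "or that obscure other windows' title and status bars".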
@@ -14365,20 +15572,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_8*
- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/SearchProviderList**
-
+
Home
@@ -14400,8 +15609,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14410,15 +15619,15 @@ ADMX Info:
-
-
+
+
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14426,20 +15635,22 @@ If you disable or do not configure this policy setting, the user can configure h
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restrict search providers to a specific list*
- GP name: *SpecificSearchProvider*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/SecurityZonesUseOnlyMachineSettings**
-
+
Home
@@ -14461,8 +15672,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14470,9 +15681,19 @@ ADMX Info:
-
-
-
+
+
+Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.
+
+If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.
+
+If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings.
+
+This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user.
+
+Also, see the "Security zones: Do not allow users to change policies" policy.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
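Review bot: the last added line points to the "Security zones: Do not allow users to change policies" policy by its Group Policy display name only. This page is organised by CSP node name, so name the corresponding InternetExplorer/ node and link to its anchor; otherwise an MDM admin cannot find it from here.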
@@ -14480,20 +15701,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Security Zones: Use only machine settings *
- GP name: *Security_HKLM_only*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/SpecifyUseOfActiveXInstallerService**
-
+
Home
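Review bot: in the unchanged ADMX Info list of this hunk, the GP English name is written as "*Security Zones: Use only machine settings *" with a space before the closing asterisk, which stops Markdown from treating it as emphasis and leaves literal asterisks in the rendered page. The hunk already touches this block, so remove the trailing space here.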
@@ -14515,8 +15738,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14525,9 +15748,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to specify how ActiveX controls are installed.
+
+If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.
+
+If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14535,20 +15764,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify use of ActiveX Installer Service for installation of ActiveX controls*
- GP name: *OnlyUseAXISForActiveXInstall*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources**
-
+
Home
@@ -14570,8 +15801,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14580,8 +15811,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -14590,7 +15821,7 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14598,20 +15829,22 @@ If you do not configure this policy setting, users can load a page in the zone t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
+
Home
@@ -14633,8 +15866,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14643,8 +15876,8 @@ ADMX Info:
-
-
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -14653,7 +15886,7 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14661,20 +15894,22 @@ If you do not configure this policy setting, users will receive a prompt when a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
+
Home
@@ -14696,8 +15931,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14706,15 +15941,15 @@ ADMX Info:
-
-
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
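Review bot: the two unchanged description lines in this hunk give the same outcome for enabling and for disabling or not configuring the setting ("users will receive a file download dialog for automatic download attempts"), so the text does not tell an admin what the policy changes. The hunk only touches the surrounding blank lines; please check the disabled case against the ADMX explain text and correct whichever sentence is wrong.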
@@ -14722,20 +15957,22 @@ If you disable or do not configure this setting, users will receive a file downl
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowFontDownloads**
-
+
Home
@@ -14757,8 +15994,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14767,8 +16004,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -14777,7 +16014,7 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14785,20 +16022,22 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites**
-
+
Home
@@ -14820,8 +16059,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14830,8 +16069,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
@@ -14840,7 +16079,7 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14848,20 +16087,22 @@ If you do not configure this policy setting, a warning is issued to the user tha
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents**
-
+
Home
@@ -14883,8 +16124,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14893,8 +16134,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -14903,7 +16144,7 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14911,20 +16152,22 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowScriptlets**
-
+
Home
@@ -14946,8 +16189,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -14956,8 +16199,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -14966,7 +16209,7 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -14974,20 +16217,22 @@ If you do not configure this policy setting, the user can enable or disable scri
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE**
-
+
Home
@@ -15009,8 +16254,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15019,8 +16264,8 @@ ADMX Info:
-
-
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
@@ -15031,7 +16276,7 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15039,20 +16284,22 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence**
-
+
Home
@@ -15074,8 +16321,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15084,8 +16331,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -15094,7 +16341,7 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15102,20 +16349,22 @@ If you do not configure this policy setting, users can preserve information in t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
-
+
Home
@@ -15137,8 +16386,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15147,9 +16396,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+
+If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
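Review bot: in the added description, the enabled and not-configured paragraphs both end with Internet Explorer skipping the antimalware check, and only Disable enforces it; combined with the negatively named policy ("Don't run antimalware programs against ActiveX controls") this is easy to misread. Suggest stating explicitly that Disable is the value that forces the check in the Trusted Sites zone, and that leaving the policy unconfigured lets users change the behavior.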
@@ -15157,20 +16414,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls**
-
+
Home
@@ -15192,8 +16451,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15202,8 +16461,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
@@ -15214,7 +16473,7 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15222,20 +16481,22 @@ If you do not configure this policy setting, users are queried whether to allow
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneJavaPermissions**
-
+
Home
@@ -15257,8 +16518,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15267,9 +16528,23 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage permissions for Java applets.
+
+If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
+
+Low Safety enables applets to perform all operations.
+
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+
+High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
+
+If you disable this policy setting, Java applets cannot run.
+
+If you do not configure this policy setting, the permission is set to Low Safety.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
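Review bot: In the added Java permissions description, the drop-down options are run together as loose paragraphs, so "Custom, to control permissions settings individually." reads as a fragment and "Disable Java to prevent any applets from running." is fused onto the High Safety paragraph. Suggest a bulleted list with one entry each for Custom, Low Safety, Medium Safety, High Safety and Disable Java. It is also worth restating beside "If you do not configure this policy setting, the permission is set to Low Safety." that Low Safety is the level that "enables applets to perform all operations", so an admin can see what the unconfigured state permits in this zone.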
@@ -15277,20 +16552,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
+
-
+
+
**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames**
-
+
Home
@@ -15312,8 +16589,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -15322,8 +16599,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
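Review bot: The context line "users can open windows and frames from othe domains" has a typo ("othe" for "other"), and the same typo repeats in the "If you do not configure this policy setting" sentence just below. This patch already touches the section for the marker changes, so fix both occurrences in the same change.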
@@ -15332,7 +16609,7 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -15340,15 +16617,15 @@ If you do not configure this policy setting, users can open windows and frames f
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
+
+
Footnote:
@@ -15357,5 +16634,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 43b40603af..6831acebc5 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Kerberos
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Kerberos policies
@@ -36,11 +36,13 @@ ms.date: 11/01/2017
+
-
+
+
**Kerberos/AllowForestSearchOrder**
-
+
Home
@@ -62,8 +64,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -71,15 +73,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -87,20 +89,22 @@ If you disable or do not configure this policy setting, the Kerberos client does
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
+
-
+
+
**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
-
+
Home
@@ -122,8 +126,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -131,14 +135,14 @@ ADMX Info:
-
-
-This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
+
+
+This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -146,20 +150,22 @@ If you disable or do not configure this policy setting, the client devices will
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
+
-
+
+
**Kerberos/RequireKerberosArmoring**
-
+
Home
@@ -181,8 +187,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -190,19 +196,19 @@ ADMX Info:
-
-
+
+
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
-If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
+If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
-Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
+Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
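Review bot: The "Warning:" paragraph in this hunk describes a total authentication failure for every user in a domain without armoring support, yet it is formatted as plain body text, as is the re-added "Note:" line. The file already uses callouts ("> [!TIP]" directly below), so the warning and the note should use the matching callout style to stand out from the description. While the line is being re-added, "enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges" would read more clearly as "only in".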
@@ -210,20 +216,22 @@ If you disable or do not configure this policy setting, the client computers in
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
+
-
+
+
**Kerberos/RequireStrictKDCValidation**
-
+
Home
@@ -245,8 +253,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -254,15 +262,15 @@ ADMX Info:
-
-
-This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
+
+
+This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -270,20 +278,22 @@ If you disable or do not configure this policy setting, the Kerberos client requ
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
+
-
+
+
**Kerberos/SetMaximumContextTokenSize**
-
+
Home
@@ -305,8 +315,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -314,19 +324,19 @@ ADMX Info:
-
-
+
+
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
-The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
+The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
-If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
+If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
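Review bot: The enabled case ("uses the configured value, or the locally allowed maximum value, whichever is smaller") gives no unit or range for the configured value; bytes and the 48,000 figure appear only in the trailing Note. Suggest stating in the enabled sentence that the value is in bytes and pointing to the 48,000-byte recommendation there. The registry path in the Note would also be easier to read in code formatting.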
@@ -334,15 +344,15 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
-
-
+
+
Footnote:
@@ -351,5 +361,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index ab4e33bba0..933c3fa2e8 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 01/30/2018
---
# Policy CSP - KioskBrowser
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## KioskBrowser policies
@@ -41,11 +41,13 @@ ms.date: 01/03/2018
+
-
+
+
**KioskBrowser/BlockedUrlExceptions**
-
+
Home
@@ -67,8 +69,8 @@ ms.date: 01/03/2018
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -77,26 +79,19 @@ ms.date: 01/03/2018
-
-
-Added in Windows 10, next major update. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/BlockedUrls**
-
+
Home
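Review bot: The updated BlockedUrlExceptions line says the exceptions have "wildcard support" and "are a subset of the blocked URLs", but the visible description does not state the value type, how multiple URLs are delimited, what the wildcard matches, or which list wins when a URL matches both. Since this setting re-opens navigation on a locked-down kiosk, an admin guessing at the pattern syntax can easily allow more than intended. Suggest adding the format and one sample value here and in the BlockedUrls description.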
@@ -118,8 +113,8 @@ Added in Windows 10, next major update. List of exceptions to the blocked websit
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -128,26 +123,19 @@ Added in Windows 10, next major update. List of exceptions to the blocked websit
-
-
-Added in Windows 10, next major update. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
+
+
+Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/DefaultURL**
-
+
Home
@@ -169,8 +157,8 @@ Added in Windows 10, next major update. List of blocked website URLs (with wildc
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -179,26 +167,19 @@ Added in Windows 10, next major update. List of blocked website URLs (with wildc
-
-
-Added in Windows 10, next major update. Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/EnableHomeButton**
-
+
Home
@@ -220,8 +201,8 @@ Added in Windows 10, next major update. Configures the default URL kiosk browser
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -230,26 +211,19 @@ Added in Windows 10, next major update. Configures the default URL kiosk browser
-
-
-Added in Windows 10, next major update. Enable/disable kiosk browser's home button.
+
+
+Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/EnableNavigationButtons**
-
+
Home
@@ -271,8 +245,8 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's home butt
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -281,26 +255,19 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's home butt
-
-
-Added in Windows 10, next major update. Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back).
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**KioskBrowser/RestartOnIdleTime**
-
+
Home
@@ -322,8 +289,8 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's navigatio
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -332,23 +299,14 @@ Added in Windows 10, next major update. Enable/disable kiosk browser's navigatio
-
-
-Added in Windows 10, next major update. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+Added in Windows 10, version 1803. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
-
-
-
-
-
-
-
-
-
-
-
+
+
Footnote:
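Review bot: The RestartOnIdleTime description now says the same thing twice: the re-added "Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state." and the following "The value is an int 1-1440 that specifies the amount of minutes ..." sentence. Suggest merging them into one sentence and using "number of minutes". Because the default is empty, meaning "there is no idle timeout within the kiosk browser", it would help to say plainly that a session left by one user stays open for the next unless this value is set.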
@@ -357,5 +315,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 64f7550a15..0e063d9b5f 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Licensing
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Licensing policies
Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
+
+
+Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
-
+
+
+ADMX Info:
+- GP English name: *Control Device Reactivation for Retail devices*
+- GP name: *AllowWindowsEntitlementReactivation*
+- GP path: *Windows Components/Software Protection Platform*
+- GP ADMX file name: *AVSValidationGP.admx*
+
+
The following list shows the supported values:
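Review bot: The added description line repeats the grammar slip "Enables or Disable Windows license reactivation"; it should read "Enables or disables". The new ADMX Info block also gives the GP English name as "Control Device Reactivation for Retail devices" while the description talks about "managed devices", so one sentence reconciling the two scopes would prevent confusion about which devices the policy applies to.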
@@ -74,12 +84,14 @@ The following list shows the supported values:
- 1 (default) – Enable Windows license reactivation on managed devices.
-
+
+
@@ -101,8 +113,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -110,11 +122,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
+
+
+Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
-
+
+
+ADMX Info:
+- GP English name: *Turn off KMS Client Online AVS Validation*
+- GP name: *NoAcquireGT*
+- GP path: *Windows Components/Software Protection Platform*
+- GP ADMX file name: *AVSValidationGP.admx*
+
+
The following list shows the supported values:
@@ -122,7 +142,7 @@ The following list shows the supported values:
- 1 – Enabled.
-
+
Footnote:
@@ -131,5 +151,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 5ef2395ae6..1ffde8a086 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/29/2017
+ms.date: 03/05/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
@@ -17,7 +17,7 @@ ms.date: 12/29/2017
-
+
## LocalPoliciesSecurityOptions policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -223,8 +225,8 @@ ms.date: 12/29/2017
-
-
+
+
This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
@@ -235,7 +237,13 @@ If you disable or do not configure this policy (recommended), users will be able
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
+
+GP Info:
+- GP English name: *Accounts: Block Microsoft accounts*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
The following list shows the supported values:
@@ -243,12 +251,14 @@ The following list shows the supported values:
- 1 - enabled (users cannot add Microsoft accounts).
-
+
+
-
+
+
**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
-
+
Home
@@ -270,8 +280,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -279,8 +289,8 @@ The following list shows the supported values:
-
-
+
+
This security setting determines whether the local Administrator account is enabled or disabled.
If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
@@ -289,19 +299,30 @@ Disabling the Administrator account can become a maintenance issue under certain
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
Default: Disabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP English name: *Accounts: Administrator account status*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
Valid values:
- 0 - local Administrator account is disabled
- 1 - local Administrator account is enabled
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
-
+
Home
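Review bot: This section keeps the heading "Valid values:" for the 0/1 list, while the Block Microsoft accounts section earlier in the same file uses "The following list shows the supported values:". Pick one heading for the supported-value lists across the file so the sections read consistently, particularly now that the list sits after the new GP Info block.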
@@ -323,8 +344,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -332,26 +353,37 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.
-Valid values:
-- 0 - local Guest account is disabled
-- 1 - local Guest account is enabled
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *Accounts: Guest account status*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+Valid values:
+- 0 - local Guest account is disabled
+- 1 - local Guest account is enabled
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
-
+
Home
@@ -373,8 +405,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -382,16 +414,13 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
Default: Enabled.
-Valid values:
-- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
-- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
Warning:
@@ -403,13 +432,27 @@ It is possible for applications that use remote interactive logons to bypass thi
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *Accounts: Limit local account use of blank passwords to console logon only*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+Valid values:
+- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
+- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
-
+
Home
@@ -431,8 +474,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -440,8 +483,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Accounts: Rename administrator account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
@@ -450,13 +493,21 @@ Default: Administrator.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *Accounts: Rename administrator account*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
-
+
Home
@@ -478,8 +529,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -487,8 +538,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Accounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
@@ -497,13 +548,21 @@ Default: Guest.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *Accounts: Rename guest account*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon**
-
+
Home
@@ -525,8 +584,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -534,8 +593,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Devices: Allow undock without having to log on.
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
@@ -545,22 +604,21 @@ Caution:
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
-
-
+
+
+GP Info:
+- GP English name: *Devices: Allow undock without having to log on*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia**
-
+
Home
@@ -582,8 +640,8 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -591,8 +649,8 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
-
-
+
+
Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
@@ -602,22 +660,21 @@ This security setting determines who is allowed to format and eject removable NT
Default: This policy is not defined and only Administrators have this ability.
-
-
+
+
+GP Info:
+- GP English name: *Devices: Allowed to format and eject removable media*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters**
-
+
Home
@@ -639,8 +696,8 @@ Default: This policy is not defined and only Administrators have this ability.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -648,8 +705,8 @@ Default: This policy is not defined and only Administrators have this ability.
-
-
+
+
Devices: Prevent users from installing printer drivers when connecting to shared printers
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.
@@ -661,22 +718,21 @@ Note
This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
-
-
+
+
+GP Info:
+- GP English name: *Devices: Prevent users from installing printer drivers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly**
-
+
Home
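Review bot: The GP English name added in this hunk, *Devices: Prevent users from installing printer drivers*, does not match the policy title in the unchanged description that precedes it, "Devices: Prevent users from installing printer drivers when connecting to shared printers". Confirm which string the Security Options node actually shows and make the two agree, so an admin searching the Group Policy editor for the name given here finds the setting.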
@@ -698,8 +754,8 @@ This setting does not affect the ability to add a local printer. This setting do
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -707,8 +763,8 @@ This setting does not affect the ability to add a local printer. This setting do
-
-
+
+
Devices: Restrict CD-ROM access to locally logged-on user only
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
@@ -717,22 +773,21 @@ If this policy is enabled, it allows only the interactively logged-on user to ac
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
-
-
+
+
+GP Info:
+- GP English name: *Devices: Restrict CD-ROM access to locally logged-on user only*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
-
+
Home
@@ -754,8 +809,8 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -763,8 +818,8 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
-
-
+
+
Domain member: Digitally encrypt or sign secure channel data (always)
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
@@ -784,22 +839,21 @@ If this policy is enabled, the policy Domain member: Digitally sign secure chann
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
-
-
+
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
-
+
Home
@@ -821,8 +875,8 @@ Logon information transmitted over the secure channel is always encrypted regard
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -830,8 +884,8 @@ Logon information transmitted over the secure channel is always encrypted regard
-
-
+
+
Domain member: Digitally encrypt secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
@@ -848,22 +902,21 @@ There is no known reason for disabling this setting. Besides unnecessarily reduc
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
-
-
+
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible**
-
+
Home
@@ -885,8 +938,8 @@ Note: Domain controllers are also domain members and establish secure channels w
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -894,8 +947,8 @@ Note: Domain controllers are also domain members and establish secure channels w
-
-
+
+
Domain member: Digitally sign secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
@@ -906,22 +959,21 @@ This setting determines whether or not the domain member attempts to negotiate s
Default: Enabled.
-
-
+
+
+GP Info:
+- GP English name: *Domain member: Digitally sign secure channel data (when possible)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
-
+
Home
@@ -943,8 +995,8 @@ Default: Enabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -952,8 +1004,8 @@ Default: Enabled.
-
-
+
+
Domain member: Disable machine account password changes
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
@@ -965,22 +1017,21 @@ Notes
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
-
-
+
+
+GP Info:
+- GP English name: *Domain member: Disable machine account password changes*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge**
-
+
Home
@@ -1002,8 +1053,8 @@ This setting should not be used in an attempt to support dual-boot scenarios tha
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1011,8 +1062,8 @@ This setting should not be used in an attempt to support dual-boot scenarios tha
-
-
+
+
Domain member: Maximum machine account password age
This security setting determines how often a domain member will attempt to change its computer account password.
@@ -1023,22 +1074,21 @@ Important
This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
-
-
+
+
+GP Info:
+- GP English name: *Domain member: Maximum machine account password age*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey**
-
+
Home
@@ -1060,8 +1110,8 @@ This setting applies to Windows 2000 computers, but it is not available through
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1069,8 +1119,8 @@ This setting applies to Windows 2000 computers, but it is not available through
-
-
+
+
Domain member: Require strong (Windows 2000 or later) session key
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
@@ -1092,22 +1142,21 @@ Important
In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
-
-
+
+
+GP Info:
+- GP English name: *Domain member: Require strong (Windows 2000 or later) session key*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
-
+
Home
@@ -1129,8 +1178,8 @@ In order to take advantage of this policy on domain controllers, all domain cont
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1138,24 +1187,35 @@ In order to take advantage of this policy on domain controllers, all domain cont
-
-
+
+
Interactive Logon:Display user information when the session is locked
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP English name: *Interactive logon: Display user information when the session is locked*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
Valid values:
- 1 - User display name, domain and user names
- 2 - User display name only
- 3 - Do not display user information
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
-
+
Home
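Review bot: The added GP English name uses "Interactive logon: Display user information when the session is locked", while the unchanged title line directly above the new block still reads "Interactive Logon:Display user information when the session is locked" (capital L, no space after the colon). Fix the title in the same change. This policy also goes straight from the title to "Value type is integer" with no description or default, unlike its neighbours; a sentence on what each of the three values exposes on the lock screen would help.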
@@ -1177,8 +1237,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1186,8 +1246,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
@@ -1196,19 +1256,30 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP English name: *Interactive logon: Don't display last signed-in*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
Valid values:
- 0 - disabled (username will be shown)
- 1 - enabled (username will not be shown)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
-
+
Home
@@ -1230,8 +1301,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1239,8 +1310,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
@@ -1250,19 +1321,30 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP English name: *Interactive logon: Don't display username at sign-in*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
Valid values:
- 0 - disabled (username will be shown)
- 1 - enabled (username will not be shown)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
-
+
Home
@@ -1284,8 +1366,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1293,8 +1375,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Do not require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
@@ -1305,19 +1387,30 @@ If this policy is disabled, any user is required to press CTRL+ALT+DEL before lo
Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
Default on stand-alone computers: Enabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP English name: *Interactive logon: Do not require CTRL+ALT+DEL*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
-
+
Home
@@ -1339,8 +1432,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1348,26 +1441,37 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Machine inactivity limit.
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP English name: *Interactive logon: Machine inactivity limit*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
-
+
Home
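Review bot: The Valid values list retained under the new GP Info block describes a 0/1 switch ("0 - disabled", "1 - enabled"), but the description says the session locks when inactive time "exceeds the inactivity limit", which implies the integer carries the limit itself. Document the unit and accepted range of the value, or, if this node really is a boolean, state where the limit is configured.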
@@ -1389,8 +1493,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1398,8 +1502,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Message text for users attempting to log on
This security setting specifies a text message that is displayed to users when they log on.
@@ -1410,13 +1514,21 @@ Default: No message.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *Interactive logon: Message text for users attempting to log on*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
-
+
Home
@@ -1438,8 +1550,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1447,8 +1559,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Message title for users attempting to log on
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
@@ -1457,13 +1569,21 @@ Default: No message.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *Interactive logon: Message title for users attempting to log on*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior**
-
+
Home
@@ -1485,8 +1605,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1494,8 +1614,8 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Interactive logon: Smart card removal behavior
This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
@@ -1519,22 +1639,21 @@ Default: This policy is not defined, which means that the system treats it as No
On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
-
-
+
+
+GP Info:
+- GP English name: *Interactive logon: Smart card removal behavior*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**
-
+
Home
@@ -1556,8 +1675,8 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1565,8 +1684,8 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol
-
-
+
+
Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component.
@@ -1591,22 +1710,21 @@ Microsoft network server: Digitally sign communications (if client agrees) - Con
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
+GP Info:
+- GP English name: *Microsoft network client: Digitally sign communications (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**
-
+
Home
@@ -1628,8 +1746,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1637,8 +1755,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
Microsoft network client: Digitally sign communications (if server agrees)
This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
@@ -1660,22 +1778,21 @@ If both client-side and server-side SMB signing is enabled and the client establ
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
+GP Info:
+- GP English name: *Microsoft network client: Digitally sign communications (if server agrees)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers**
-
+
Home
@@ -1697,8 +1814,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1706,8 +1823,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
@@ -1716,22 +1833,21 @@ Sending unencrypted passwords is a security risk.
Default: Disabled.
-
-
+
+
+GP Info:
+- GP English name: *Microsoft network client: Send unencrypted password to third-party SMB servers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**
-
+
Home
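Review bot: The added GP English name, *Microsoft network client: Send unencrypted password to third-party SMB servers*, drops "to connect" compared with the description title "Microsoft network client: Send unencrypted password to connect to third-party SMB servers". Check the string against the Group Policy editor and align the two. For a setting the text itself calls a security risk, the name should be exact enough to audit against.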
@@ -1753,8 +1869,8 @@ Default: Disabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1762,8 +1878,8 @@ Default: Disabled.
-
-
+
+
Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
@@ -1774,22 +1890,21 @@ For this policy setting, a value of 0 means to disconnect an idle session as qui
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
-
-
+
+
+GP Info:
+- GP English name: *Microsoft network server: Amount of idle time required before suspending session*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**
-
+
Home
@@ -1811,8 +1926,8 @@ Default:This policy is not defined, which means that the system treats it as 15
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1820,8 +1935,8 @@ Default:This policy is not defined, which means that the system treats it as 15
-
-
+
+
Microsoft network server: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB server component.
@@ -1855,22 +1970,21 @@ For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the f
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
+GP Info:
+- GP English name: *Microsoft network server: Digitally sign communications (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees**
-
+
Home
@@ -1892,8 +2006,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1901,8 +2015,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
Microsoft network server: Digitally sign communications (if client agrees)
This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
@@ -1928,22 +2042,21 @@ If both client-side and server-side SMB signing is enabled and the client establ
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
+GP Info:
+- GP English name: *Microsoft network server: Digitally sign communications (if client agrees)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts**
-
+
Home
@@ -1965,8 +2078,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1974,8 +2087,8 @@ For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-
+
+
Network access: Do not allow anonymous enumeration of SAM accounts
This security setting determines what additional permissions will be granted for anonymous connections to the computer.
@@ -1994,22 +2107,21 @@ Important
This policy has no impact on domain controllers.
-
-
+
+
+GP Info:
+- GP English name: *Network access: Do not allow anonymous enumeration of SAM accounts*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares**
-
+
Home
@@ -2031,8 +2143,8 @@ This policy has no impact on domain controllers.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2040,8 +2152,8 @@ This policy has no impact on domain controllers.
-
-
+
+
Network access: Do not allow anonymous enumeration of SAM accounts and shares
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
@@ -2050,22 +2162,21 @@ Windows allows anonymous users to perform certain activities, such as enumeratin
Default: Disabled.
-
-
+
+
+GP Info:
+- GP English name: *Network access: Do not allow anonymous enumeration of SAM accounts and shares*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers**
-
+
Home
@@ -2087,8 +2198,8 @@ Default: Disabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2096,8 +2207,8 @@ Default: Disabled.
-
-
+
+
Network access: Let Everyone permissions apply to anonymous users
This security setting determines what additional permissions are granted for anonymous connections to the computer.
@@ -2108,22 +2219,15 @@ If this policy is enabled, the Everyone SID is added to the token that is create
Default: Disabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares**
-
+
Home
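Review bot: No GP Info block is added after "Default: Disabled." for the Everyone SID policy named in the hunk header, although the neighbouring policies in this patch each gain a GP English name and GP path at that position. If the omission is intentional, say so in the text. Otherwise add the mapping so the section is consistent with the rest.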
@@ -2145,8 +2249,8 @@ Default: Disabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2154,8 +2258,8 @@ Default: Disabled.
-
-
+
+
Network access: Restrict anonymous access to Named Pipes and Shares
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
@@ -2164,22 +2268,21 @@ Network access: Named pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously
Default: Enabled.
-
-
+
+
+GP Info:
+- GP English name: *Network access: Restrict anonymous access to Named Pipes and Shares*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM**
-
+
Home
@@ -2201,8 +2304,8 @@ Default: Enabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2210,8 +2313,8 @@ Default: Enabled.
-
-
+
+
Network access: Restrict clients allowed to make remote calls to SAM
This policy setting allows you to restrict remote rpc connections to SAM.
@@ -2220,22 +2323,21 @@ If not selected, the default security descriptor will be used.
This policy is supported on at least Windows Server 2016.
-
-
+
+
+GP Info:
+- GP English name: *Network access: Restrict clients allowed to make remote calls to SAM*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
-
+
Home
@@ -2257,8 +2359,8 @@ This policy is supported on at least Windows Server 2016.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2266,8 +2368,8 @@ This policy is supported on at least Windows Server 2016.
-
-
+
+
Network security: Allow Local System to use computer identity for NTLM
This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
@@ -2284,22 +2386,15 @@ This policy is supported on at least Windows Vista or Windows Server 2008.
Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
-
+
Home
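Review bot: This hunk adds no GP Info block after the note "Windows Vista or Windows Server 2008 do not expose this setting in Group Policy", unlike the surrounding policies. State explicitly whether a Group Policy mapping exists on later versions. If it does, add the GP English name and path. If not, a short sentence saying so would stop readers from assuming the block was simply forgotten.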
@@ -2321,8 +2416,8 @@ Note: Windows Vista or Windows Server 2008 do not expose this setting in Group P
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2330,25 +2425,36 @@ Note: Windows Vista or Windows Server 2008 do not expose this setting in Group P
-
-
+
+
Network security: Allow PKU2U authentication requests to this computer to use online identities.
This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP English name: *Network security: Allow PKU2U authentication requests to this computer to use online identities.*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange**
-
+
Home
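Review bot: The relocated "Valid values" list (0 - disabled, 1 - enabled) marks no default, while the description above it says the policy is "turned off by default on domain joined machines". Mark the default next to the value it applies to and state what the default is on machines that are not domain joined, so the two passages cannot be read differently.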
@@ -2370,8 +2476,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2379,8 +2485,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Network security: Do not store LAN Manager hash value on next password change
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
@@ -2394,22 +2500,21 @@ Important
Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
-
-
+
+
+GP Info:
+- GP English name: *Network security: Do not store LAN Manager hash value on next password change*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel**
-
+
Home
@@ -2431,8 +2536,8 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2440,8 +2545,8 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi
-
-
+
+
Network security LAN Manager authentication level
This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
@@ -2470,22 +2575,21 @@ Windows Server 2003: Send NTLM response only
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
-
-
+
+
+GP Info:
+- GP English name: *Network security: LAN Manager authentication level*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
-
+
Home
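Review bot: The GP Info block is the only content added for NetworkSecurity_LANManagerAuthenticationLevel; the section still closes on the per-OS defaults ("Send NTLM response only", "Send NTLMv2 response only") and nothing in this hunk adds a "Value type is integer" line or a supported-values list. The levels are described by name only, so add the integer that corresponds to each level to let the setting be applied through MDM without guessing.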
@@ -2507,8 +2611,8 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2516,8 +2620,8 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
-
-
+
+
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
@@ -2531,22 +2635,21 @@ Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
+GP Info:
+- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
-
+
Home
@@ -2568,8 +2671,8 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2577,8 +2680,8 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
@@ -2592,22 +2695,21 @@ Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
+GP Info:
+- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) servers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
-
+
Home
@@ -2629,26 +2731,31 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-
+
+
Recovery console: Allow automatic administrative logon
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
Default: This policy is not defined and automatic administrative logon is not allowed.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (allow automatic administrative logon)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
-
+
Home
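Review bot: RecoveryConsole_AllowAutomaticAdministrativeLogon gets the reordered "Value type" and "Valid values" lines but no "GP Info:" block, although the Shutdown and User Account Control sections in this patch each receive one. Add the GP English name and GP path here as well, or note why this policy has no Group Policy mapping. Since the text says automatic administrative logon is not allowed by default, consider marking 0 as the default in the list too.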
@@ -2670,8 +2777,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2679,8 +2786,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows.
@@ -2691,19 +2798,30 @@ When this policy is disabled, the option to shut down the computer does not appe
Default on workstations: Enabled.
Default on servers: Disabled.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP English name: *Shutdown: Allow system to be shut down without having to log on*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
Valid values:
- 0 - disabled
- 1 - enabled (allow system to be shut down without having to log on)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
-
-
-
+
+
**LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile**
-
+
Home
@@ -2725,8 +2843,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2734,8 +2852,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
@@ -2746,22 +2864,21 @@ When this policy is enabled, it causes the system pagefile to be cleared upon cl
Default: Disabled.
-
-
+
+
+GP Info:
+- GP English name: *Shutdown: Clear virtual memory pagefile*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems**
-
+
Home
@@ -2783,8 +2900,8 @@ Default: Disabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2792,8 +2909,8 @@ Default: Disabled.
-
-
+
+
System objects: Require case insensitivity for non-Windows subsystems
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX.
@@ -2802,22 +2919,15 @@ If this setting is enabled, case insensitivity is enforced for all directory obj
Default: Enabled.
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
-
+
Home
@@ -2839,8 +2949,8 @@ Default: Enabled.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2848,8 +2958,8 @@ Default: Enabled.
-
-
+
+
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
@@ -2857,21 +2967,32 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
Disabled: (Default)
-Valid values:
-- 0 - disabled
-- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
-
+
Home
@@ -2893,8 +3014,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2902,8 +3023,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators.
@@ -2924,13 +3045,21 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
-
+
Home
@@ -2952,8 +3081,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2961,14 +3090,20 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
+
+GP Info:
+- GP English name: *User Account Control: Behavior of the elevation prompt for standard users*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
The following list shows the supported values:
@@ -2977,12 +3112,14 @@ The following list shows the supported values:
- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation**
-
+
Home
@@ -3004,8 +3141,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3013,8 +3150,8 @@ The following list shows the supported values:
-
-
+
+
User Account Control: Detect application installations and prompt for elevation
This policy setting controls the behavior of application installation detection for the computer.
@@ -3025,22 +3162,21 @@ Enabled: (Default) When an application installation package is detected that req
Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
-
-
+
+
+GP Info:
+- GP English name: *User Account Control: Detect application installations and prompt for elevation*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
-
+
Home
@@ -3062,8 +3198,8 @@ Disabled: Application installation packages are not detected and prompted for el
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3071,8 +3207,8 @@ Disabled: Application installation packages are not detected and prompted for el
-
-
+
+
User Account Control: Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
@@ -3083,13 +3219,21 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *User Account Control: Only elevate executables that are signed and validated*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
-
+
Home
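Review bot: The added GP English name reads "Only elevate executables that are signed and validated", but the description title a few lines earlier reads "Only elevate executable files that are signed and validated". Use one wording in both places, the one shown in the Group Policy editor, so a search for the setting name lands on this section.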
@@ -3111,8 +3255,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3120,8 +3264,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
@@ -3138,13 +3282,21 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *User Account Control: Only elevate UIAccess applications that are installed in secure locations*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
-
+
Home
@@ -3166,8 +3318,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3175,8 +3327,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
@@ -3188,13 +3340,21 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *User Account Control: Run all administrators in Admin Approval Mode*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
-
+
Home
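Review bot: The GP English name added here, "User Account Control: Run all administrators in Admin Approval Mode", does not match the section's own title line, "User Account Control: Turn on Admin Approval Mode". Make the two agree, or add a sentence saying they refer to the same setting. The description says this policy controls the behavior of all UAC policy settings for the computer, so ambiguity about which setting is meant is costly.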
@@ -3216,8 +3376,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3225,8 +3385,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
@@ -3237,13 +3397,21 @@ The options are:
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+GP Info:
+- GP English name: *User Account Control: Switch to the secure desktop when prompting for elevation*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode**
-
+
Home
@@ -3265,8 +3433,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3274,8 +3442,8 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
User Account Control: Use Admin Approval Mode for the built-in Administrator account
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
@@ -3286,22 +3454,21 @@ The options are:
• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
-
-
+
+
+GP Info:
+- GP English name: *User Account Control: Admin Approval Mode for the Built-in Administrator account*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
+
+
-
-
-
-
-
-
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
-
+
Home
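Review bot: UserAccountControl_UseAdminApprovalMode ends with the "• Disabled: (Default)" option followed by the new GP Info block, and this hunk adds no "Value type is integer. Supported operations are ..." line or numeric values, which the neighbouring UAC sections carry. Add them, convert the "•" bullets to the "- " list style used in the rest of the file, and reconcile the GP English name ("Admin Approval Mode for the Built-in Administrator account") with the description title ("Use Admin Approval Mode for the built-in Administrator account").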
@@ -3323,8 +3490,8 @@ The options are:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3332,15 +3499,21 @@ The options are:
-
-
+
+
User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
+
+GP Info:
+- GP English name: *User Account Control: Virtualize file and registry write failures to per-user locations*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
The following list shows the supported values:
@@ -3348,7 +3521,7 @@ The following list shows the supported values:
- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
-
+
Footnote:
@@ -3357,5 +3530,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index 9c979b9d53..18e7a7fd97 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Location
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Location policies
Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
+
+
+Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
> [!IMPORTANT]
> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Location Provider*
+- GP name: *DisableWindowsLocationProvider_1*
+- GP path: *Windows Components/Location and Sensors/Windows Location Provider*
+- GP ADMX file name: *LocationProviderAdm.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Disabled.
- 1 – Enabled.
-
To validate on Desktop, do the following:
+
+
+To validate on Desktop, do the following:
1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
-
-
+
+
Footnote:
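Review bot: The new ADMX Info maps this policy to "Turn off Windows Location Provider", while the supported values remain 0 (default, Disabled) and 1 (Enabled) for the Device Switch, so the GP is phrased as a turn-off and the CSP value as an enable. State which GP state corresponds to which integer. The IMPORTANT note also says the policy is not meant to be set or refreshed more than once after first boot; say whether that caveat still holds when the setting is delivered through Group Policy.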
@@ -86,5 +100,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 8db727d554..be9c02f1d7 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - LockDown
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## LockDown policies
Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
+
+
+Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
-
The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
+The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
-
+
+
+ADMX Info:
+- GP English name: *Allow edge swipe*
+- GP name: *AllowEdgeSwipe*
+- GP path: *Windows Components/Edge UI*
+- GP ADMX file name: *EdgeUI.admx*
+
+
The following list shows the supported values:
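Review bot: The verification paragraph describes only the blocked outcome (Action Center not invoked by a right-edge swipe, top-edge swipe disabled in tablet mode) without naming the policy value that produces it, and the supported-values list comes after the ADMX block. Name the value in the first sentence of the paragraph, and while the line is being touched, merge the fragment "And then try to swipe from the right edge of the screen." into the preceding sentence.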
@@ -73,7 +83,7 @@ The following list shows the supported values:
- 1 (default, not configured) - allow edge swipe.
-
+
Footnote:
@@ -82,5 +92,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index aca34d8a1b..d60af40683 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Maps
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Maps policies
Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
+
+
+Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
-
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
+After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
-
+
The following list shows the supported values:
@@ -77,12 +79,14 @@ The following list shows the supported values:
- 65535 (default) – Not configured. User's choice.
-
+
+
-
+
+
**Maps/EnableOfflineMapsAutoUpdate**
-
+
Home
@@ -104,8 +108,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -113,13 +117,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Disables the automatic download and update of map data.
+
+
+Added in Windows 10, version 1607. Disables the automatic download and update of map data.
-
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
+After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
-
+
+
+ADMX Info:
+- GP English name: *Turn off Automatic Download and Update of Map Data*
+- GP name: *TurnOffAutoUpdate*
+- GP path: *Windows Components/Maps*
+- GP ADMX file name: *WinMaps.admx*
+
+
The following list shows the supported values:
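Review bot: The policy node is named EnableOfflineMapsAutoUpdate, the description says it "Disables the automatic download and update of map data", and the new GP English name is "Turn off Automatic Download and Update of Map Data". With the node name and the description pointing in opposite directions, the supported-values list needs to say explicitly which integer turns auto-update off and which GP state that integer corresponds to.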
@@ -128,7 +140,7 @@ The following list shows the supported values:
- 65535 (default) – Not configured. User's choice.
-
+
Footnote:
@@ -137,5 +149,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index 4d41080dfa..2ad6d83fe0 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Messaging
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Messaging policies
@@ -30,11 +30,13 @@ ms.date: 11/01/2017
+
-
+
+
**Messaging/AllowMMS**
-
+
Home
@@ -56,8 +58,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,25 +67,29 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
+Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 - Disabled.
- 1 (default) - Enabled.
-
-
+
+
+
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
+
+
+Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Allow Message Service Cloud Sync*
+- GP name: *AllowMessageSync*
+- GP path: *Windows Components/Messaging*
+- GP ADMX file name: *messaging.admx*
+
+
+
+The following list shows the supported values:
- 0 - message sync is not allowed and cannot be changed by the user.
- 1 - message sync is allowed. The user can change this setting.
-
-
+
+
+
-
+
+
**Messaging/AllowRCS**
-
+
Home
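Review bot: The AllowMessageSync values ("0 - message sync is not allowed", "1 - message sync is allowed") carry no default marker, unlike AllowMMS in the same hunk, which shows "1 (default) - Enabled". The description presents this policy as the way to avoid information being stored on servers outside the organization's control, so state which value a device uses when the policy is not configured.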
@@ -151,8 +169,8 @@ ms.date: 11/01/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -160,20 +178,22 @@ ms.date: 11/01/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
+Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 - Disabled.
- 1 (default) - Enabled.
-
-
+
+
Footnote:
@@ -182,5 +202,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index c15086a614..70db29303b 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - NetworkIsolation
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## NetworkIsolation policies
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
+
+Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
+
+
+ADMX Info:
+- GP English name: *Enterprise resource domains hosted in the cloud*
+- GP name: *WF_NetIsolation_EnterpriseCloudResources*
+- GP element: *WF_NetIsolation_EnterpriseCloudResourcesBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
+
-
-
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges.
+
+
+Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges.
-
+
+
+ADMX Info:
+- GP English name: *Private network ranges for apps*
+- GP name: *WF_NetIsolation_PrivateSubnet*
+- GP element: *WF_NetIsolation_PrivateSubnetBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
For example:
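Review bot: In the EnterpriseCloudResources description re-added in this hunk, the value is called a pipe-separated list, yet the example ends with a trailing "|" after the last "<*proxy*>", and the text never says whether that terminator is required. Since the paragraph is being rewritten anyway, state the rule explicitly. The same paragraph says proxied traffic goes "on Port 80" without saying whether that port is fixed or configurable, which is worth one clause as well.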
@@ -139,12 +161,14 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
```
-
+
+
Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+
+
+Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+
+
+
+ADMX Info:
+- GP English name: *Subnet definitions are authoritative*
+- GP name: *WF_NetIsolation_Authoritative_Subnet*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
+
-
-
This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+
+
+This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+
+
+
+ADMX Info:
+- GP English name: *Intranet proxy servers for apps*
+- GP name: *WF_NetIsolation_Intranet_Proxies*
+- GP element: *WF_NetIsolation_Intranet_ProxiesBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
+
-
-
This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
+
+
+This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
> [!NOTE]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
Here are the steps to create canonical domain names:
+Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
-
-
+
+
+
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+
+
+This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+
+
+
+ADMX Info:
+- GP English name: *Internet proxy servers for apps*
+- GP name: *WF_NetIsolation_Domain_Proxies*
+- GP element: *WF_NetIsolation_Domain_ProxiesBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
+
-
-
Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
+
+
+Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
+
+
+
+ADMX Info:
+- GP English name: *Proxy definitions are authoritative*
+- GP name: *WF_NetIsolation_Authoritative_Proxies*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
+
-
-
List of domain names that can used for work or personal resource.
+
+
+List of domain names that can used for work or personal resource.
-
-
+
+
+ADMX Info:
+- GP English name: *Domains categorized as both work and personal*
+- GP name: *WF_NetIsolation_NeutralResources*
+- GP element: *WF_NetIsolation_NeutralResourcesBox*
+- GP path: *Network/Network Isolation*
+- GP ADMX file name: *NetworkIsolation.admx*
+
+
+
Footnote:
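Review bot: Two text defects are carried unchanged into the re-added lines of this hunk: the EnterpriseNetworkDomainNames description is missing the full stop in "considered enterprise data and protected These locations", and the NeutralResources description reads "can used" instead of "can be used". Both lines are already being rewritten, so fix them here. Separately, the visible lines add an ADMX Info block to every other policy in this file but none after the EnterpriseNetworkDomainNames description; confirm that omission is intentional.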
@@ -404,5 +481,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 1aaec21713..b4363ef967 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Notifications
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Notifications policies
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
+
+
+Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
-
For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
+For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
-
No reboot or service restart is required for this policy to take effect.
+No reboot or service restart is required for this policy to take effect.
-
+
+
+ADMX Info:
+- GP English name: *Turn off notification mirroring*
+- GP name: *NoNotificationMirroring*
+- GP path: *Start Menu and Taskbar/Notifications*
+- GP ADMX file name: *WPN.admx*
+
+
The following list shows the supported values:
@@ -75,7 +85,7 @@ The following list shows the supported values:
- 1 - disable notification mirroring.
-
+
Footnote:
@@ -84,5 +94,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 533e43da2d..c69cf5db4a 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Power
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Power policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -83,15 +85,15 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state.
If you disable this policy setting, standby states (S1-S3) are not allowed.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -99,20 +101,22 @@ If you disable this policy setting, standby states (S1-S3) are not allowed.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow standby states (S1-S3) when sleeping (plugged in)*
- GP name: *AllowStandbyStatesAC_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
-
+
+
**Power/DisplayOffTimeoutOnBattery**
-
+
Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
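Review bot: The re-added slide show sentence for Power/DisplayOffTimeoutOnBattery drops the "(DeviceLock/PreventLockScreenSlideShow)" reference and keeps only the Group Policy display name "Prevent enabling lock screen slide show". This page documents MDM policies, so the CSP path is the identifier an administrator can act on. Keep it in the sentence, or link it, rather than removing it. The same removal recurs in the later timeout hunks of this file.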
@@ -161,20 +165,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the display (on battery)*
- GP name: *VideoPowerDownTimeOutDC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows turns off the display.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -223,20 +229,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off the display (plugged in)*
- GP name: *VideoPowerDownTimeOutAC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
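Review bot: The added slide show line in this hunk still contains the misspelling "occuring" ("prevent the sleep transition from occuring"); it should be "occurring". The same spelling is re-added in the hibernate (plugged in) and both standby timeout hunks further down, so correct all four in this change.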
@@ -286,20 +293,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system hibernate timeout (on battery)*
- GP name: *DCHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -348,20 +357,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system hibernate timeout (plugged in)*
- GP name: *ACHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -392,15 +403,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -408,20 +419,22 @@ If you disable this policy setting, the user is not prompted for a password when
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require a password when a computer wakes (on battery)*
- GP name: *DCPromptForPasswordOnResume_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
-
+
+
**Power/RequirePasswordWhenComputerWakesPluggedIn**
-
+
Home
@@ -443,8 +456,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -452,15 +465,15 @@ ADMX Info:
-
-
+
+
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -468,20 +481,22 @@ If you disable this policy setting, the user is not prompted for a password when
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require a password when a computer wakes (plugged in)*
- GP name: *ACPromptForPasswordOnResume_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
-
+
+
**Power/StandbyTimeoutOnBattery**
-
+
Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -530,20 +545,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system sleep timeout (on battery)*
- GP name: *DCStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
+
Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
-
If you disable or do not configure this policy setting, users control this setting.
+If you disable or do not configure this policy setting, users control this setting.
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -592,15 +609,15 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify the system sleep timeout (plugged in)*
- GP name: *ACStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
-
-
+
+
Footnote:
@@ -609,5 +626,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 8718ad65f0..fd0939f604 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - Printers
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## Printers policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,8 +67,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
If you enable this policy setting:
@@ -86,7 +88,7 @@ If you disable this policy setting:
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -94,20 +96,22 @@ If you disable this policy setting:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions_Win7*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
-
-
+
+
+
-
+
+
**Printers/PointAndPrintRestrictions_User**
-
+
Home
@@ -129,8 +133,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -138,8 +142,8 @@ ADMX Info:
-
-
+
+
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
If you enable this policy setting:
@@ -159,7 +163,7 @@ If you disable this policy setting:
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -167,20 +171,22 @@ If you disable this policy setting:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions*
- GP path: *Control Panel/Printers*
- GP ADMX file name: *Printing.admx*
-
-
+
+
+
-
+
+
**Printers/PublishPrinters**
-
+
Home
@@ -202,8 +208,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -211,8 +217,8 @@ ADMX Info:
-
-
+
+
Determines whether the computer's shared printers can be published in Active Directory.
If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
@@ -221,7 +227,7 @@ If you disable this setting, this computer's shared printers cannot be published
Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -229,15 +235,15 @@ Note: This settings takes priority over the setting "Automatically publish new p
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow printers to be published*
- GP name: *PublishPrinters*
- GP path: *Printers*
- GP ADMX file name: *Printing2.admx*
-
-
+
+
Footnote:
@@ -246,5 +252,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 9c4392ca1c..3595219241 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Privacy
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Privacy policies
Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
+
+
+Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
> [!Note]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -305,12 +307,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**Privacy/AllowInputPersonalization**
-
+
Home
@@ -332,8 +336,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -341,28 +345,36 @@ The following list shows the supported values:
-
-
-
Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
+
+
+Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
-
Most restricted value is 0.
-
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow input personalization*
+- GP name: *AllowInputPersonalization*
+- GP path: *Control Panel/Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
-
+
+
**Privacy/DisableAdvertisingId**
-
+
Home
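Review bot: In the re-added AllowInputPersonalization description, "Setting this policy to 1, lets Microsoft use the user's voice data" keeps a stray comma, and the text never connects that sentence to the value list later in the hunk, where 1 is marked as the default. Suggest dropping the comma and stating outright that the default value permits voice data to be used for cloud speech services, so an admin reading "Most restricted value is 0" knows a change is needed to get there.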
@@ -384,8 +396,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -393,13 +405,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Enables or disables the Advertising ID.
+
+
+Added in Windows 10, version 1607. Enables or disables the Advertising ID.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Turn off the advertising ID*
+- GP name: *DisableAdvertisingId*
+- GP path: *System/User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
The following list shows the supported values:
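Review bot: The polarity of DisableAdvertisingId is ambiguous after this change. The description says "Enables or disables the Advertising ID" and "Most restricted value is 0", while the newly added GP English name is "Turn off the advertising ID", so a reader cannot tell whether 0 turns the ID off or leaves the policy off. Suggest rewording the description to say which value disables the Advertising ID.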
@@ -408,12 +428,14 @@ The following list shows the supported values:
- 65535 (default)- Not configured.
-
+
+
-
+
+
**Privacy/EnableActivityFeed**
-
+
Home
@@ -435,8 +457,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -444,11 +466,19 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed.
-
+
+
+ADMX Info:
+- GP English name: *Enables Activity Feed*
+- GP name: *EnableActivityFeed*
+- GP path: *System/OS Policies*
+- GP ADMX file name: *OSPolicy.admx*
+
+
The following list shows the supported values:
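Review bot: EnableActivityFeed gets an ADMX Info block here but no "Most restricted value" line, unlike the other Privacy policies updated in this patch. Suggest adding one between the description and the ADMX Info block, and tightening "Allows IT Admins to allow Apps/OS to publish" to something like "Specifies whether apps and the OS can publish to the activity feed".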
@@ -456,12 +486,14 @@ The following list shows the supported values:
- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph.
-
+
+
-
+
+
**Privacy/LetAppsAccessAccountInfo**
-
+
Home
@@ -483,8 +515,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -492,25 +524,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access account information*
+- GP name: *LetAppsAccessAccountInfo*
+- GP element: *LetAppsAccessAccountInfo_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
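Review bot: The supported-values list at the end of this hunk is left inconsistent: "0 – User in control." and "1 – Force allow." use an en dash while "2 - Force deny." uses a hyphen, and no value is marked as the default the way AllowInputPersonalization marks "1 (default)". Suggest normalizing the separator and marking the default, since the hunk now states that 2 is the most restricted value and readers will want to know what an unconfigured device does.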
@@ -532,8 +578,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -541,17 +587,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access account information*
+- GP name: *LetAppsAccessAccountInfo*
+- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
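Review bot: The description re-added in this hunk says the listed apps override the default LetAppsAccessAccountInfo setting, but nothing here or in the sibling ForceDenyTheseApps and UserInControlOfTheseApps hunks says which list wins when the same Package Family Name appears in more than one of them. Suggest documenting the precedence, and showing one sample value so the semi-colon delimited format is unambiguous.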
@@ -573,8 +630,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -582,17 +639,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access account information*
+- GP name: *LetAppsAccessAccountInfo*
+- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -614,8 +682,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -623,17 +691,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access account information*
+- GP name: *LetAppsAccessAccountInfo*
+- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessCalendar**
-
+
Home
@@ -655,8 +734,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -664,25 +743,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the calendar*
+- GP name: *LetAppsAccessCalendar*
+- GP element: *LetAppsAccessCalendar_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -704,8 +797,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -713,17 +806,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the calendar*
+- GP name: *LetAppsAccessCalendar*
+- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -745,8 +849,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -754,17 +858,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the calendar*
+- GP name: *LetAppsAccessCalendar*
+- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -786,8 +901,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -795,17 +910,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the calendar*
+- GP name: *LetAppsAccessCalendar*
+- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessCallHistory**
-
+
Home
@@ -827,8 +953,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -836,25 +962,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -876,8 +1016,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -885,17 +1025,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -917,8 +1068,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -926,17 +1077,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -958,8 +1120,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -967,17 +1129,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access call history*
+- GP name: *LetAppsAccessCallHistory*
+- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessCamera**
-
+
Home
@@ -999,8 +1172,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1008,25 +1181,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1048,8 +1235,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1057,17 +1244,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
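Review bot: Terminology drifts in this hunk: the description says "Package Family Names of Microsoft Store Apps", while the added GP English name is "Let Windows apps access the camera" and the AccountInfo, Calendar and CallHistory descriptions in the same patch say "Windows apps". Suggest picking one term across the LetAppsAccess* descriptions so admins do not read them as covering different sets of apps.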
@@ -1089,8 +1287,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1098,17 +1296,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1130,8 +1339,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1139,17 +1348,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the camera*
+- GP name: *LetAppsAccessCamera*
+- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessContacts**
-
+
Home
@@ -1171,8 +1391,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1180,25 +1400,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access contacts*
+- GP name: *LetAppsAccessContacts*
+- GP element: *LetAppsAccessContacts_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1220,8 +1454,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1229,17 +1463,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access contacts*
+- GP name: *LetAppsAccessContacts*
+- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1261,8 +1506,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1270,17 +1515,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access contacts*
+- GP name: *LetAppsAccessContacts*
+- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1302,8 +1558,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1311,17 +1567,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access contacts*
+- GP name: *LetAppsAccessContacts*
+- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessEmail**
-
+
Home
@@ -1343,8 +1610,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1352,25 +1619,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access email*
+- GP name: *LetAppsAccessEmail*
+- GP element: *LetAppsAccessEmail_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1392,8 +1673,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1401,17 +1682,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access email*
+- GP name: *LetAppsAccessEmail*
+- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1433,8 +1725,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1442,17 +1734,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access email*
+- GP name: *LetAppsAccessEmail*
+- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1474,8 +1777,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1483,17 +1786,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access email*
+- GP name: *LetAppsAccessEmail*
+- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessLocation**
-
+
Home
@@ -1515,8 +1829,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1524,25 +1838,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access location*
+- GP name: *LetAppsAccessLocation*
+- GP element: *LetAppsAccessLocation_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -1564,8 +1892,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1573,17 +1901,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access location*
+- GP name: *LetAppsAccessLocation*
+- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1605,8 +1944,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1614,17 +1953,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access location*
+- GP name: *LetAppsAccessLocation*
+- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1646,8 +1996,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1655,17 +2005,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access location*
+- GP name: *LetAppsAccessLocation*
+- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessMessaging**
-
+
Home
@@ -1687,8 +2048,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1696,25 +2057,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access messaging*
+- GP name: *LetAppsAccessMessaging*
+- GP element: *LetAppsAccessMessaging_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
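Review bot: "Most restricted value is 2." is added above the ADMX block, before the reader has seen what 2 means, and it follows an unprefixed "The following list shows the supported values:" line while the same lead-in is added again further down. Please confirm the earlier lead-in is removed rather than kept as context, so the rendered page does not show it twice, and consider writing "Most restricted value is 2 (Force deny)." so the line stands on its own.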
@@ -1736,8 +2111,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1745,17 +2120,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access messaging*
+- GP name: *LetAppsAccessMessaging*
+- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1777,8 +2163,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1786,17 +2172,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access messaging*
+- GP name: *LetAppsAccessMessaging*
+- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1818,8 +2215,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1827,17 +2224,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access messaging*
+- GP name: *LetAppsAccessMessaging*
+- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessMicrophone**
-
+
Home
@@ -1859,8 +2267,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1868,25 +2276,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the microphone*
+- GP name: *LetAppsAccessMicrophone*
+- GP element: *LetAppsAccessMicrophone_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
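Review bot: The value list at the end of this hunk mixes separators: "0 – User in control." and "1 – Force allow." use an en dash while "2 - Force deny." uses a hyphen. Since the lead-in directly above the list is being re-added in this change, normalise the three items to one separator here and in the sibling *_Enum policies that carry the same list.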
@@ -1908,8 +2330,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1917,17 +2339,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the microphone*
+- GP name: *LetAppsAccessMicrophone*
+- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -1949,8 +2382,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1958,17 +2391,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the microphone*
+- GP name: *LetAppsAccessMicrophone*
+- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
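Review bot: The re-added description says the value is a "List of semi-colon delimited Package Family Names" but gives no sample value and does not say whether whitespace around the separator or a trailing separator is accepted. For a deny list this matters, because an entry that does not match leaves the app under the default LetAppsAccessMicrophone setting; please add a short example with placeholder names and state the exact format expected. "semi-colon" should also read "semicolon".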
@@ -1990,8 +2434,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1999,17 +2443,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access the microphone*
+- GP name: *LetAppsAccessMicrophone*
+- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessMotion**
-
+
Home
@@ -2031,8 +2486,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2040,25 +2495,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access motion*
+- GP name: *LetAppsAccessMotion*
+- GP element: *LetAppsAccessMotion_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2080,8 +2549,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2089,17 +2558,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access motion*
+- GP name: *LetAppsAccessMotion*
+- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2121,8 +2601,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2130,17 +2610,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access motion*
+- GP name: *LetAppsAccessMotion*
+- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2162,8 +2653,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2171,17 +2662,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access motion*
+- GP name: *LetAppsAccessMotion*
+- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessNotifications**
-
+
Home
@@ -2203,8 +2705,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2212,25 +2714,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access notifications*
+- GP name: *LetAppsAccessNotifications*
+- GP element: *LetAppsAccessNotifications_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2252,8 +2768,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2261,17 +2777,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access notifications*
+- GP name: *LetAppsAccessNotifications*
+- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2293,8 +2820,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2302,17 +2829,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access notifications*
+- GP name: *LetAppsAccessNotifications*
+- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2334,8 +2872,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2343,17 +2881,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access notifications*
+- GP name: *LetAppsAccessNotifications*
+- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessPhone**
-
+
Home
@@ -2375,8 +2924,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2384,25 +2933,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps make phone calls*
+- GP name: *LetAppsAccessPhone*
+- GP element: *LetAppsAccessPhone_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2424,8 +2987,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2433,17 +2996,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps make phone calls*
+- GP name: *LetAppsAccessPhone*
+- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2465,8 +3039,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2474,17 +3048,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps make phone calls*
+- GP name: *LetAppsAccessPhone*
+- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2506,8 +3091,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2515,17 +3100,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps make phone calls*
+- GP name: *LetAppsAccessPhone*
+- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessRadios**
-
+
Home
@@ -2547,8 +3143,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2556,25 +3152,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps control radios*
+- GP name: *LetAppsAccessRadios*
+- GP element: *LetAppsAccessRadios_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
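Review bot: The description "Specifies whether Windows apps have access to control radios." is awkward and does not match the GP English name added below it, "Let Windows apps control radios". Suggest "Specifies whether Windows apps can control radios." and, since the hunk never says which radios are meant, a few words naming them.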
@@ -2596,8 +3206,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2605,17 +3215,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps control radios*
+- GP name: *LetAppsAccessRadios*
+- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2637,8 +3258,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2646,17 +3267,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps control radios*
+- GP name: *LetAppsAccessRadios*
+- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2678,8 +3310,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2687,17 +3319,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps control radios*
+- GP name: *LetAppsAccessRadios*
+- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessTasks**
-
+
Home
@@ -2719,8 +3362,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2728,17 +3371,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
+
+
+Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access Tasks*
+- GP name: *LetAppsAccessTasks*
+- GP element: *LetAppsAccessTasks_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
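Review bot: This hunk gives LetAppsAccessTasks a GP element of LetAppsAccessTasks_Enum but, unlike the sibling *_Enum policies in this patch, adds neither a "Most restricted value is 2." line nor a supported-values list. Please add the value list for this policy (the siblings document 0 User in control, 1 Force allow, 2 Force deny) or note why it differs, so an admin does not have to infer the values from other policies.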
@@ -2760,8 +3414,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2769,17 +3423,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access Tasks*
+- GP name: *LetAppsAccessTasks*
+- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2801,8 +3466,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2810,17 +3475,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access Tasks*
+- GP name: *LetAppsAccessTasks*
+- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2842,8 +3518,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2851,17 +3527,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access Tasks*
+- GP name: *LetAppsAccessTasks*
+- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsAccessTrustedDevices**
-
+
Home
@@ -2883,8 +3570,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2892,25 +3579,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access trusted devices*
+- GP name: *LetAppsAccessTrustedDevices*
+- GP element: *LetAppsAccessTrustedDevices_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
@@ -2932,8 +3633,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2941,17 +3642,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access trusted devices*
+- GP name: *LetAppsAccessTrustedDevices*
+- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -2973,8 +3685,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2982,17 +3694,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access trusted devices*
+- GP name: *LetAppsAccessTrustedDevices*
+- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -3014,8 +3737,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3023,17 +3746,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access trusted devices*
+- GP name: *LetAppsAccessTrustedDevices*
+- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsGetDiagnosticInfo**
-
+
Home
@@ -3055,8 +3789,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3064,25 +3798,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
+
+
+Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access diagnostic information about other apps*
+- GP name: *LetAppsGetDiagnosticInfo*
+- GP element: *LetAppsGetDiagnosticInfo_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
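Review bot: The intro line "The following list shows the supported values:" is kept as an unchanged line above the new "Most restricted value is 2." and ADMX Info block, and is then added a second time directly before the list, so the first copy is left introducing nothing. Drop the first copy so the intro sits only above the 0/1/2 list. While touching the list, "2 - Force deny." uses a hyphen where the 0 and 1 entries use an en dash.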
@@ -3104,8 +3852,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3113,17 +3861,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access diagnostic information about other apps*
+- GP name: *LetAppsGetDiagnosticInfo*
+- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -3145,8 +3904,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3154,17 +3913,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access diagnostic information about other apps*
+- GP name: *LetAppsGetDiagnosticInfo*
+- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
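Review bot: The ForceDeny description says the list "overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps", but nothing in this or the sibling ForceAllow and UserInControl sections says which list wins when the same Package Family Name appears in more than one of them. Since this setting gates access to diagnostic information about other running apps, state the precedence explicitly, or state that a name must appear in only one list.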
@@ -3186,8 +3956,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3195,17 +3965,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps access diagnostic information about other apps*
+- GP name: *LetAppsGetDiagnosticInfo*
+- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsRunInBackground**
-
+
Home
@@ -3227,8 +4008,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3236,27 +4017,41 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
+
+
+Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+> [!WARNING]
+> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps run in the background*
+- GP name: *LetAppsRunInBackground*
+- GP element: *LetAppsRunInBackground_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control (default).
- 1 – Force allow.
- 2 - Force deny.
-
Most restricted value is 2.
-> [!WARNING]
-> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
+
+
-
-
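Review bot: "Most restricted value is 2." is added near the top of this hunk, above the WARNING, but the same sentence also remains as an unchanged line after the supported-values list, so the section would state it twice. Remove one of the two. The intro "The following list shows the supported values:" has the same problem here: it is kept above the new block and added again before the list.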
@@ -3278,8 +4073,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3287,17 +4082,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps run in the background*
+- GP name: *LetAppsRunInBackground*
+- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -3319,8 +4125,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3328,17 +4134,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps run in the background*
+- GP name: *LetAppsRunInBackground*
+- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -3360,8 +4177,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3369,17 +4186,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps run in the background*
+- GP name: *LetAppsRunInBackground*
+- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/LetAppsSyncWithDevices**
-
+
Home
@@ -3401,8 +4229,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3410,25 +4238,39 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
-
The following list shows the supported values:
+
+Most restricted value is 2.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps communicate with unpaired devices*
+- GP name: *LetAppsSyncWithDevices*
+- GP element: *LetAppsSyncWithDevices_Enum*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
+The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-
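Review bot: The added ADMX Info gives the GP English name as "Let Windows apps communicate with unpaired devices", while the description in the same hunk only says "Specifies whether Windows apps can sync with devices." An admin comparing the MDM policy with the Group Policy editor will not see that these are the same control, or that the scope is unpaired devices. Reword the description to mention unpaired devices so the two names line up.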
@@ -3450,8 +4292,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3459,17 +4301,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps communicate with unpaired devices*
+- GP name: *LetAppsSyncWithDevices*
+- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -3491,8 +4344,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3500,17 +4353,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps communicate with unpaired devices*
+- GP name: *LetAppsSyncWithDevices*
+- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
@@ -3532,8 +4396,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3541,17 +4405,28 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+ADMX Info:
+- GP English name: *Let Windows apps communicate with unpaired devices*
+- GP name: *LetAppsSyncWithDevices*
+- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List*
+- GP path: *Windows Components/App Privacy*
+- GP ADMX file name: *AppPrivacy.admx*
+
+
+
-
-
-
+
+
**Privacy/PublishUserActivities**
-
+
Home
@@ -3573,8 +4448,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -3582,11 +4457,19 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed.
-
+
+
+ADMX Info:
+- GP English name: *Allow publishing of User Activities*
+- GP name: *PublishUserActivities*
+- GP path: *System/OS Policies*
+- GP ADMX file name: *OSPolicy.admx*
+
+
The following list shows the supported values:
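Review bot: The unchanged description line in this hunk reads "Allows It Admins to enable publishing of user activities to the activity feed." Since the section is being edited anyway, fix the casing to "IT admins". The description would also be clearer if it said what the disabled value prevents, because the only value visible in the next hunk is "1 – (default) Enabled."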
@@ -3594,7 +4477,7 @@ The following list shows the supported values:
- 1 – (default) Enabled. Apps/OS can publish the *user activities*.
-
+
Footnote:
@@ -3603,7 +4486,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Privacy policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 29f29a7267..a26dd4c251 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - RemoteAssistance
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteAssistance policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -68,8 +70,8 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting lets you customize warning messages.
The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
@@ -82,7 +84,7 @@ If you disable this policy setting, the user sees the default warning message.
If you do not configure this policy setting, the user sees the default warning message.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -90,20 +92,22 @@ If you do not configure this policy setting, the user sees the default warning m
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Customize warning messages*
- GP name: *RA_Options*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
-
+
+
+
-
+
+
**RemoteAssistance/SessionLogging**
-
+
Home
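Review bot: The tip carried through this hunk tells admins that for XML-encoding the SyncML payload "there are a variety of online encoders that you can use". That steers people toward pasting policy payloads into third-party websites. Suggest recommending a local encoding step or the CDATA route the same tip already mentions, and dropping the online-encoder wording. The CDATA link is also plain http://www.w3.org/...; switch it to https. The same tip text recurs in the other ADMX-backed sections of this file and in policy-csp-remotedesktopservices.md.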
@@ -125,8 +129,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -134,8 +138,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
If you enable this policy setting, log files are generated.
@@ -144,7 +148,7 @@ If you disable this policy setting, log files are not generated.
If you do not configure this setting, application-based settings are used.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -152,20 +156,22 @@ If you do not configure this setting, application-based settings are used.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn on session logging*
- GP name: *RA_Logging*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
-
+
+
+
-
+
+
**RemoteAssistance/SolicitedRemoteAssistance**
-
+
Home
@@ -187,8 +193,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -196,8 +202,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
@@ -214,7 +220,7 @@ The "Select the method for sending email invitations" setting specifies which em
If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -222,20 +228,22 @@ If you enable this policy setting you should also enable appropriate firewall ex
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
-
+
+
+
-
+
+
**RemoteAssistance/UnsolicitedRemoteAssistance**
-
+
Home
@@ -257,8 +265,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -266,8 +274,8 @@ ADMX Info:
-
-
+
+
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
@@ -307,7 +315,7 @@ Port 135:TCP
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
Allow Remote Desktop Exception
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -315,15 +323,15 @@ Allow Remote Desktop Exception
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
-
-
+
+
Footnote:
@@ -332,5 +340,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index dc0834d71a..3af7f7ca34 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - RemoteDesktopServices
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteDesktopServices policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -74,21 +76,21 @@ ms.date: 11/01/2017
-
-
+
+
This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.
-If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
+If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
-Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
+Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
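Review bot: The two removed/added pairs in this hunk ("If you do not configure this policy setting, Remote Desktop Services uses..." and "Note: You can limit which clients are able to connect remotely...") read identically on both sides, so this appears to be a whitespace-only change; please say so in the commit message so reviewers do not hunt for a wording difference. Since the "Note:" paragraph is being rewritten anyway, consider turning it into a callout in the same style as the "> [!TIP]" block below, because the Network Level Authentication pointer is the security-relevant part of this section and is easy to miss as inline text.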
@@ -96,20 +98,22 @@ You can limit the number of users who can connect simultaneously by configuring
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/ClientConnectionEncryptionLevel**
-
+
Home
@@ -131,8 +135,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -140,8 +144,8 @@ ADMX Info:
-
-
+
+
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
@@ -158,7 +162,7 @@ Important
FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
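Review bot: The unchanged FIPS paragraph in this hunk splits the Group Policy setting name across a sentence break: "can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy". The setting is named "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", so the period should be a colon and the name should be set off (italics or quotes) so it can be searched for. The closing "Security Options.)" also has the period inside the parenthesis.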
@@ -166,20 +170,22 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/DoNotAllowDriveRedirection**
-
+
Home
@@ -201,8 +207,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -210,8 +216,8 @@ ADMX Info:
-
-
+
+
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.
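Review bot: The unchanged line in this hunk reads "Mapped drives appear in the session folder tree in File Explorer or Computer in the format on ." The placeholder text on either side of "on" is missing, so the sentence does not describe any format. If the placeholders were written with angle brackets, they are likely being swallowed as HTML; escape them or use italics so they render.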
@@ -222,7 +228,7 @@ If you disable this policy setting, client drive redirection is always allowed.
If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -230,20 +236,22 @@ If you do not configure this policy setting, client drive redirection and Clipbo
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/DoNotAllowPasswordSaving**
-
+
Home
@@ -265,8 +273,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -274,15 +282,15 @@ ADMX Info:
-
-
+
+
Controls whether passwords can be saved on this computer from Remote Desktop Connection.
If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -290,20 +298,22 @@ If you disable this setting or leave it not configured, the user will be able to
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/PromptForPasswordUponConnection**
-
+
Home
@@ -325,8 +335,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -334,8 +344,8 @@ ADMX Info:
-
-
+
+
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
@@ -348,7 +358,7 @@ If you disable this policy setting, users can always log on to Remote Desktop Se
If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -356,20 +366,22 @@ If you do not configure this policy setting, automatic logon is not specified at
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
+
-
+
+
**RemoteDesktopServices/RequireSecureRPCCommunication**
-
+
Home
@@ -391,8 +403,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -400,8 +412,8 @@ ADMX Info:
-
-
+
+
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
@@ -414,7 +426,7 @@ If the status is set to Not Configured, unsecured communication is allowed.
Note: The RPC interface is used for administering and configuring Remote Desktop Services.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -422,15 +434,15 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
-
-
+
+
Footnote:
@@ -439,5 +451,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 315cac1258..67d82bb4f9 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - RemoteManagement
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteManagement policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -101,9 +103,15 @@ ms.date: 11/01/2017
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
+
+If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.
+
+If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -111,20 +119,22 @@ ms.date: 11/01/2017
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowBasicAuthentication_Service**
-
+
Home
@@ -146,8 +156,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -155,9 +165,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.
+
+If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client.
+
+If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
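Review bot: The added service-side description omits the caveat that the client-side text for AllowBasicAuthentication_Client carries: with HTTP transport, the user name and password are sent over the network as clear text. The same exposure applies when the service accepts Basic authentication, so repeat that sentence after "the WinRM service accepts Basic authentication from a remote client" or point the reader to AllowUnencryptedTraffic_Service.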
@@ -165,20 +181,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowCredSSPAuthenticationClient**
-
+
Home
@@ -200,8 +218,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -209,9 +227,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication.
+
+If you enable this policy setting, the WinRM client uses CredSSP authentication.
+
+If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -219,20 +243,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowCredSSPAuthenticationService**
-
+
Home
@@ -254,8 +280,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -263,9 +289,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client.
+
+If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client.
+
+If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -273,20 +305,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowRemoteServerManagement**
-
+
Home
@@ -308,8 +342,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -317,9 +351,28 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
+
+If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
+
+To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).
+
+If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured.
+
+The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
+
+You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
+
+For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.
+
+Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter.
+
+Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
+Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
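Review bot: The added filter description has three rendering problems. "IPv6addresses" is missing a space. Both example lines carry a literal `\n` ("Example IPv4 filters:\n2.0.0.1-2.0.0.20, ...") that will show up as text in Markdown. The two bare asterisks in "asterisk (*) ... When * is used" sit on one line and will be read as emphasis markers. Put each example range on its own line in inline code, and escape the asterisks or wrap them in backticks. It would also help to say that a blank filter means the service listens on no addresses before the sentence about `*`, since that is the safer default an admin should know first.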
@@ -327,20 +380,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowUnencryptedTraffic_Client**
-
+
Home
@@ -362,8 +417,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -371,9 +426,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.
+
+If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network.
+
+If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -381,20 +442,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/AllowUnencryptedTraffic_Service**
-
+
Home
@@ -416,8 +479,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -425,9 +488,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.
+
+If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network.
+
+If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
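Review bot: The second and third added paragraphs say "the WinRM client sends and receives unencrypted messages" and "the WinRM client sends or receives only encrypted messages", but this hunk documents AllowUnencryptedTraffic_Service and its first paragraph is about the WinRM service. The text looks copied from AllowUnencryptedTraffic_Client; change "client" to "service" in both sentences so the enable and disable behaviour describes the policy being set.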
@@ -435,20 +504,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/DisallowDigestAuthentication**
-
+
Home
@@ -470,8 +541,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -479,9 +550,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.
+
+If you enable this policy setting, the WinRM client does not use Digest authentication.
+
+If you disable or do not configure this policy setting, the WinRM client uses Digest authentication.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -489,20 +566,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/DisallowNegotiateAuthenticationClient**
-
+
Home
@@ -524,8 +603,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -533,9 +612,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication.
+
+If you enable this policy setting, the WinRM client does not use Negotiate authentication.
+
+If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -543,20 +628,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/DisallowNegotiateAuthenticationService**
-
+
Home
@@ -578,8 +665,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -587,9 +674,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication from a remote client.
+
+If you enable this policy setting, the WinRM service does not accept Negotiate authentication from a remote client.
+
+If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -597,20 +690,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/DisallowStoringOfRunAsCredentials**
-
+
Home
@@ -632,8 +727,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -641,9 +736,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins.
+
+If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.
+
+If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely.
+
+If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
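Review bot: In the last added paragraph, "policy setting,any values" is missing the space after the comma. The opening sentence, "manage whether the ... service will not allow RunAs credentials to be stored", is a double negative that is hard to map onto enabled/disabled; "manage whether the WinRM service allows RunAs credentials to be stored for plug-ins" reads more clearly. Since enabling the policy erases any stored RunAsPassword, consider moving the "will need to be reset" sentence directly after the enable paragraph so the side effect is seen before the policy is turned on.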
@@ -651,20 +754,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel**
-
+
Home
@@ -686,8 +791,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -695,9 +800,21 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens.
+
+If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token.
+
+If you disable or do not configure this policy setting, you can configure the hardening level locally on each computer.
+
+If HardeningLevel is set to Strict, any request not containing a valid channel binding token is rejected.
+
+If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that does not contain a channel binding token is accepted (though it is not protected from credential-forwarding attacks).
+
+If HardeningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks).
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
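Review bot: The three HardeningLevel paragraphs (Strict, Relaxed, None) would be easier to compare as a bulleted list, and the parenthetical "though it is not protected from credential-forwarding attacks" is repeated without saying that only Strict gives that protection for every request. State that explicitly, and clarify whether "Relaxed (default value)" is the default when the policy is enabled without a level or the local default when the policy is not configured, since the third paragraph says the level is then set locally on each computer.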
@@ -705,20 +822,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/TrustedHosts**
-
+
Home
@@ -740,8 +859,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -749,9 +868,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity.
+
+If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host.
+
+If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
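Review bot: The added description never says what TrustedHostsList may contain or how entries are separated, although the list is what the client relies on "when neither HTTPS nor Kerberos are used to authenticate the identity of the host". Because the list stands in for host authentication, document the accepted entry syntax here or link to it. Also fix the agreement in that sentence: "neither HTTPS nor Kerberos is used".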
@@ -759,20 +884,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Trusted Hosts*
- GP name: *TrustedHosts*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/TurnOnCompatibilityHTTPListener**
-
+
Home
@@ -794,8 +921,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -803,9 +930,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service.
+
+If you enable this policy setting, the HTTP listener always appears.
+
+If you disable or do not configure this policy setting, the HTTP listener never appears.
+
+When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985.
+
+A listener might be automatically created on port 80 to ensure backward compatibility.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -813,20 +950,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
+
-
+
+
**RemoteManagement/TurnOnCompatibilityHTTPSListener**
-
+
Home
@@ -848,8 +987,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -857,9 +996,19 @@ ADMX Info:
-
-
-
+
+
+This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service.
+
+If you enable this policy setting, the HTTPS listener always appears.
+
+If you disable or do not configure this policy setting, the HTTPS listener never appears.
+
+When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986.
+
+A listener might be automatically created on port 443 to ensure backward compatibility.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -867,15 +1016,15 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-
-
+
+
Footnote:
@@ -884,5 +1033,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 1569a65e29..41fb1d8539 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - RemoteProcedureCall
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteProcedureCall policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -62,9 +64,9 @@ ms.date: 11/01/2017
-
-
-This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
+
+
+This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
@@ -74,7 +76,7 @@ If you do not configure this policy setting, it remains disabled. RPC clients w
Note: This policy will not be applied until the system is rebooted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -82,20 +84,22 @@ Note: This policy will not be applied until the system is rebooted.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
-
-
+
+
+
-
+
+
**RemoteProcedureCall/RestrictUnauthenticatedRPCClients**
-
+
Home
@@ -117,8 +121,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -126,15 +130,15 @@ ADMX Info:
-
-
+
+
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
-If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
+If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
-If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
+If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
@@ -146,7 +150,7 @@ If you enable this policy setting, it directs the RPC server runtime to restrict
Note: This policy setting will not be applied until the system is rebooted.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -154,15 +158,15 @@ Note: This policy setting will not be applied until the system is rebooted.
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
-
-
+
+
Footnote:
@@ -171,5 +175,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index a9538c867b..20a0ac4151 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 03/05/2018
---
# Policy CSP - RemoteShell
@@ -15,7 +15,7 @@ ms.date: 11/01/2017
-
+
## RemoteShell policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -77,9 +79,15 @@ ms.date: 11/01/2017
-
-
-
+
+
+This policy setting configures access to remote shells.
+
+If you enable or do not configure this policy setting, new remote shell connections are accepted by the server.
+
+If you set this policy to ‘disabled’, new remote shell connections are rejected by the server.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
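Review bot: The last added sentence, "If you set this policy to ‘disabled’", uses typographic quotes and a different verb form from the rest of the file, which writes "If you disable this policy setting". Suggest "If you disable this policy setting, new remote shell connections are rejected by the server." so the three states (enabled, not configured, disabled) are described in the same terms and the text does not depend on smart-quote encoding.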
@@ -87,20 +95,22 @@ ms.date: 11/01/2017
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/MaxConcurrentUsers**
-
+
Home
@@ -122,8 +132,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -131,9 +141,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system.
+
+The value can be any number from 1 to 100.
+
+If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit.
+
+If you disable or do not configure this policy setting, the default number is five users.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -141,20 +159,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyIdleTimeout**
-
+
Home
@@ -176,8 +196,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -185,9 +205,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is automatically deleted.
+
+Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values.
+
+If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell.
+
+If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
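Review bot: The range sentence mixes a hexadecimal upper bound (0x7FFFFFFF) with decimal millisecond values (60000, 900000), and the clamping rule is easy to miss. An admin who sets a value below 60000 expecting a shorter idle timeout gets 1 minute instead. Suggest stating the range in one notation and making the clamp explicit, for example "values below 60000 are treated as 60000". Also, the first sentence says the shell is "automatically deleted" while the third says "terminating the open shell"; pick one term.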
@@ -195,20 +223,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify idle Timeout*
- GP name: *IdleTimeout*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyMaxMemory**
-
+
Home
@@ -230,8 +260,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -239,9 +269,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote shell and all its child processes.
+
+Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, which means the ability of remote operations to allocate memory is only limited by the available virtual memory.
+
+If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota.
+
+If you disable or do not configure this policy setting, the value 150 is used by default.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
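Review bot: The default sentence, "the value 150 is used by default", omits the unit; the first sentence says megabytes, so write "150 MB". Separately, the text says 0 means unlimited, bounded only by available virtual memory. Since this setting is a per-shell resource quota, consider calling out that 0 removes the quota entirely rather than leaving it inside the range description.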
@@ -249,20 +287,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyMaxProcesses**
-
+
Home
@@ -284,8 +324,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -293,9 +333,15 @@ ADMX Info:
-
-
-
+
+
+This policy setting configures the maximum number of processes a remote shell is allowed to launch.
+
+If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes.
+
+If you disable or do not configure this policy setting, the limit is five processes per shell.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
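Review bot: In the second added paragraph, "the maximum number of process per shell" should read "processes per shell". As with the memory setting, "Zero (0) means unlimited number of processes" removes the limit rather than tightening it, which is worth stating directly next to the default of five so that 0 is not mistaken for the most restrictive value.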
@@ -303,20 +349,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyMaxRemoteShells**
-
+
Home
@@ -338,8 +386,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -347,9 +395,17 @@ ADMX Info:
-
-
-
+
+
+This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system.
+
+Any number from 0 to 0x7FFFFFFF cand be set, where 0 means unlimited number of shells.
+
+If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit.
+
+If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
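Review bot: Typo in the second added paragraph: "cand be set" should be "can be set". The sentence also says 0 means an unlimited number of shells, while the enabled-state sentence says new shells are refused "if the count exceeds the specified limit"; consider noting that 0 is the exception to that rule.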
@@ -357,20 +413,22 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
+
-
+
+
**RemoteShell/SpecifyShellTimeout**
-
+
Home
@@ -392,8 +450,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -401,9 +459,11 @@ ADMX Info:
-
-
-
+
+
+This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -411,15 +471,15 @@ ADMX Info:
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-
-
+
+
Footnote:
@@ -428,5 +488,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
new file mode 100644
index 0000000000..8b0251476c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -0,0 +1,96 @@
+---
+title: Policy CSP - RestrictedGroups
+description: Policy CSP - RestrictedGroups
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 01/12/2018
+---
+
+# Policy CSP - RestrictedGroups
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+
+## RestrictedGroups policies
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership.
+
+> [!Note]
+> This policy is only scoped to the Administrators group at this time.
+
+Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+
+> [!Note]
+> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
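Review bot: The most consequential behaviour in this new file sits in the second [!Note]: enforcement removes every current member not on the list, "This can include default members, such as administrators", and an empty Members list leaves the group with no members. The first note says the policy is currently scoped to the Administrators group only, so a wrong or empty list removes local admin access. Suggest promoting that note to a warning and placing it before the Alice and John example. The added lines also never show how the Members list is expressed in the policy value, so a reader cannot configure the policy from this page; a short format description or sample payload is needed. Minor: the description front-matter field repeats the title, and ms.date is 01/12/2018 while the other files in this change are bumped to 03/05/2018.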
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 204a76ade1..85b59673d8 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/08/2018
+ms.date: 03/05/2018
---
# Policy CSP - Search
@@ -17,7 +17,7 @@ ms.date: 01/08/2018
-
+
## Search policies
Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
+
+
+Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Allow Cloud Search*
+- GP name: *AllowCloudSearch*
+- GP element: *AllowCloudSearch_Dropdown*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
-
+
+
**Search/AllowCortanaInAAD**
-
+
Home
@@ -137,8 +152,8 @@ ms.date: 01/08/2018
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -146,31 +161,34 @@ ms.date: 01/08/2018
-
-
-Added in Windows 10, next major update. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow..
+
+
+Added in Windows 10, version 1803. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow..
-
+
+
+ADMX Info:
+- GP English name: *Allow Cortana Page in OOBE on an AAD account*
+- GP name: *AllowCortanaInAAD*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
- 0 (default) - Not allowed. The Cortana consent page will not appear in AAD OOBE during setup.
- 1 - Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup.
-
-
+
-
-
-
-
-
-
+
+
**Search/AllowIndexingEncryptedStoresOrItems**
-
+
Home
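Review bot: The replacement description line still ends with a double period ("AAD OOBE flow.."); since the line is being rewritten anyway to change "next major update" to "version 1803", fix the punctuation in the same edit. The unchanged value line "The Cortana consent page will appear in Azure AAD OOBE during setup" expands to "Azure Azure Active Directory"; suggest "AAD OOBE" to match the line above it.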
@@ -192,8 +210,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -201,17 +219,25 @@ The following list shows the supported values:
-
-
-
Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
+
+
+Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
-
When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
+When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
-
When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device.
+When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow indexing of encrypted files*
+- GP name: *AllowIndexingEncryptedStoresOrItems*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
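Review bot: The re-added paragraph beginning "When the policy is enabled" states that metadata for WIP protected items, including file path and date modified, is stored in an unencrypted location, yet the only guidance is "Most restricted value is 0." This is a data-exposure trade-off and deserves a [!NOTE] or similar callout, in the style used elsewhere in these files, rather than plain body text. Grammar: "the metadata about them are stored" reads better as "is stored".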
@@ -219,12 +245,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Search/AllowSearchToUseLocation**
-
+
Home
@@ -246,8 +274,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -255,13 +283,21 @@ The following list shows the supported values:
-
-
-
Specifies whether search can leverage location information.
+
+
+Specifies whether search can leverage location information.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow search and Cortana to use location*
+- GP name: *AllowSearchToUseLocation*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -269,12 +305,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Search/AllowStoringImagesFromVisionSearch**
-
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -282,17 +320,19 @@ The following list shows the supported values:
-
-
-
This policy has been deprecated.
+
+
+This policy has been deprecated.
+
+
+
-
-
-
+
+
**Search/AllowUsingDiacritics**
-
+
Home
@@ -314,8 +354,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -323,24 +363,37 @@ The following list shows the supported values:
-
-
-
Allows the use of diacritics.
+
+
+Allows the use of diacritics.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+ADMX Info:
+- GP English name: *Allow use of diacritics*
+- GP name: *AllowUsingDiacritics*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
Most restricted value is 0.
+
+
-
-
-
+
+
**Search/AllowWindowsIndexer**
-
+
Home
@@ -362,8 +415,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -371,17 +424,19 @@ The following list shows the supported values:
-
-
-
Allow Windows indexer. Value type is integer.
+
+
+Allow Windows indexer. Value type is integer.
+
+
+
-
-
-
+
+
**Search/AlwaysUseAutoLangDetection**
-
+
Home
@@ -403,8 +458,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -412,24 +467,37 @@ The following list shows the supported values:
-
-
-
Specifies whether to always use automatic language detection when indexing content and properties.
+
+
+Specifies whether to always use automatic language detection when indexing content and properties.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+ADMX Info:
+- GP English name: *Always use automatic language detection when indexing content and properties*
+- GP name: *AlwaysUseAutoLangDetection*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
Most restricted value is 0.
+
+
-
-
-
+
+
**Search/DisableBackoff**
-
+
Home
@@ -451,8 +519,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -460,22 +528,34 @@ The following list shows the supported values:
-
-
-
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
+
+
+If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Disable indexer backoff*
+- GP name: *DisableBackoff*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Disable.
- 1 – Enable.
-
-
+
+
+
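Review bot: The value list "0 (default) – Disable." and "1 – Enable." is ambiguous for a policy whose name is already a negative (DisableBackoff). The description says "If enabled, the search indexer backoff feature will be disabled", so a reader has to resolve a double negative to learn that 1 turns throttling off. Suggest describing each value by its effect, for example "0 (default) – Backoff is used; indexing is throttled when system activity is high" and "1 – Backoff is disabled; indexing continues at full speed".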
@@ -497,8 +577,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -506,26 +586,38 @@ The following list shows the supported values:
-
-
-
This policy setting configures whether or not locations on removable drives can be added to libraries.
+
+
+This policy setting configures whether or not locations on removable drives can be added to libraries.
-
If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.
+If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.
-
If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
+If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Do not allow locations on removable drives to be added to libraries*
+- GP name: *DisableRemovableDriveIndexing*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Disable.
- 1 – Enable.
-
-
+
+
+
-
+
+
**Search/DoNotUseWebResults**
-
+
Home
@@ -547,8 +639,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -556,16 +648,24 @@ The following list shows the supported values:
-
-
-Added in Windows 10, next major update. Don't search the web or display web results in Search.
+
+
+Added in Windows 10, version 1803. Don't search the web or display web results in Search.
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search.
If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search.
If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search.
-
+
+
+ADMX Info:
+- GP English name: *Don't search the web or display web results in Search*
+- GP name: *DoNotUseWebResults*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
The following list shows the supported values:
@@ -573,18 +673,14 @@ The following list shows the supported values:
- 1 (default) - Allowed. Queries will be performed on the web and web results will be displayed when a user performs a query in Search.
-
+
-
-
-
-
-
-
+
+
**Search/PreventIndexingLowDiskSpaceMB**
-
+
Home
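Review bot: The context line "1 (default) - Allowed. Queries will be performed on the web and web results will be displayed" reads in the opposite sense to the policy name DoNotUseWebResults and to the description in the preceding hunk, where "If you enable this policy setting, queries won't be performed on the web". With the new ADMX Info block tying this CSP to the GP "Don't search the web or display web results in Search", the page should state explicitly which numeric value corresponds to enabling that GP setting; otherwise an admin mapping GP to MDM can end up with the inverse of what was intended.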
@@ -606,8 +702,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -615,26 +711,38 @@ The following list shows the supported values:
-
-
-
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
+
+
+Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
-
Enable this policy if computers in your environment have extremely limited hard drive space.
+Enable this policy if computers in your environment have extremely limited hard drive space.
-
When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
+When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Stop indexing in the event of limited hard drive space*
+- GP name: *StopIndexingOnLimitedHardDriveSpace*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
- 0 – Disable.
- 1 (default) – Enable.
-
-
+
+
+
-
+
+
**Search/PreventRemoteQueries**
-
+
Home
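Review bot: The description refers to "the specified amount of hard drive space" and the policy name ends in MB, but the only accepted input is "Select between 0 and 1" with values "0 – Disable" and "1 (default) – Enable". Nothing on the page says what the threshold actually is. Either state the disk-space threshold that applies when the value is 1, or reword the first sentence so it does not imply that an amount can be specified.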
@@ -656,8 +764,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -665,22 +773,34 @@ The following list shows the supported values:
-
-
-
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
+
+
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Prevent clients from querying the index remotely*
+- GP name: *PreventRemoteQueries*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
- 0 – Disable.
- 1 (default) – Enable.
-
-
+
+
+
-
+
+
**Search/SafeSearchPermissions**
-
+
Home
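Review bot: The re-added description line ends with a double period ("this computer's index.."); fix it while the line is being touched. The value list "0 – Disable" and "1 (default) – Enable" would be clearer if it stated the effect, since the default of 1 means remote clients cannot query this computer's index, which is the more restrictive state and worth saying outright.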
@@ -702,8 +822,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -711,23 +831,26 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies what level of safe search (filtering adult content) is required.
+Specifies what level of safe search (filtering adult content) is required.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Strict, highest filtering against adult content.
- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered).
-
Most restricted value is 0.
-
-
-
+
+
Footnote:
@@ -736,7 +859,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Search policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 41b61f3d9e..9d95aab726 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/16/2018
+ms.date: 03/05/2018
---
# Policy CSP - Security
@@ -17,7 +17,7 @@ ms.date: 01/16/2018
-
+
## Security policies
Specifies whether to allow the runtime configuration agent to install provisioning packages.
+
+
+Specifies whether to allow the runtime configuration agent to install provisioning packages.
-
+
The following list shows the supported values:
@@ -103,12 +105,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -130,8 +134,8 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy has been deprecated in Windows 10, version 1607
@@ -141,20 +145,24 @@ The following list shows the supported values:
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
-
+
+
+
@@ -176,8 +184,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -185,17 +193,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Specifies whether the user is allowed to manually install root and intermediate CA certificates.
+Specifies whether the user is allowed to manually install root and intermediate CA certificates.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -203,12 +211,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -230,8 +240,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -239,11 +249,11 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow the runtime configuration agent to remove provisioning packages.
+
+
+Specifies whether to allow the runtime configuration agent to remove provisioning packages.
-
+
The following list shows the supported values:
@@ -251,12 +261,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Security/AntiTheftMode**
-
+
Home
@@ -278,8 +290,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -287,15 +299,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
Allows or disallow Anti Theft Mode on the device.
+Allows or disallow Anti Theft Mode on the device.
-
+
The following list shows the supported values:
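Review bot: the re-added description line "+Allows or disallow Anti Theft Mode on the device." keeps the grammar slip from the line it replaces. Since the line is being rewritten in this hunk anyway, change it to "Allows or disallows Anti Theft Mode on the device."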
@@ -303,12 +315,14 @@ The following list shows the supported values:
- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).
-
+
+
-
+
+
**Security/ClearTPMIfNotReady**
-
+
Home
@@ -330,8 +344,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -339,14 +353,22 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
-
+
+
+ADMX Info:
+- GP English name: *Configure the system to clear the TPM if it is not in a ready state.*
+- GP name: *ClearTPMIfNotReady_Name*
+- GP path: *System/Trusted Platform Module Services*
+- GP ADMX file name: *TPM.admx*
+
+
The following list shows the supported values:
@@ -354,12 +376,14 @@ The following list shows the supported values:
- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
-
+
+
-
+
+
**Security/ConfigureWindowsPasswords**
-
+
Home
@@ -381,8 +405,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -390,33 +414,30 @@ The following list shows the supported values:
-
-
-Added in Windows 10, next major update. Configures the use of passwords for Windows features.
+
+
+Added in Windows 10, version 1803. Configures the use of passwords for Windows features.
> [!Note]
> This policy is only supported in Windows 10 S.
-
+
The following list shows the supported values:
- 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features)
- 1- Allow passwords (Passwords continue to be allowed to be used for Windows features)
- 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords")
+
-
+
-
-
-
-
-
-
+
+
**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
+
Home
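Review bot: the supported-values list under Security/ConfigureWindowsPasswords is formatted inconsistently ("0 -Disallow passwords", "1- Allow passwords", "2- Default") and does not mark the default the way the other lists in this file do ("0 (default) – ..."). Suggest normalizing the three bullets and marking 2 as "(default)", and using [!NOTE] rather than [!Note] to match the other alerts. The footnote list at the end of this file still stops at "Added in Windows 10, version 1709", so if this policy is footnoted in the edition table it needs a version 1803 entry now that the description names that release.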
@@ -438,8 +459,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -447,28 +468,32 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
+Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
-
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Encryption enabled.
- 1 – Encryption disabled.
-
-
+
+
+
-
+
+
**Security/RequireDeviceEncryption**
-
+
Home
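Review bot: the description re-added for Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices still reads "Specifies whether to allow automatic device encryption during OOBE", which is the wording of the deprecated Allow policy and has the opposite sense to this policy's values (0 = Encryption enabled, 1 = Encryption disabled). Reword it to "Specifies whether to prevent automatic device encryption ..." so that an admin who reads only the description does not set 1 expecting encryption to be turned on.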
@@ -481,17 +506,17 @@ The following list shows the supported values:
-
-
-
-
+
+
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -499,30 +524,32 @@ The following list shows the supported values:
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
+
+
+Allows enterprise to turn on internal storage encryption.
-
Allows enterprise to turn on internal storage encryption.
-
The following list shows the supported values:
-
-- 0 (default) – Encryption is not required.
-- 1 – Encryption is required.
-
-
Most restricted value is 1.
+Most restricted value is 1.
> [!IMPORTANT]
> If encryption has been enabled, it cannot be turned off by using this policy.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – Encryption is not required.
+- 1 – Encryption is required.
+
+
+
+
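Review bot: the NOTE removed in this hunk was the only text stating that Security/RequireDeviceEncryption is enforced only in Windows 10 Mobile and that desktop encryption status is read from the DeviceStatus CSP node DeviceStatus/Compliance/EncryptionCompliance, and none of the added lines replaces it. If the platform restriction still applies, keep the note; if it was dropped on purpose, say so in the commit message, because without it the section reads as if setting 1 enforces encryption on desktop as well.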
@@ -544,8 +571,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -553,22 +580,26 @@ The following list shows the supported values:
-
-
-
Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
+
+
+Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – Not required.
- 1 – Required.
-
-
+
+
+
@@ -590,8 +621,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -599,16 +630,12 @@ The following list shows the supported values:
-
-
-
Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
+
+
+Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
-
The following list shows the supported values:
-- 0 (default) – Not required.
-- 1 – Required.
-
-
Setting this policy to 1 (Required):
+Setting this policy to 1 (Required):
- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.
@@ -617,10 +644,17 @@ The following list shows the supported values:
> We recommend that this policy is set to Required after MDM enrollment.
-
Most restricted value is 1.
+Most restricted value is 1.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – Not required.
+- 1 – Required.
+
+
+
Footnote:
@@ -629,7 +663,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Security policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index eae7e34484..5031440194 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 03/05/2018
---
# Policy CSP - Settings
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## Settings policies
@@ -65,11 +65,13 @@ ms.date: 12/19/2017
+
-
+
+
**Settings/AllowAutoPlay**
-
+
Home
@@ -91,8 +93,8 @@ ms.date: 12/19/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -100,18 +102,18 @@ ms.date: 12/19/2017
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change Auto Play settings.
+Allows the user to change Auto Play settings.
> [!NOTE]
> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
-
+
The following list shows the supported values:
@@ -119,12 +121,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowDataSense**
-
+
Home
@@ -146,8 +150,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -155,11 +159,11 @@ The following list shows the supported values:
-
-
-
Allows the user to change Data Sense settings.
+
+
+Allows the user to change Data Sense settings.
-
+
The following list shows the supported values:
@@ -167,12 +171,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowDateTime**
-
+
Home
@@ -194,8 +200,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -203,11 +209,11 @@ The following list shows the supported values:
-
-
-
Allows the user to change date and time settings.
+
+
+Allows the user to change date and time settings.
-
+
The following list shows the supported values:
@@ -215,12 +221,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowEditDeviceName**
-
+
Home
@@ -242,8 +250,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -251,11 +259,11 @@ The following list shows the supported values:
-
-
-
Allows editing of the device name.
+
+
+Allows editing of the device name.
-
+
The following list shows the supported values:
@@ -263,12 +271,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowLanguage**
-
+
Home
@@ -290,8 +300,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -299,15 +309,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change the language settings.
+Allows the user to change the language settings.
-
+
The following list shows the supported values:
@@ -315,12 +325,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowOnlineTips**
-
+
Home
@@ -342,8 +354,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -351,27 +363,30 @@ The following list shows the supported values:
-
-
+
+
Enables or disables the retrieval of online tips and help for the Settings app.
If disabled, Settings will not contact Microsoft content services to retrieve tips and help content.
-
-
-
-
+
+
+ADMX Info:
+- GP English name: *Allow Online Tips*
+- GP name: *AllowOnlineTips*
+- GP element: *CheckBox_AllowOnlineTips*
+- GP path: *Control Panel*
+- GP ADMX file name: *ControlPanel.admx*
-
-
+
+
-
-
-
+
+
**Settings/AllowPowerSleep**
-
+
Home
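Review bot: the Settings/AllowOnlineTips section gains an ADMX Info block here but still has no supported-values list, unlike the neighbouring Settings policies, which each carry one. Add the list with the default marked, so that "Enables or disables the retrieval of online tips" maps to concrete values an MDM profile can set.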
@@ -393,8 +408,8 @@ If disabled, Settings will not contact Microsoft content services to retrieve ti
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -402,15 +417,15 @@ If disabled, Settings will not contact Microsoft content services to retrieve ti
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change power and sleep settings.
+Allows the user to change power and sleep settings.
-
+
The following list shows the supported values:
@@ -418,12 +433,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowRegion**
-
+
Home
@@ -445,8 +462,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -454,15 +471,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change the region settings.
+Allows the user to change the region settings.
-
+
The following list shows the supported values:
@@ -470,12 +487,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowSignInOptions**
-
+
Home
@@ -497,8 +516,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -506,15 +525,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows the user to change sign-in options.
+Allows the user to change sign-in options.
-
+
The following list shows the supported values:
@@ -522,12 +541,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowVPN**
-
+
Home
@@ -549,8 +570,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -558,11 +579,11 @@ The following list shows the supported values:
-
-
-
Allows the user to change VPN settings.
+
+
+Allows the user to change VPN settings.
-
+
The following list shows the supported values:
@@ -570,12 +591,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowWorkplace**
-
+
Home
@@ -597,8 +620,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -606,15 +629,15 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Allows user to change workplace settings.
+Allows user to change workplace settings.
-
+
The following list shows the supported values:
@@ -622,12 +645,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/AllowYourAccount**
-
+
Home
@@ -649,8 +674,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -658,11 +683,11 @@ The following list shows the supported values:
-
-
-
Allows user to change account settings.
+
+
+Allows user to change account settings.
-
+
The following list shows the supported values:
@@ -670,12 +695,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Settings/ConfigureTaskbarCalendar**
-
+
Home
@@ -697,8 +724,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -706,24 +733,36 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Show additional calendar*
+- GP name: *ConfigureTaskbarCalendar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – User will be allowed to configure the setting.
- 1 – Don't show additional calendars.
- 2 - Simplified Chinese (Lunar).
- 3 - Traditional Chinese (Lunar).
-
-
+
+
+
-
+
+
**Settings/PageVisibilityList**
-
+
Home
@@ -745,8 +784,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -754,17 +793,17 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
-
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
+The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
-
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
+If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
-
The format of the PageVisibilityList value is as follows:
+The format of the PageVisibilityList value is as follows:
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
- There are two variants: one that shows only the given pages and one which hides the given pages.
@@ -772,24 +811,35 @@ The following list shows the supported values:
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi".
-
The default value for this setting is an empty string, which is interpreted as show everything.
+The default value for this setting is an empty string, which is interpreted as show everything.
-
Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
+Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
-
Example 2, specifies that the wifi page should not be shown:
+Example 2, specifies that the wifi page should not be shown:
-
hide:wifi
+hide:wifi
-
To validate on Desktop, do the following:
+
+
+ADMX Info:
+- GP English name: *Settings Page Visibility*
+- GP name: *SettingsPageVisibility*
+- GP element: *SettingsPageVisibilityBox*
+- GP path: *Control Panel*
+- GP ADMX file name: *ControlPanel.admx*
+
+
+
+To validate on Desktop, do the following:
1. Open System Settings and verfiy that the About page is visible and accessible.
2. Configure the policy with the following string: "hide:about".
3. Open System Settings again and verify that the About page is no longer accessible.
-
-
+
+
Footnote:
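Review bot: Example 2 is re-added as "+hide:wifi", but the format rule in the context line at the top of this hunk says the identifier for the page with URI "ms-settings:wi-fi" is "wi-fi". Change the example to "hide:wi-fi" so that the page's own example follows the identifier rule it states. Step 1 of the validation list also has "verfiy" for "verify", which is worth fixing while this section is being touched.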
@@ -798,7 +848,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Settings policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 8dbd4fe36b..be4301165b 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - SmartScreen
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## SmartScreen policies
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
-
+
+
+ADMX Info:
+- GP English name: *Configure App Install Control*
+- GP name: *ConfigureAppInstallControl*
+- GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
+- GP ADMX file name: *SmartScreen.admx*
+
+
The following list shows the supported values:
@@ -77,12 +87,14 @@ The following list shows the supported values:
- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store.
-
+
+
@@ -104,8 +116,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -113,11 +125,19 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
-
+
+
+ADMX Info:
+- GP English name: *Configure Windows Defender SmartScreen*
+- GP name: *ShellConfigureSmartScreen*
+- GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
+- GP ADMX file name: *SmartScreen.admx*
+
+
The following list shows the supported values:
@@ -125,12 +145,14 @@ The following list shows the supported values:
- 1 – Turns on SmartScreen in Windows.
-
+
+
@@ -152,8 +174,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -161,11 +183,20 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
-
+
+
+ADMX Info:
+- GP English name: *Configure Windows Defender SmartScreen*
+- GP name: *ShellConfigureSmartScreen*
+- GP element: *ShellConfigureSmartScreen_Dropdown*
+- GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
+- GP ADMX file name: *SmartScreen.admx*
+
+
The following list shows the supported values:
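Review bot: the re-added description "+... whether users can can ignore SmartScreen warnings and run malicious files." carries over the doubled "can" from the line it replaces. Drop one while the line is being rewritten.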
@@ -173,7 +204,7 @@ The following list shows the supported values:
- 1 – Employees cannot ignore SmartScreen warnings and run malicious files.
-
+
Footnote:
@@ -182,5 +213,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index 0f87f58919..9a691d7670 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Speech
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Speech policies
Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
+
+
+Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
-
+
+
+ADMX Info:
+- GP English name: *Allow Automatic Update of Speech Data*
+- GP name: *AllowSpeechModelUpdate*
+- GP path: *Windows Components/Speech*
+- GP ADMX file name: *Speech.admx*
+
+
The following list shows the supported values:
@@ -71,7 +81,7 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
Footnote:
@@ -80,5 +90,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 02f3b03e71..50809d5486 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Start
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Start policies
Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -156,12 +158,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderDownloads**
-
+
Home
@@ -183,8 +187,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -192,11 +196,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -205,12 +209,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderFileExplorer**
-
+
Home
@@ -232,8 +238,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -241,11 +247,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -254,12 +260,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderHomeGroup**
-
+
Home
@@ -281,8 +289,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -290,11 +298,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -303,12 +311,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderMusic**
-
+
Home
@@ -330,8 +340,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -339,11 +349,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -352,12 +362,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderNetwork**
-
+
Home
@@ -379,8 +391,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -388,11 +400,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -401,12 +413,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
@@ -428,8 +442,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -437,11 +451,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -450,12 +464,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderPictures**
-
+
Home
@@ -477,8 +493,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -486,11 +502,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -499,12 +515,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderSettings**
-
+
Home
@@ -526,8 +544,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -535,11 +553,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -548,12 +566,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/AllowPinnedFolderVideos**
-
+
Home
@@ -575,8 +595,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -584,11 +604,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
-
+
The following list shows the supported values:
@@ -597,12 +617,14 @@ The following list shows the supported values:
- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
+
+
-
+
+
**Start/ForceStartSize**
-
+
Home
@@ -624,8 +646,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -633,29 +655,34 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
Forces the start screen size.
+Forces the start screen size.
-
The following list shows the supported values:
+
+If there is policy configuration conflict, the latest configuration request is applied to the device.
+
+
+
+The following list shows the supported values:
- 0 (default) – Do not force size of Start.
- 1 – Force non-fullscreen size of Start.
- 2 - Force a fullscreen size of Start.
-
If there is policy configuration conflict, the latest configuration request is applied to the device.
+
+
-
-
-
+
+
**Start/HideAppList**
-
+
Home
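Review bot: The added sentence in the Start/ForceStartSize description, "If there is policy configuration conflict, the latest configuration request is applied to the device.", is missing an article; make it "If there is a policy configuration conflict, ...". While this block is being touched, the supported values list uses an en dash for values 0 and 1 and a hyphen for value 2; pick one separator for all three entries.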
@@ -677,8 +704,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -686,37 +713,42 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Allows IT Admins to configure Start by collapsing or removing the all apps list.
+Allows IT Admins to configure Start by collapsing or removing the all apps list.
> [!Note]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
-
The following list shows the supported values:
-- 0 (default) – None.
-- 1 – Hide all apps list.
-- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
-- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
-
-
To validate on Desktop, do the following:
+To validate on Desktop, do the following:
- 1 - Enable policy and restart explorer.exe
- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out.
- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out.
- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out.
-
-
+
+
+The following list shows the supported values:
+
+- 0 (default) – None.
+- 1 – Hide all apps list.
+- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
+- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
+
+
+
+
-
+
+
**Start/HideChangeAccountSettings**
-
+
Home
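Review bot: In Start/HideAppList the "To validate on Desktop" steps now sit above the supported values list, so steps 2a to 2c refer to values '1', '2' and '3' before the reader has seen what they mean. The other Start policies in this file list the values first and the validation steps second; move the added "The following list shows the supported values:" block above the validation steps to match. The note at the top also says the policy requires a reboot while step 1 only restarts explorer.exe, so state which of the two is actually required. The second admonition is written "[!Note]" where the rest of the file uses "[!NOTE]".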
@@ -738,8 +770,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -747,16 +779,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
-
-
+
The following list shows the supported values:
@@ -764,12 +791,21 @@ The following list shows the supported values:
- 1 - True (hide).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
+
+
+
+
-
+
+
**Start/HideFrequentlyUsedApps**
-
+
Home
@@ -791,8 +827,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -800,14 +836,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable "Show most used apps" in the Settings app.
2. Use some apps to get them into the most used group in Start.
@@ -816,20 +861,15 @@ The following list shows the supported values:
5. Check that "Show most used apps" Settings toggle is grayed out.
6. Check that most used apps do not appear in Start.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideHibernate**
-
+
Home
@@ -851,8 +891,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -860,19 +900,15 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
-
To validate on Laptop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Hibernate" is not available.
> [!NOTE]
> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
-
+
The following list shows the supported values:
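Review bot: In Start/HideHibernate the numbered validation steps are removed here and re-added after the supported values in the next hunk, but the "[!NOTE] This policy can only be verified on laptops ..." block is left where it was, so it now appears before the values list and apart from the steps it qualifies. Move the note down with the "To validate on Laptop" steps. "regular PC's" in that note should be "regular PCs".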
@@ -880,12 +916,21 @@ The following list shows the supported values:
- 1 - True (hide).
-
+
+To validate on Laptop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify "Hibernate" is not available.
+
+
+
+
-
+
+
**Start/HideLock**
-
+
Home
@@ -907,8 +952,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -916,16 +961,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify "Lock" is not available.
-
-
+
The following list shows the supported values:
@@ -933,12 +973,21 @@ The following list shows the supported values:
- 1 - True (hide).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify "Lock" is not available.
+
+
+
+
-
+
+
**Start/HidePeopleBar**
-
+
Home
@@ -960,8 +1009,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -969,19 +1018,29 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
+
+
+Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
-
Value type is integer.
+Value type is integer.
+
+
+
+ADMX Info:
+- GP English name: *Remove the People Bar from the taskbar*
+- GP name: *HidePeopleBar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
-
-
-
+
+
**Start/HidePowerButton**
-
+
Home
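Review bot: Start/HidePeopleBar gains an ADMX Info block but still has no supported values list; the section only says "Value type is integer." and that enabling the policy removes the people icon. Every neighbouring Start policy lists its values and marks the default, so add a "The following list shows the supported values:" block here, stating which integer enables the policy and which one is the default.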
@@ -1003,8 +1062,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1012,19 +1071,14 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, and verify the power button is not available.
-
-
+
The following list shows the supported values:
@@ -1032,12 +1086,21 @@ The following list shows the supported values:
- 1 - True (hide).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, and verify the power button is not available.
+
+
+
+
-
+
+
**Start/HideRecentJumplists**
-
+
Home
@@ -1059,8 +1122,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1068,14 +1131,23 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings.
2. Pin Photos to the taskbar, and open some images in the photos app.
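Review bot: Step 1 of the Start/HideRecentJumplists validation quotes the setting as "Show recently opened items in Jump Lists on Start of the taskbar"; "of" looks like a typo for "or". Check the string against the Settings app and correct it, since the reader has to find the toggle by this exact label. Steps 2 and 9 also write the app name three ways ("Photos", "photos app", "pinned photos app"); use one capitalisation.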
@@ -1087,20 +1159,15 @@ The following list shows the supported values:
8. Repeat Step 2.
9. Right Click pinned photos app and verify that there is no jumplist of recent items.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideRecentlyAddedApps**
-
+
Home
@@ -1122,8 +1189,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1131,14 +1198,31 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
-
To validate on Desktop, do the following:
+
+
+ADMX Info:
+- GP English name: *Remove "Recently added" list from Start Menu*
+- GP name: *HideRecentlyAddedApps*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable "Show recently added apps" in the Settings app.
2. Check if there are recently added apps in Start (if not, install some).
@@ -1147,20 +1231,15 @@ The following list shows the supported values:
5. Check that "Show recently added apps" Settings toggle is grayed out.
6. Check that recently added apps do not appear in Start.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideRestart**
-
+
Home
@@ -1182,8 +1261,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1191,29 +1270,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideShutDown**
-
+
Home
@@ -1235,8 +1318,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1244,29 +1327,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideSignOut**
-
+
Home
@@ -1288,8 +1375,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1297,29 +1384,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the user tile, and verify "Sign out" is not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideSleep**
-
+
Home
@@ -1341,8 +1432,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1350,29 +1441,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the Power button, and verify that "Sleep" is not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideSwitchAccount**
-
+
Home
@@ -1394,8 +1489,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1403,29 +1498,33 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Open Start, click on the user tile, and verify that "Switch account" is not available.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/HideUserTile**
-
+
Home
@@ -1447,8 +1546,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1456,33 +1555,37 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile.
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile.
-
To validate on Desktop, do the following:
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
+To validate on Desktop, do the following:
1. Enable policy.
2. Log off.
3. Log in, and verify that the user tile is gone from Start.
-
-
-The following list shows the supported values:
+
+
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
-
-
+
+
**Start/ImportEdgeAssets**
-
+
Home
@@ -1504,8 +1607,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1513,32 +1616,36 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy requires reboot to take effect.
-
Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
+Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
> [!IMPORTANT]
> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
-
The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles).
+The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles).
-
To validate on Desktop, do the following:
+
+
+To validate on Desktop, do the following:
1. Set policy with an XML for Edge assets.
2. Set StartLayout policy to anything so that it would trigger the Edge assets import.
3. Sign out/in.
4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path.
-
-
+
+
+
-
+
+
**Start/NoPinningToTaskbar**
-
+
Home
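Review bot: The re-added Start/ImportEdgeAssets description carries over the ungrammatical phrase "pin Edge secondary tiles as weblink that tie to the image asset files"; reword it, for example "pin Edge secondary tiles as web links tied to the image asset files". The documentation link in the next paragraph hard-codes the "en-us" locale in its docs.microsoft.com URL; a locale-neutral link would serve localized readers better.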
@@ -1560,8 +1667,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1569,19 +1676,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Right click on a program pinned to taskbar.
-3. Verify that "Unpin from taskbar" menu does not show.
-4. Open Start and right click on one of the app list icons.
-5. Verify that More->Pin to taskbar menu does not show.
-
-
+
The following list shows the supported values:
@@ -1589,12 +1688,24 @@ The following list shows the supported values:
- 1 - True (pinning disabled).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Right click on a program pinned to taskbar.
+3. Verify that "Unpin from taskbar" menu does not show.
+4. Open Start and right click on one of the app list icons.
+5. Verify that More->Pin to taskbar menu does not show.
+
+
+
+
-
+
+
**Start/StartLayout**
-
+
Home
@@ -1616,8 +1727,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1626,17 +1737,25 @@ The following list shows the supported values:
-
-
+
+
> [!IMPORTANT]
> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)
-
Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
+Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
-
For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar).
+For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar).
-
-
+
+
+ADMX Info:
+- GP English name: *Start Layout*
+- GP name: *LockedStartLayout*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
Footnote:
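Review bot: The re-added Start/StartLayout description ends "Apps pinned to the taskbar can also be changed with this policy" with no closing period. The new ADMX Info block gives the GP name as *LockedStartLayout* while the policy node is StartLayout; a short remark that the names differ would save admins from assuming a mismatch when mapping MDM to Group Policy. Both documentation links in this section hard-code "en-us" in the URL.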
@@ -1645,5 +1764,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 57e64d4e9f..536aac2ce2 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/13/2017
+ms.date: 03/05/2018
---
# Policy CSP - Storage
@@ -15,7 +15,7 @@ ms.date: 12/13/2017
-
+
## Storage policies
Added in Windows 10, version 1709. Allows disk health model updates.
+
+
+Added in Windows 10, version 1709. Allows disk health model updates.
-
The following list shows the supported values:
+
+Value type is integer.
+
+
+
+ADMX Info:
+- GP English name: *Allow downloading updates to the Disk Failure Prediction Model*
+- GP name: *SH_AllowDiskHealthModelUpdates*
+- GP path: *System/Storage Health*
+- GP ADMX file name: *StorageHealth.admx*
+
+
+
+The following list shows the supported values:
- 0 - Do not allow
- 1 (default) - Allow
-
Value type is integer.
+
+
-
-
-
+
+
**Storage/EnhancedStorageDevices**
-
+
Home
@@ -102,8 +117,8 @@ ms.date: 12/13/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -111,15 +126,15 @@ ms.date: 12/13/2017
-
-
+
+
This policy setting configures whether or not Windows will activate an Enhanced Storage device.
If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -127,15 +142,15 @@ If you disable or do not configure this policy setting, Windows will activate un
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not allow Windows to activate Enhanced Storage devices*
- GP name: *TCGSecurityActivationDisabled*
- GP path: *System/Enhanced Storage Access*
- GP ADMX file name: *enhancedstorage.admx*
-
-
+
+
Footnote:
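Review bot: The tip carried as context in Storage/EnhancedStorageDevices tells admins that "there are a variety of online encoders that you can use" to XML-encode the SyncML payload. Policy payloads should not be pasted into third-party web tools; reword the tip to recommend encoding locally or using CDATA where the MDM supports it, which the same sentence already offers as an alternative. The CDATA reference also links to www.w3.org over http and should use https.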
@@ -144,5 +159,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 5a62fcc89e..d943b9d855 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 03/05/2018
---
# Policy CSP - System
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## System policies
@@ -68,11 +68,13 @@ ms.date: 12/19/2017
+
-
+
+
**System/AllowBuildPreview**
-
+
Home
@@ -94,8 +96,8 @@ ms.date: 12/19/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -103,29 +105,41 @@ ms.date: 12/19/2017
-
-
+
+
> [!NOTE]
> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
-
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
+This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
-
If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
+If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Toggle user control over Insider builds*
+- GP name: *AllowBuildPreview*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *AllowBuildPreview.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
- 1 – Allowed. Users can make their devices available for downloading and installing preview software.
- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.
-
-
+
+
+
Specifies whether set general purpose device to be in embedded mode.
+
+
+Specifies whether set general purpose device to be in embedded mode.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
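Review bot: The re-added embedded mode description, "Specifies whether set general purpose device to be in embedded mode.", is not a grammatical sentence; something like "Specifies whether a general purpose device is set to embedded mode." reads correctly. In the System/AllowBuildPreview note above it, the edition list "Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise" has a stray "and" in the middle.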
@@ -170,12 +184,14 @@ The following list shows the supported values:
- 1 – Allowed.
-
+
+
-
+
+
**System/AllowExperimentation**
-
+
Home
@@ -197,8 +213,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -206,28 +222,33 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> This policy is not supported in Windows 10, version 1607.
-
This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
+This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Disabled.
- 1 (default) – Permits Microsoft to configure device settings only.
- 2 – Allows Microsoft to conduct full experimentations.
-
Most restricted value is 0.
+
+
-
-
-
+
+
**System/AllowFontProviders**
-
+
Home
@@ -249,8 +270,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -258,18 +279,26 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
+
+
+Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
-
This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
+This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
-
This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
+This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
> [!Note]
> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
-
+
+
+ADMX Info:
+- GP English name: *Enable Font Providers*
+- GP name: *EnableFontProviders*
+- GP path: *Network/Fonts*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
The following list shows the supported values:
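Review bot: the re-added paragraph beginning "This setting is used by lower-level components" still carries two typos, "fond handling" and "has not direct effect". Correct them to "font handling" and "has no direct effect" while the line is being touched. The rest of the paragraph move and the new ADMX Info block read fine.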
@@ -278,17 +307,19 @@ The following list shows the supported values:
-
To verify if System/AllowFontProviders is set to true:
+To verify if System/AllowFontProviders is set to true:
- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com.
-
+
+
-
+
+
**System/AllowLocation**
-
+
Home
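Review bot: the verification step kept here ("To verify if System/AllowFontProviders is set to true") covers only the enabled case. An administrator who sets the policy to disabled has no matching check. Add the converse step: after a reboot or a FontCache service restart, confirm there is no traffic from the client to fs.microsoft.com.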
@@ -310,8 +341,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -319,31 +350,44 @@ The following list shows the supported values:
-
-
-
Specifies whether to allow app access to the Location service.
+
+
+Specifies whether to allow app access to the Location service.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
+
+When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
+
+For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
+
+
+
+ADMX Info:
+- GP English name: *Turn off location*
+- GP name: *DisableLocation_2*
+- GP path: *Windows Components/Location and Sensors*
+- GP ADMX file name: *Sensors.admx*
+
+
+
+The following list shows the supported values:
- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
-
Most restricted value is 0.
+
+
-
While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
-
-
When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
-
-
For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
-
-
-
-
+
+
**System/AllowStorageCard**
-
+
Home
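Review bot: the added ADMX Info block maps AllowLocation to the GP "Turn off location" (DisableLocation_2), whose sense is the inverse of the MDM policy, and nothing in the hunk says which of the three MDM values (0, 1, 2) the enabled and disabled GP states correspond to. Add one sentence giving that mapping so a reader does not assume that enabling the GP allows location. Minor: in the moved example paragraph, "2 (Force Location On.)" has the period inside the parenthesis.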
@@ -365,8 +409,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -374,13 +418,13 @@ The following list shows the supported values:
-
-
-
Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
+
+
+Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -388,12 +432,14 @@ The following list shows the supported values:
- 1 (default) – Allow a storage card.
-
+
+
-
+
+
**System/AllowTelemetry**
-
+
Home
@@ -415,8 +461,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -425,11 +471,11 @@ The following list shows the supported values:
-
-
-
Allow the device to send diagnostic and usage telemetry data, such as Watson.
+
+
+Allow the device to send diagnostic and usage telemetry data, such as Watson.
-
The following tables describe the supported values:
+The following tables describe the supported values:
Windows 8.1 Values:
@@ -502,15 +548,26 @@ Windows 10 Values:
> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.
-
Most restricted value is 0.
+Most restricted value is 0.
+
+
+
+ADMX Info:
+- GP English name: *Allow Telemetry*
+- GP name: *AllowTelemetry*
+- GP element: *AllowTelemetry*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
+
-
-
-
+
+
**System/AllowUserToResetPhone**
-
+
Home
@@ -532,8 +589,8 @@ Windows 10 Values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -541,13 +598,13 @@ Windows 10 Values:
-
-
-
Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
+
+
+Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
orted values:
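Review bot: the context at the end of this hunk shows a stray fragment line, "orted values:", directly after "The following list shows the supported values:", and the next hunk header picks it up as well. It looks like a leftover from an earlier edit of the AllowUserToResetPhone section. Delete it in this change, since the surrounding lines are already being reformatted.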
@@ -556,12 +613,14 @@ orted values:
- 1 (default) – Allowed to reset to factory default settings.
-
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -592,11 +651,21 @@ orted values:
-
-
-N/A
+
+
+This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
+- Good: The driver has been signed and has not been tampered with.
+- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
+- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
+- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
-
+If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
+
+If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
+
+If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
+
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
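Review bot: the new description names the third classification "Bad, but required for boot" in the bullet list but "Bad but Boot Critical" in the paragraph about the disabled or not configured state. Use one name in both places so it is unambiguous that drivers in that class are initialized by default. The sentence "If you enable this policy setting you will be able to choose which boot-start drivers to initialize" should also list the selectable options, because the hunk gives the reader no values to put in the SyncML payload.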
@@ -604,18 +673,22 @@ N/A
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
+- GP English name: *Boot-Start Driver Initialization Policy*
- GP name: *POL_DriverLoadPolicy_Name*
+- GP path: *System/Early Launch Antimalware*
- GP ADMX file name: *earlylauncham.admx*
-
-
+
+
+
-
+
+
**System/DisableEnterpriseAuthProxy**
-
+
Home
@@ -637,8 +710,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -646,20 +719,28 @@ ADMX Info:
-
-
+
+
This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
-
-
+
+
+ADMX Info:
+- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service*
+- GP name: *DisableEnterpriseAuthProxy*
+- GP element: *DisableEnterpriseAuthProxy*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
+
-
-
-
+
+
**System/DisableOneDriveFileSync**
-
+
Home
@@ -681,8 +762,8 @@ This policy setting blocks the Connected User Experience and Telemetry service f
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -690,9 +771,9 @@ This policy setting blocks the Connected User Experience and Telemetry service f
-
-
-
Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
+
+
+Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
* Users cannot access OneDrive from the OneDrive app or file picker.
* Microsoft Store apps cannot access OneDrive using the WinRT API.
@@ -700,15 +781,17 @@ This policy setting blocks the Connected User Experience and Telemetry service f
* OneDrive files are not kept in sync with the cloud.
* Users cannot automatically upload photos and videos from the camera roll folder.
-
If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
-
To validate on Desktop, do the following:
+
+
+ADMX Info:
+- GP English name: *Prevent the usage of OneDrive for file storage*
+- GP name: *PreventOnedriveFileSync*
+- GP path: *Windows Components/OneDrive*
+- GP ADMX file name: *SkyDrive.admx*
-1. Enable policy.
-2. Restart machine.
-3. Verify that OneDrive.exe is not running in Task Manager.
-
-
+
The following list shows the supported values:
@@ -716,12 +799,22 @@ The following list shows the supported values:
- 1 – True (sync disabled).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Restart machine.
+3. Verify that OneDrive.exe is not running in Task Manager.
+
+
+
+
-
+
+
**System/DisableSystemRestore**
-
+
Home
@@ -743,8 +836,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -752,8 +845,8 @@ The following list shows the supported values:
-
-
+
+
Allows you to disable System Restore.
This policy setting allows you to turn off System Restore.
@@ -766,7 +859,7 @@ If you disable or do not configure this policy setting, users can perform System
Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -774,20 +867,22 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off System Restore*
- GP name: *SR_DisableSR*
- GP path: *System/System Restore*
- GP ADMX file name: *systemrestore.admx*
-
-
+
+
+
-
+
+
**System/FeedbackHubAlwaysSaveDiagnosticsLocally**
-
+
Home
@@ -795,6 +890,8 @@ ADMX Info:
Business
Enterprise
Education
+
Mobile
+
Mobile Enterprise
4
@@ -802,11 +899,13 @@ ADMX Info:
4
4
4
+
+
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -814,11 +913,11 @@ ADMX Info:
-
-
-Added in Windows 10, next major update. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations.
+
+
+Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations.
-
+
The following list shows the supported values:
@@ -826,18 +925,14 @@ The following list shows the supported values:
- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted.
-
+
-
-
-
-
-
-
+
+
**System/LimitEnhancedDiagnosticDataWindowsAnalytics**
-
+
Home
@@ -859,8 +954,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -868,30 +963,41 @@ The following list shows the supported values:
-
-
-
This policy setting, in combination with the System/AllowTelemetry
+
+
+This policy setting, in combination with the System/AllowTelemetry
policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
-
To enable this behavior you must complete two steps:
+To enable this behavior you must complete two steps:
Enable this policy setting
Set Allow Telemetry to level 2 (Enhanced)
-
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594).
+When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594).
-
Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
+Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
-
If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
+If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
+
+
+
+ADMX Info:
+- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics*
+- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics*
+- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
+
-
-
-
+
+
**System/TelemetryProxy**
-
+
Home
@@ -913,8 +1019,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -922,14 +1028,23 @@ The following list shows the supported values:
-
-
-
Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
+
+
+Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
-
If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
+If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
-
-
+
+
+ADMX Info:
+- GP English name: *Configure Connected User Experiences and Telemetry*
+- GP name: *TelemetryProxy*
+- GP element: *TelemetryProxyName*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
+
Footnote:
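Review bot: in the re-added TelemetryProxy description, the format string is written as *<server>:<port>* with bare angle brackets, which a Markdown renderer may treat as HTML tags and drop from the page. Escape the brackets or put the placeholder in inline code so the expected format is visible. The new ADMX Info block gives the GP element as TelemetryProxyName while the GP name is TelemetryProxy; please confirm that the difference is intended.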
@@ -938,7 +1053,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## System policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index c307f1e57f..ffdb12f42a 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 03/05/2018
---
# Policy CSP - SystemServices
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## SystemServices policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -76,26 +78,25 @@ ms.date: 01/03/2018
-
-
-Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
+GP Info:
+- GP English name: *HomeGroup Listener*
+- GP path: *Windows Settings/Security Settings/System Services*
-
-
+
+
-
-
-
-
-
-
+
+
**SystemServices/ConfigureHomeGroupProviderServiceStartupMode**
-
+
Home
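Review bot: the replacement description line still reads "Automaic(2)". Correct it to "Automatic(2)" here and on the identical replacement line in each later hunk of policy-csp-systemservices.md, since every one of those lines is being rewritten for the version 1803 wording. The start types are given only inline, so consider adding a "supported values" list (2, 3, 4, with Manual as the default) to match the other policy pages in this change.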
@@ -117,8 +118,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -126,26 +127,25 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
-Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
+GP Info:
+- GP English name: *HomeGroup Provider*
+- GP path: *Windows Settings/Security Settings/System Services*
-
-
+
+
-
-
-
-
-
-
+
+
**SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode**
-
+
Home
@@ -167,8 +167,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -176,26 +176,25 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
-Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
+GP Info:
+- GP English name: *Xbox Accessory Management Service*
+- GP path: *Windows Settings/Security Settings/System Services*
-
-
+
+
-
-
-
-
-
-
+
+
**SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode**
-
+
Home
@@ -217,8 +216,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -226,26 +225,25 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
-Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
+GP Info:
+- GP English name: *Xbox Live Auth Manager*
+- GP path: *Windows Settings/Security Settings/System Services*
-
-
+
+
-
-
-
-
-
-
+
+
**SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode**
-
+
Home
@@ -267,8 +265,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -276,26 +274,25 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
-Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
+GP Info:
+- GP English name: *Xbox Live Game Save*
+- GP path: *Windows Settings/Security Settings/System Services*
-
-
+
+
-
-
-
-
-
-
+
+
**SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode**
-
+
Home
@@ -317,8 +314,8 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -326,21 +323,18 @@ Added in Windows 10, next major update. This setting determines whether the serv
-
-
-Added in Windows 10, next major update. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+Added in Windows 10, version 1803. This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
-
-
+
+
+GP Info:
+- GP English name: *Xbox Live Networking Service*
+- GP path: *Windows Settings/Security Settings/System Services*
-
-
-
-
-
-
-
-
+
+
Footnote:
@@ -349,5 +343,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 0a8f13c708..88a19a26c4 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 01/30/2018
---
# Policy CSP - TaskScheduler
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## TaskScheduler policies
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies text prediction for hardware keyboard is always disabled. When this policy is set to 0, text prediction for hardware keyboard is always disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 – Text prediction for the hardware keyboard is disabled and the switch is unusable (user cannot activate the feature).
+- 1 (default) – Text prediction for the hardware keyboard is enabled. User can change the setting.
+
+
+
+
+
+
+
**TextInput/AllowIMELogging**
-
+
Home
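Review bot: the added description opens with "Specifies text prediction for hardware keyboard is always disabled", which reads as if the policy can only disable the feature, while the supported values below it show that 1 (default) leaves it enabled and user-changeable. Reword the first sentence along the lines of "Specifies whether text prediction for the hardware keyboard is enabled or always disabled", and keep the second sentence for the 0 case.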
@@ -91,8 +170,8 @@ ms.date: 12/19/2017
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -100,17 +179,17 @@ ms.date: 12/19/2017
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
+Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -118,12 +197,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**TextInput/AllowIMENetworkAccess**
-
+
Home
@@ -145,8 +226,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -154,17 +235,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
+Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -172,12 +253,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**TextInput/AllowInputPanel**
-
+
Home
@@ -199,8 +282,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -208,17 +291,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the IT admin to disable the touch/handwriting keyboard on Windows.
+Allows the IT admin to disable the touch/handwriting keyboard on Windows.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -226,12 +309,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -253,8 +338,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -262,28 +347,33 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese IME surrogate pair characters.
+Allows the Japanese IME surrogate pair characters.
-
The following list shows the supported values:
+
+Most restricted value is 0.
+
+
+
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
@@ -305,8 +395,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -314,17 +404,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows Japanese Ideographic Variation Sequence (IVS) characters.
+Allows Japanese Ideographic Variation Sequence (IVS) characters.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -332,12 +422,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -359,8 +451,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -368,17 +460,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese non-publishing standard glyph.
+Allows the Japanese non-publishing standard glyph.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -386,12 +478,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -413,8 +507,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -422,17 +516,17 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese user dictionary.
+Allows the Japanese user dictionary.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -440,12 +534,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -467,8 +563,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -476,22 +572,16 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
+Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
-
Most restricted value is 0.
+Most restricted value is 0.
-
To validate that text prediction is disabled on Windows 10 for desktop, do the following:
-
-1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
-2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
-3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
-
-
+
The following list shows the supported values:
@@ -499,21 +589,33 @@ The following list shows the supported values:
- 1 (default) – Enabled.
-
+
+To validate that text prediction is disabled on Windows 10 for desktop, do the following:
+
+1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
+2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
+3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
+
+
+
+
-
+
+
**TextInput/AllowKoreanExtendedHanja**
-
-
This policy has been deprecated.
+
+This policy has been deprecated.
+
+
+
-
-
@@ -535,8 +637,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -544,17 +646,25 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the uninstall of language features, such as spell checkers, on a device.
+Allows the uninstall of language features, such as spell checkers, on a device.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow Uninstallation of Language Features*
+- GP name: *AllowLanguageFeaturesUninstall*
+- GP path: *Windows Components/Text Input*
+- GP ADMX file name: *TextInput.admx*
+
+
The following list shows the supported values:
@@ -562,12 +672,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
@@ -589,8 +701,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -598,9 +710,9 @@ The following list shows the supported values:
-
-
-Added in Windows 10, next major update. This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode.
+
+
+Added in Windows 10, version 1803. This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode.
The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up.
But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard.
@@ -608,27 +720,22 @@ When this policy is enabled, the touch keyboard automatically shows up when the
This policy corresponds to "Show the touch keyboard when not in tablet mode and there's no keyboard attached" in the Settings app.
-
+
The following list shows the supported values:
- 0 (default) - Disabled.
- 1 - Enabled.
-
-
+
-
-
-
-
-
-
+
+
**TextInput/ExcludeJapaneseIMEExceptJIS0208**
-
+
Home
@@ -650,8 +757,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -659,26 +766,30 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
+Allows the users to restrict character code range of conversion by setting the character filter.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except JIS0208 are filtered.
-
-
+
+
+
@@ -700,8 +811,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -709,26 +820,30 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
+Allows the users to restrict character code range of conversion by setting the character filter.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except JIS0208 and EUDC are filtered.
-
-
+
+
+
@@ -750,8 +865,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -759,21 +874,431 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
+Allows the users to restrict character code range of conversion by setting the character filter.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except ShiftJIS are filtered.
-
-
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked.
+
+
+
+The following list shows the supported values:
+
+- 0 - (default) - The OS determines when it's most appropriate to be available.
+- 1 - Touch keyboard is always docked.
+- 2 - Touch keyboard docking can be changed.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardDictationButtonAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Dictation button on the keyboard is always available.
+- 2 - Dictation button on the keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardEmojiButtonAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Emoji button on keyboard is always available.
+- 2 - Emoji button on keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardFullModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Full keyboard is always available.
+- 2 - Full keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardHandwritingModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Handwriting input panel is always available.
+- 2 - Handwriting input panel is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardNarrowModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Narrow keyboard is always available.
+- 2 - Narrow keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardSplitModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Split keyboard is always available.
+- 2 - Split keyboard is always disabled.
+
+
+
+
+
+
+
+**TextInput/TouchKeyboardWideModeAvailability**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - The OS determines when it's most appropriate to be available.
+- 1 - Wide keyboard is always available.
+- 2 - Wide keyboard is always disabled.
+
+
+
Footnote:
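Review bot: the descriptions of the seven new TouchKeyboard*Availability policies say "When this policy is set to disabled", but the value lists under them offer 0, 1 and 2, where 2 is "always disabled" and 0 leaves the decision to the OS. Name the value in the description (for example "When this policy is set to 2, ...") so that an admin does not read "disabled" as 0. Two smaller points in the same hunk: the first added value list is written "0 - (default) -" while the others use "0 (default) -", and the edition tables added here carry footnote marker 4 while the footnote entries visible in this patch stop at 3 (version 1709), so add the version 1803 entry if it is not already present.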
@@ -782,7 +1307,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## TextInput policies supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 42221e6fde..c926c03e45 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/30/2018
---
# Policy CSP - TimeLanguageSettings
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## TimeLanguageSettings policies
Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
+
+
+Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
-
+
The following list shows the supported values:
@@ -71,7 +73,7 @@ The following list shows the supported values:
- 1 (default) – Set 24 hour clock.
-
+
Footnote:
@@ -80,5 +82,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index f0cc05b9e9..7a92fffc6a 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/19/2017
+ms.date: 03/05/2018
---
# Policy CSP - Update
@@ -17,7 +17,7 @@ ms.date: 12/19/2017
-
+
## Update policies
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
-
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
The default is 17 (5 PM).
+The default is 17 (5 PM).
+
+
+
+ADMX Info:
+- GP English name: *Turn off auto-restart for updates during active hours*
+- GP name: *ActiveHours*
+- GP element: *ActiveHoursEndTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+
+
+Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
-
Supported values are 8-18.
+Supported values are 8-18.
-
The default value is 18 (hours).
+The default value is 18 (hours).
+
+
+
+ADMX Info:
+- GP English name: *Specify active hours range for auto-restarts*
+- GP name: *ActiveHoursMaxRange*
+- GP element: *ActiveHoursMaxRange*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
-
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
The default value is 8 (8 AM).
+The default value is 8 (8 AM).
+
+
+
+ADMX Info:
+- GP English name: *Turn off auto-restart for updates during active hours*
+- GP name: *ActiveHours*
+- GP element: *ActiveHoursStartTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+
+
+Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+
+> [!IMPORTANT]
+> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
+
+
+If the policy is not configured, end-users get the default behavior (Auto install and restart).
+
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateMode*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
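Review bot: the [!IMPORTANT] block added ahead of the supported-values list opens with "This option", but in its old position (removed in the next hunk) it sat directly under "5 – Turn off automatic updates", which was its referent. In the new position no option has been listed yet, so the warning about not getting security updates no longer points at anything. Keep the block under value 5, or reword it to name the value, for example "Value 5 should be used only for systems under regulatory compliance, ...".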
@@ -358,19 +411,15 @@ ms.date: 12/19/2017
- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 5 – Turn off automatic updates.
-> [!IMPORTANT]
-> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
-
+
+
-
If the policy is not configured, end-users get the default behavior (Auto install and restart).
-
-
-
Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.
+
+
+Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.
A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
This policy is accessible through the Update setting in the user interface or Group Policy.
-
+
+
+ADMX Info:
+- GP English name: *Allow updates to be downloaded automatically over metered connections*
+- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
@@ -417,12 +474,14 @@ The following list shows the supported values:
- 1 - Allowed
-
+
+
-
+
+
**Update/AllowMUUpdateService**
-
+
Home
@@ -444,8 +503,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -453,22 +512,35 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+
+
+Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AllowMUUpdateServiceId*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 – Not allowed or not configured.
- 1 – Allowed. Accepts updates received through Microsoft Update.
-
-
+
+
+
@@ -490,8 +562,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -499,15 +571,15 @@ The following list shows the supported values:
-
-
-
Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
+
+
+Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
-
+
The following list shows the supported values:
@@ -515,12 +587,14 @@ The following list shows the supported values:
- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
-
+
+
-
+
+
**Update/AllowUpdateService**
-
+
Home
@@ -542,8 +616,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -551,18 +625,26 @@ The following list shows the supported values:
-
-
-
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
+
+
+Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
-
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store
+Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store
-
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
+Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
> [!NOTE]
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
-
+
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
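Review bot: "Enabling this policy will disable that functionality" is ambiguous against the value list that follows, where 1 is the default and means "Update service is allowed". State which value stops the periodic retrieval from the public Windows Update service, since that is the setting that can break Microsoft Store connectivity. The re-added sentence ending "or the Microsoft Store" is also still missing its final period, and because the line is being rewritten anyway this is the place to fix it.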
@@ -570,12 +652,14 @@ The following list shows the supported values:
- 1 (default) – Update service is allowed.
-
+
+
@@ -597,8 +681,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -606,21 +690,32 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
+
+
+Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is 7 days.
+The default value is 7 days.
+
+
+
+ADMX Info:
+- GP English name: *Specify deadline before auto-restart for update installation*
+- GP name: *AutoRestartDeadline*
+- GP element: *AutoRestartDeadline*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
@@ -642,8 +737,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -651,23 +746,34 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
-
The default value is 15 (minutes).
+The default value is 15 (minutes).
-
+
+
+ADMX Info:
+- GP English name: *Configure auto-restart reminder notifications for updates*
+- GP name: *AutoRestartNotificationConfig*
+- GP element: *AutoRestartNotificationSchd*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
Supported values are 15, 30, 60, 120, and 240 (minutes).
-
+
+
@@ -689,8 +795,8 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -698,22 +804,35 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Configure auto-restart required notification for updates*
+- GP name: *AutoRestartRequiredNotificationDismissal*
+- GP element: *AutoRestartRequiredNotificationDismissal*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 1 (default) – Auto Dismissal.
- 2 – User Dismissal.
-
-
+
+
+
-
+
+
**Update/BranchReadinessLevel**
-
+
Home
@@ -735,8 +854,8 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -744,11 +863,20 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
-
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+
+
+Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
-
+
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *BranchReadinessLevelId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
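Review bot: the re-added description still says "which branch a device receives their updates from", while the GP English name added in this hunk and the value list in the next one use "Preview Builds and Feature Updates" and "Semi-annual Channel". Align the description with the channel terminology used by the values, and change "their updates" to "its updates" while the line is being touched.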
@@ -759,12 +887,14 @@ The following list shows the supported values:
- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
-
+
+
@@ -786,21 +916,19 @@ The following list shows the supported values:
-
+
+
+Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days.
-
-
Added in Windows 10, next major update. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days.
+
+
-
-
-
-
-
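Review bot: the re-added description "Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days." is ungrammatical and does not follow the "Supported values are ..." and "The default value is ..." pattern used by the other Update policies in this file. Since the line is already being rewritten to replace "next major update" with "version 1803", reword it along the lines of "Enables the IT admin to configure the feature update uninstall period. Supported values are 2-60 days. The default value is 10 days."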
@@ -822,8 +950,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -831,24 +959,35 @@ The following list shows the supported values:
-
-
-
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+
+
+Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
+Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
-
Supported values are 0-365 days.
+Supported values are 0-365 days.
> [!IMPORTANT]
> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
-
-
+
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *DeferFeatureUpdatesPeriodId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
@@ -870,8 +1009,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -879,19 +1018,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
+
+
+Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
-
Supported values are 0-30.
+Supported values are 0-30.
+
+
+
+ADMX Info:
+- GP English name: *Select when Quality Updates are received*
+- GP name: *DeferQualityUpdates*
+- GP element: *DeferQualityUpdatesPeriodId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
-
+
+
**Update/DeferUpdatePeriod**
-
+
Home
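Review bot: "Supported values are 0-30." is re-added without a unit, while the sibling feature-update policy in the previous hunk says "Supported values are 0-365 days." The description already says the deferral is in days, so suggest "Supported values are 0-30 days." to keep the two entries parallel.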
@@ -913,8 +1063,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -922,24 +1072,24 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
-
Allows IT Admins to specify update delays for up to 4 weeks.
+Allows IT Admins to specify update delays for up to 4 weeks.
-
Supported values are 0-4, which refers to the number of weeks to defer updates.
+Supported values are 0-4, which refers to the number of weeks to defer updates.
-
In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
+In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
- Update/RequireDeferUpgrade must be set to 1
- System/AllowTelemetry must be set to 1 or higher
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
OS upgrade:
- Maximum deferral: 8 months
@@ -1019,13 +1169,22 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
@@ -1047,8 +1206,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1056,29 +1215,38 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
> [!NOTE]
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-
Allows IT Admins to specify additional upgrade delays for up to 8 months.
+Allows IT Admins to specify additional upgrade delays for up to 8 months.
-
Supported values are 0-8, which refers to the number of months to defer upgrades.
+Supported values are 0-8, which refers to the number of months to defer upgrades.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
+
+ADMX Info:
+- GP name: *DeferUpgrade*
+- GP element: *DeferUpgradePeriodId*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
-
+
+
**Update/DetectionFrequency**
-
+
Home
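Review bot: The ADMX Info block added for DeferUpgradePeriod lists only GP name, GP element and GP ADMX file name; it has no "GP English name" or "GP path" line, unlike the blocks added for the DeferQualityUpdates and DetectionFrequency entries in this patch. The description refers to the settings by their display strings ("Defer upgrades by", "Defer updates by"), so a reader cannot locate the policy from this block alone. Suggest adding the two missing fields, or a sentence saying why they do not apply to this legacy policy.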
@@ -1100,8 +1268,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1109,17 +1277,28 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
+
+
+Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
+
+
+
+ADMX Info:
+- GP English name: *Automatic Updates detection frequency*
+- GP name: *DetectionFrequency_Title*
+- GP element: *DetectionFrequency_Hour2*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
-
+
+
**Update/DisableDualScan**
-
+
Home
@@ -1141,8 +1320,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1150,30 +1329,40 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
+
+
+Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
-
For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/).
+For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/).
-
This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update."
+This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update."
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Do not allow update deferral policies to cause scans against Windows Update*
+- GP name: *DisableDualScan*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
The following list shows the supported values:
- 0 - allow scan against Windows Update
-- 1 - do not allow update deferral policies to cause scans against Windows Update
+- 1 - do not allow update deferral policies to cause scans against Windows Update
-
+
+
-
+
+
**Update/EngagedRestartDeadline**
-
+
Home
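Review bot: The re-added sentence "This is the same as the Group Policy in Windows Components > Window Update ..." carries over the typo "Window Update"; the GP path added a few lines below spells it "Windows Components/Windows Update". The description line also has "scanning Windows update" with a lowercase "u". Both lines are rewritten by this hunk, so fix them here. Separately, the "- 1 - do not allow update deferral policies ..." line is removed and re-added with identical visible text, which looks like a whitespace-only change worth confirming is intended.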
@@ -1195,8 +1384,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1204,21 +1393,32 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is 0 days (not specified).
+The default value is 0 days (not specified).
+
+
+
+ADMX Info:
+- GP English name: *Specify Engaged restart transition and notification schedule for updates*
+- GP name: *EngagedRestartTransitionSchedule*
+- GP element: *EngagedRestartDeadline*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
-
+
+
**Update/EngagedRestartSnoozeSchedule**
-
+
Home
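Review bot: The EngagedRestartDeadline text is internally inconsistent: "Supported values are 2-30 days." is followed by "The default value is 0 days (not specified).", and the description gives 0 a defined meaning ("If no deadline is specified or deadline is set to 0, the restart will not be automatically executed"). Suggest stating the range so that it accounts for 0, or explaining that 0 is the unset state rather than a supported value, so an admin validating a profile knows whether 0 will be accepted.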
@@ -1240,8 +1440,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1249,21 +1449,32 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
-
Supported values are 1-3 days.
+Supported values are 1-3 days.
-
The default value is 3 days.
+The default value is 3 days.
+
+
+
+ADMX Info:
+- GP English name: *Specify Engaged restart transition and notification schedule for updates*
+- GP name: *EngagedRestartTransitionSchedule*
+- GP element: *EngagedRestartSnoozeSchedule*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
@@ -1285,8 +1496,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1294,21 +1505,32 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-
Supported values are 2-30 days.
+Supported values are 2-30 days.
-
The default value is 7 days.
+The default value is 7 days.
+
+
+
+ADMX Info:
+- GP English name: *Specify Engaged restart transition and notification schedule for updates*
+- GP name: *EngagedRestartTransitionSchedule*
+- GP element: *EngagedRestartTransitionSchedule*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
@@ -1330,8 +1552,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1339,25 +1561,37 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Do not include drivers with Windows Updates*
+- GP name: *ExcludeWUDriversInQualityUpdate*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Allow Windows Update drivers.
- 1 – Exclude Windows Update drivers.
-
-
+
+
+
-
+
+
**Update/FillEmptyContentUrls**
-
+
Home
@@ -1379,8 +1613,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1388,25 +1622,38 @@ The following list shows the supported values:
-
-
-
Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
+
+
+Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
> [!NOTE]
> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP element: *CorpWUFillEmptyContentUrls*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Disabled.
- 1 – Enabled.
-
-
+
+
+
-
+
+
**Update/IgnoreMOAppDownloadLimit**
-
+
Home
@@ -1428,8 +1675,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1437,14 +1684,14 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+
+
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
+
The following list shows the supported values:
@@ -1464,12 +1711,14 @@ To validate this policy:
3. Verify that any downloads that are above the download size limit will complete without being paused.
-
+
+
-
+
+
**Update/IgnoreMOUpdateDownloadLimit**
-
+
Home
@@ -1491,8 +1740,8 @@ To validate this policy:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1500,23 +1749,19 @@ To validate this policy:
-
-
-
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+
+
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
To validate this policy:
-
-1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
-
+
The following list shows the supported values:
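Review bot: After this hunk the validation procedure for IgnoreMOUpdateDownloadLimit is broken apart: the "To validate this policy:" heading, steps 1 and 2 and the TShell command are removed, but "3. Verify that any downloads that are above the download size limit will complete without being paused." stays as a context line, so it ends up as a lone step directly above "The following list shows the supported values:". Suggest moving step 3 together with the rest of the procedure so the numbered list stays contiguous.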
@@ -1524,12 +1769,21 @@ The following list shows the supported values:
- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
-
+
+To validate this policy:
+
+1. Enable the policy and ensure the device is on a cellular network.
+2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+
+
+
+
-
+
+
**Update/ManagePreviewBuilds**
-
+
Home
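Review bot: The re-added validation steps stop at step 2, which ends with "run the following commands in TShell:" and is followed only by blank lines. The `exec-device schtasks.exe ...` line that the previous hunk removed is not added back here, and no step 3 follows. As shown, the procedure tells the reader to run a command that is no longer on the page. Suggest restoring the command line under step 2 and placing the verification step after it.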
@@ -1551,8 +1805,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1560,23 +1814,36 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer.
+
+
+Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Manage preview builds*
+- GP name: *ManagePreviewBuilds*
+- GP element: *ManagePreviewBuildsId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 - Disable Preview builds
- 1 - Disable Preview builds once the next release is public
- 2 - Enable Preview builds
-
-
+
+
+
-
+
+
**Update/PauseDeferrals**
-
+
Home
@@ -1598,8 +1865,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1607,30 +1874,42 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
-
Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
+Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
-
The following list shows the supported values:
+
+If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
+
+ADMX Info:
+- GP name: *DeferUpgrade*
+- GP element: *PauseDeferralsId*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Deferrals are not paused.
- 1 – Deferrals are paused.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
-
-
+
+
**Update/PauseFeatureUpdates**
-
+
Home
@@ -1652,8 +1931,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1661,25 +1940,38 @@ The following list shows the supported values:
-
-
-
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+
+
+Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *PauseFeatureUpdatesId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Feature Updates are not paused.
- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
-
-
+
+
+
-
+
+
**Update/PauseFeatureUpdatesStartTime**
-
+
Home
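Review bot: The value list that this hunk repositions still contains "1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner." The stray "to" should go; the matching PauseQualityUpdates entry reads "until value set back to 0". Suggest fixing the wording while the surrounding lines are being moved.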
@@ -1701,8 +1993,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1710,19 +2002,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
+
+
+Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
+
+
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *PauseFeatureUpdatesStartId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
-
+
+
**Update/PauseQualityUpdates**
-
+
Home
@@ -1744,8 +2047,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1753,22 +2056,35 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+
+
+Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Select when Quality Updates are received*
+- GP name: *DeferQualityUpdates*
+- GP element: *PauseQualityUpdatesId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Quality Updates are not paused.
- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
-
-
+
+
+
-
+
+
**Update/PauseQualityUpdatesStartTime**
-
+
Home
@@ -1790,8 +2106,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1799,36 +2115,41 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
+
+
+Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
+
+
+
+ADMX Info:
+- GP English name: *Select when Quality Updates are received*
+- GP name: *DeferQualityUpdates*
+- GP element: *PauseQualityUpdatesStartId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
-
+
+
**Update/PhoneUpdateRestrictions**
-
-
This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead.
-
-
+
+This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead.
-
-
+
+
-
-
-
-
-
-
+
+
**Update/RequireDeferUpgrade**
-
+
Home
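Review bot: The PauseQualityUpdatesStartTime description is re-added as "Specifies the date and time when the IT admin wants to start pausing the Quality Updates." with "Value type is string.", but nothing says which date-time format or time zone the string must use, and there is no example value. The same gap exists in the PauseFeatureUpdatesStartTime entry. Suggest documenting the expected format with one sample value so admins do not have to guess what the client will parse.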
@@ -1850,8 +2171,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1859,26 +2180,37 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
-
Allows the IT admin to set a device to Semi-Annual Channel train.
+Allows the IT admin to set a device to Semi-Annual Channel train.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP name: *DeferUpgrade*
+- GP element: *DeferUpgradePeriodId*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted).
- 1 – User gets upgrades from Semi-Annual Channel.
-
-
+
+
+
-
+
+
**Update/RequireUpdateApproval**
-
+
Home
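Review bot: The ADMX Info block added for RequireDeferUpgrade gives "GP element: *DeferUpgradePeriodId*", which is the same element this patch assigns to Update/DeferUpgradePeriod. One setting selects a channel and the other a number of months, so the identical element looks like a copy-paste from the earlier block. Please check the element name against WindowsUpdate.admx and correct whichever entry is wrong. This block also lacks the "GP English name" and "GP path" lines.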
@@ -1900,8 +2232,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1909,28 +2241,32 @@ The following list shows the supported values:
-
-
+
+
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
-
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
+Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+
+
+The following list shows the supported values:
- 0 – Not configured. The device installs all applicable updates.
- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
-
-
+
+
+
@@ -1952,8 +2288,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1961,23 +2297,34 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
-
The default value is 15 (minutes).
+The default value is 15 (minutes).
-
+
+
+ADMX Info:
+- GP English name: *Configure auto-restart warning notifications schedule for updates*
+- GP name: *RestartWarnRemind*
+- GP element: *RestartWarn*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
Supported values are 15, 30, or 60 (minutes).
-
+
+
-
+
+
**Update/ScheduleRestartWarning**
-
+
Home
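Review bot: The new ADMX Info block is inserted between "The default value is 15 (minutes)." and "Supported values are 15, 30, or 60 (minutes).", which separates the default from the list of values it belongs to. In the EngagedRestartDeadline and EngagedRestartSnoozeSchedule hunks the block comes after both sentences. Suggest the same ordering here and in the ScheduleRestartWarning hunk that follows, which has the same split.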
@@ -1999,8 +2346,8 @@ Supported values are 15, 30, or 60 (minutes).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2008,27 +2355,38 @@ Supported values are 15, 30, or 60 (minutes).
-
-
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
-
The default value is 4 (hours).
+The default value is 4 (hours).
-
+
+
+ADMX Info:
+- GP English name: *Configure auto-restart warning notifications schedule for updates*
+- GP name: *RestartWarnRemind*
+- GP element: *RestartWarnRemind*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
Supported values are 2, 4, 8, 12, or 24 (hours).
-
+
+
-
+
+
**Update/ScheduledInstallDay**
-
+
Home
@@ -2050,8 +2408,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2059,15 +2417,26 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Enables the IT admin to schedule the day of the update installation.
+
+
+Enables the IT admin to schedule the day of the update installation.
-
The data type is a integer.
+The data type is a integer.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchDay*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Every day
- 1 – Sunday
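Review bot: The re-added line "The data type is a integer." in the ScheduledInstallDay description carries the article error over unchanged; since the line is being touched anyway, change it to "The data type is an integer." The same sentence is re-added with the same wording in the ScheduledInstallTime description later in this file.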
@@ -2078,13 +2447,15 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
- 6 – Friday
- 7 – Saturday
-
-
+
+
+
-
+
+
**Update/ScheduledInstallEveryWeek**
-
+
Home
@@ -2106,8 +2477,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2115,21 +2486,32 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every week
-
-
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchEveryWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
-
+
+
**Update/ScheduledInstallFirstWeek**
-
+
Home
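Review bot: The re-added ScheduledInstallEveryWeek description still reads "schedule the update installation on the every week"; drop "on the" so it reads "schedule the update installation every week". The two supported values ("0 - no update in the schedule", "1 - update is scheduled every week") are also left as bare consecutive lines rather than "-" list items, unlike the value list under ScheduledInstallDay, so they will be joined into the preceding paragraph when rendered.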
@@ -2151,8 +2533,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2160,21 +2542,32 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every first week of the month
-
-
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchFirstWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
-
+
+
**Update/ScheduledInstallFourthWeek**
-
+
Home
@@ -2196,8 +2589,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2205,21 +2598,32 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every fourth week of the month
-
-
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *ScheduledInstallFourthWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
-
+
+
**Update/ScheduledInstallSecondWeek**
-
+
Home
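Review bot: The GP element added for the fourth-week policy is "ScheduledInstallFourthWeek", while the sibling entries for every week and first week in this file use the "AutoUpdateSch" prefix ("AutoUpdateSchEveryWeek", "AutoUpdateSchFirstWeek"). The second-week and third-week entries follow the "ScheduledInstall" form too. Please confirm each element name against WindowsUpdate.admx so that admins searching the template by element name find the right setting.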
@@ -2241,8 +2645,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2250,21 +2654,32 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every second week of the month
-
-
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *ScheduledInstallSecondWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
-
+
+
**Update/ScheduledInstallThirdWeek**
-
+
Home
@@ -2286,8 +2701,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2295,21 +2710,32 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
0 - no update in the schedule
1 - update is scheduled every third week of the month
-
-
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *ScheduledInstallThirdWeek*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
-
+
+
**Update/ScheduledInstallTime**
-
+
Home
@@ -2331,8 +2757,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2340,29 +2766,40 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
Enables the IT admin to schedule the time of the update installation.
+Enables the IT admin to schedule the time of the update installation.
-
The data type is a integer.
+The data type is a integer.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
+Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
-
The default value is 3.
+The default value is 3.
+
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
-
-
@@ -2384,8 +2821,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2393,22 +2830,35 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Turn off auto-restart notifications for update installations*
+- GP name: *AutoRestartNotificationDisable*
+- GP element: *AutoRestartNotificationSchd*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 (default) – Enabled
- 1 – Disabled
-
-
+
+
+
-
+
+
**Update/SetEDURestart**
-
+
Home
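Review bot: The value list "0 (default) – Enabled" / "1 – Disabled" is ambiguous next to a policy whose GP name is "AutoRestartNotificationDisable" and whose English name is "Turn off auto-restart notifications for update installations": a reader cannot tell whether "Enabled" refers to the notifications or to the policy. Suggest spelling out what each value does to the notifications, for example "0 (default) – Notifications enabled" and "1 – Notifications disabled", if that is the intended meaning.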
@@ -2430,8 +2880,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2439,22 +2889,34 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
-
Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
+
+
+Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Update Power Policy for Cart Restarts*
+- GP name: *SetEDURestart*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- 0 - not configured
- 1 - configured
-
-
+
+
+
-
+
+
**Update/UpdateServiceUrl**
-
+
Home
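Review bot: The ADMX Info block added for SetEDURestart has no "GP element" line, while the other ADMX Info blocks added in this diff each list one. If the policy has no element that is fine, but please confirm the line was not dropped by mistake. The value list here also uses a plain hyphen ("0 - not configured") where neighbouring lists use an en dash; pick one form.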
@@ -2476,8 +2938,8 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2485,20 +2947,33 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
+
+
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
-
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
+Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-
The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP element: *CorpWUURL_Name*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
+
+
Example
``` syntax
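Review bot: The supported-values example for UpdateServiceUrl shows a plain-HTTP WSUS endpoint ("http://abcd-srv:8530"). Update metadata fetched over HTTP can be altered by anyone on the network path between the device and the server, so the reference example should show an HTTPS URL (WSUS uses port 8531 for HTTPS by default) or carry a note recommending HTTPS. While this section is being edited, the unchanged Important note also misspells "Enterprise" as "Enteprise".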
@@ -2517,13 +2992,15 @@ Example
```
-
-
+
+
+
-
+
+
**Update/UpdateServiceUrlAlternate**
-
+
Home
@@ -2545,8 +3022,8 @@ Example
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -2554,23 +3031,32 @@ Example
-
-
-
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+
+
+Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
-
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
+To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
-
Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
-
-
+
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP element: *CorpWUContentHost_Name*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
Footnote:
@@ -2579,7 +3065,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Update policies supported by Windows Holographic for Business
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 5a1943db52..6e52bc893b 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/03/2018
+ms.date: 03/05/2018
---
# Policy CSP - UserRights
@@ -17,7 +17,7 @@ ms.date: 01/03/2018
-
+
## UserRights policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -145,26 +147,25 @@ ms.date: 01/03/2018
-
-
+
+
This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
-
-
+
+
+GP Info:
+- GP English name: *Access Credential Manager ase a trusted caller*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/AccessFromNetwork**
-
+
Home
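Review bot: Typo in the added GP English name: "Access Credential Manager ase a trusted caller" should read "Access Credential Manager as a trusted caller". Admins look this setting up in Group Policy by that string, so it needs to match the setting name exactly.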
@@ -186,8 +187,8 @@ This user right is used by Credential Manager during Backup/Restore. No accounts
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -195,26 +196,25 @@ This user right is used by Credential Manager during Backup/Restore. No accounts
-
-
+
+
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
-
-
+
+
+GP Info:
+- GP English name: *Access this computer from the network*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/ActAsPartOfTheOperatingSystem**
-
+
Home
@@ -236,8 +236,8 @@ This user right determines which users and groups are allowed to connect to the
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -245,26 +245,25 @@ This user right determines which users and groups are allowed to connect to the
-
-
+
+
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
-
-
+
+
+GP Info:
+- GP English name: *Act as part of the operating system*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/AllowLocalLogOn**
-
+
Home
@@ -286,8 +285,8 @@ This user right allows a process to impersonate any user without authentication.
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -295,26 +294,25 @@ This user right allows a process to impersonate any user without authentication.
-
-
-This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+
+This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
-
-
+
+
+GP Info:
+- GP English name: *Allow log on locally*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/BackupFilesAndDirectories**
-
+
Home
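Review bot: The AllowLocalLogOn description is removed and re-added with no visible text change, and it still carries the stray space before the closing parenthesis in "(https://go.microsoft.com/fwlink/?LinkId=24268 )". If this is meant as a whitespace-only fix, consider also turning the reference into a Markdown link with "Allow log on locally" as the link text, which removes the stray space and the bare URL in one step.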
@@ -336,8 +334,8 @@ This user right determines which users can log on to the computer. Note: Modifyi
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -345,26 +343,25 @@ This user right determines which users can log on to the computer. Note: Modifyi
-
-
+
+
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
-
-
+
+
+GP Info:
+- GP English name: *Back up files and directories*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/ChangeSystemTime**
-
+
Home
@@ -386,8 +383,8 @@ This user right determines which users can bypass file, directory, registry, and
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -395,26 +392,25 @@ This user right determines which users can bypass file, directory, registry, and
-
-
+
+
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
-
-
+
+
+GP Info:
+- GP English name: *Change the system time*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/CreateGlobalObjects**
-
+
Home
@@ -436,8 +432,8 @@ This user right determines which users and groups can change the time and date o
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -445,26 +441,25 @@ This user right determines which users and groups can change the time and date o
-
-
+
+
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
-
-
+
+
+GP Info:
+- GP English name: *Create global objects*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/CreatePageFile**
-
+
Home
@@ -486,8 +481,8 @@ This security setting determines whether users can create global objects that ar
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -495,26 +490,25 @@ This security setting determines whether users can create global objects that ar
-
-
+
+
This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
-
-
+
+
+GP Info:
+- GP English name: *Create a pagefile*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/CreatePermanentSharedObjects**
-
+
Home
@@ -536,8 +530,8 @@ This user right determines which users and groups can call an internal applicati
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -545,26 +539,25 @@ This user right determines which users and groups can call an internal applicati
-
-
+
+
This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
-
-
+
+
+GP Info:
+- GP English name: *Create permanent shared objects*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/CreateSymbolicLinks**
-
+
Home
@@ -586,8 +579,8 @@ This user right determines which accounts can be used by processes to create a d
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -595,26 +588,25 @@ This user right determines which accounts can be used by processes to create a d
-
-
+
+
This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
-
-
+
+
+GP Info:
+- GP English name: *Create symbolic links*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/CreateToken**
-
+
Home
@@ -636,8 +628,8 @@ This user right determines if the user can create a symbolic link from the compu
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -645,26 +637,25 @@ This user right determines if the user can create a symbolic link from the compu
-
-
+
+
This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
-
-
+
+
+GP Info:
+- GP English name: *Create a token object*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/DebugPrograms**
-
+
Home
@@ -686,8 +677,8 @@ This user right determines which accounts can be used by processes to create a t
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -695,26 +686,25 @@ This user right determines which accounts can be used by processes to create a t
-
-
+
+
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
-
-
+
+
+GP Info:
+- GP English name: *Debug programs*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/DenyAccessFromNetwork**
-
+
Home
@@ -736,8 +726,8 @@ This user right determines which users can attach a debugger to any process or t
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -745,26 +735,25 @@ This user right determines which users can attach a debugger to any process or t
-
-
+
+
This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
-
-
+
+
+GP Info:
+- GP English name: *Deny access to this computer from the network*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/DenyLocalLogOn**
-
+
Home
@@ -786,8 +775,8 @@ This user right determines which users are prevented from accessing a computer o
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -795,26 +784,25 @@ This user right determines which users are prevented from accessing a computer o
-
-
+
+
This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
-
-
+
+
+GP Info:
+- GP English name: *Deny log on as a service*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/DenyRemoteDesktopServicesLogOn**
-
+
Home
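Review bot: The GP Info added under UserRights/DenyLocalLogOn names the setting "Deny log on as a service", and the unchanged description above it talks about service accounts registering a process as a service. Both describe a different user right from the one in the policy name; the Group Policy setting for denying local logon is "Deny log on locally". Please correct the description and the GP English name, because an admin reading this entry would expect the policy to control service logon rather than interactive logon.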
@@ -836,8 +824,8 @@ This security setting determines which service accounts are prevented from regis
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -845,26 +833,25 @@ This security setting determines which service accounts are prevented from regis
-
-
+
+
This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
-
-
+
+
+GP Info:
+- GP English name: *Deny log on through Remote Desktop Services*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/EnableDelegation**
-
+
Home
@@ -886,8 +873,8 @@ This user right determines which users and groups are prohibited from logging on
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -895,26 +882,25 @@ This user right determines which users and groups are prohibited from logging on
-
-
+
+
This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
-
-
+
+
+GP Info:
+- GP English name: *Enable computer and user accounts to be trusted for delegation*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/GenerateSecurityAudits**
-
+
Home
@@ -936,8 +922,8 @@ This user right determines which users can set the Trusted for Delegation settin
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -945,26 +931,25 @@ This user right determines which users can set the Trusted for Delegation settin
-
-
+
+
This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
-
-
+
+
+GP Info:
+- GP English name: *Generate security audits*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/ImpersonateClient**
-
+
Home
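Review bot: The last sentence of the GenerateSecurityAudits description, "Shut down system immediately if unable to log security audits security policy setting is enabled.", is a fragment: it names a security policy setting but has lost the clause that connects it to the denial-of-service risk in the sentence before it. Since this is the part of the entry that explains the risk of granting the right, please restore the full sentence while the section is being edited.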
@@ -986,8 +971,8 @@ This user right determines which accounts can be used by a process to add entrie
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -995,30 +980,29 @@ This user right determines which accounts can be used by a process to add entrie
-
-
+
+
Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
1) The access token that is being impersonated is for this user.
2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
3) The requested level is less than Impersonate, such as Anonymous or Identify.
Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
-
-
+
+
+GP Info:
+- GP English name: *Impersonate a client after authentication*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/IncreaseSchedulingPriority**
-
+
Home
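Review bot: In the ImpersonateClient description (the unchanged paragraph starting "Assigning this user right to a user allows programs..."), the Caution, Note and Warning texts are run into a single paragraph, so the warning that enabling the setting can strip the Impersonate privilege from programs that previously had it is easy to miss. Since this change already restructures the section, consider moving each into its own `> [!NOTE]`-style callout, as policy-csp-wifi.md in this same commit does, and formatting conditions 1) to 3) as a proper numbered list.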
@@ -1040,8 +1024,8 @@ Because of these factors, users do not usually need this user right. Warning: If
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1049,26 +1033,25 @@ Because of these factors, users do not usually need this user right. Warning: If
-
-
+
+
This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
-
-
+
+
+GP Info:
+- GP English name: *Increase scheduling priority*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/LoadUnloadDeviceDrivers**
-
+
Home
@@ -1090,8 +1073,8 @@ This user right determines which accounts can use a process with Write Property
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1099,26 +1082,25 @@ This user right determines which accounts can use a process with Write Property
-
-
+
+
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
-
-
+
+
+GP Info:
+- GP English name: *Load and unload device drivers*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/LockMemory**
-
+
Home
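Review bot: The LoadUnloadDeviceDrivers description says "It is recommended that you do not assign this privilege to other users" without saying who the intended holders are, so "other" has no referent. Name the accounts or groups expected to hold the right, or drop "other". While here, "in to kernel mode" should read "into kernel mode", and the inline "Caution:" would stand out better as a callout.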
@@ -1140,8 +1122,8 @@ This user right determines which users can dynamically load and unload device dr
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1149,26 +1131,25 @@ This user right determines which users can dynamically load and unload device dr
-
-
+
+
This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
-
-
+
+
+GP Info:
+- GP English name: *Lock pages in memory*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/ManageAuditingAndSecurityLog**
-
+
Home
@@ -1190,8 +1171,8 @@ This user right determines which accounts can use a process to keep data in phys
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1199,26 +1180,25 @@ This user right determines which accounts can use a process to keep data in phys
-
-
+
+
This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
-
-
+
+
+GP Info:
+- GP English name: *Manage auditing and security log*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/ManageVolume**
-
+
Home
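Review bot: The ManageAuditingAndSecurityLog description ends with "A user with this privilege can also view and clear the security log" but, unlike the ImpersonateClient, LoadUnloadDeviceDrivers and TakeOwnership entries, carries no caution. The ability to clear the security log deserves the same "only assign this user right to trusted users" treatment those entries get; consider adding it next to the new GP Info block.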
@@ -1240,8 +1220,8 @@ This user right determines which users can specify object access auditing option
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1249,26 +1229,25 @@ This user right determines which users can specify object access auditing option
-
-
+
+
This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
-
-
+
+
+GP Info:
+- GP English name: *Perform volume maintenance tasks*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/ModifyFirmwareEnvironment**
-
+
Home
@@ -1290,8 +1269,8 @@ This user right determines which users and groups can run maintenance tasks on a
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1299,26 +1278,25 @@ This user right determines which users and groups can run maintenance tasks on a
-
-
+
+
This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
-
-
+
+
+GP Info:
+- GP English name: *Modify firmware environment values*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/ModifyObjectLabel**
-
+
Home
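Review bot: The ModifyFirmwareEnvironment description has sentences fused with no space, "depends on the processor.On x86-based computers" and "install or upgrade Windows.Note:", which suggests paragraph breaks were lost when the text was flattened into one line. Restore the breaks and make the trailing "Note:" a callout so it is clear that this right does not govern the system and user environment variables.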
@@ -1340,8 +1318,8 @@ This user right determines who can modify firmware environment values. Firmware
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1349,26 +1327,25 @@ This user right determines who can modify firmware environment values. Firmware
-
-
+
+
This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
-
-
+
+
+GP Info:
+- GP English name: *Modify an object label*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/ProfileSingleProcess**
-
+
Home
@@ -1390,8 +1367,8 @@ This user right determines which user accounts can modify the integrity label of
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1399,26 +1376,25 @@ This user right determines which user accounts can modify the integrity label of
-
-
+
+
This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
-
-
+
+
+GP Info:
+- GP English name: *Profile single process*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/RemoteShutdown**
-
+
Home
@@ -1440,8 +1416,8 @@ This user right determines which users can use performance monitoring tools to m
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1449,26 +1425,25 @@ This user right determines which users can use performance monitoring tools to m
-
-
+
+
This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
-
-
+
+
+GP Info:
+- GP English name: *Force shutdown from a remote system*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/RestoreFilesAndDirectories**
-
+
Home
@@ -1490,8 +1465,8 @@ This user right determines which users are allowed to shut down a computer from
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1499,26 +1474,25 @@ This user right determines which users are allowed to shut down a computer from
-
-
+
+
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
-
-
+
+
+GP Info:
+- GP English name: *Restore files and directories*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
+
+
-
-
-
-
-
-
+
+
**UserRights/TakeOwnership**
-
+
Home
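Review bot: In the RestoreFilesAndDirectories description, "on all files and folders on the system:Traverse Folder/Execute File, Write." is missing the space after the colon, and the two permissions would be clearer as a short list. The inline "Caution:" about overwriting registry settings, hiding data and gaining ownership of system objects should be a callout so it is not lost in the paragraph.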
@@ -1540,8 +1514,8 @@ This user right determines which users can bypass file, directory, registry, and
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -1549,21 +1523,18 @@ This user right determines which users can bypass file, directory, registry, and
-
-
+
+
This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
-
-
+
+
+GP Info:
+- GP English name: *Take ownership of files or other objects*
+- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-
-
-
-
-
-
-
-
+
+
Footnote:
@@ -1572,5 +1543,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index eb5a2581ab..f4e3dbae88 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - Wifi
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## Wifi policies
@@ -42,20 +42,24 @@ ms.date: 12/14/2017
+
-
+
+
**WiFi/AllowWiFiHotSpotReporting**
-
-
This policy has been deprecated.
+
+This policy has been deprecated.
+
+
+
-
-
Allow or disallow the device to automatically connect to Wi-Fi hotspots.
+
+
+Allow or disallow the device to automatically connect to Wi-Fi hotspots.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services*
+- GP name: *WiFiSense*
+- GP path: *Network/WLAN Service/WLAN Settings*
+- GP ADMX file name: *wlansvc.admx*
+
+
The following list shows the supported values:
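Review bot: The added ADMX English name covers three behaviours (suggested open hotspots, networks shared by contacts, and hotspots offering paid services), while the description in this hunk only says "Allow or disallow the device to automatically connect to Wi-Fi hotspots." State in the description whether value 0 turns off all three. Also, the heading here is "WiFi/AllowWiFiHotSpotReporting" while the later headings in this file use "Wifi/"; pick one casing.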
@@ -100,12 +112,14 @@ The following list shows the supported values:
- 1 (default) – Allowed.
-
+
+
-
+
+
**Wifi/AllowInternetSharing**
-
+
Home
@@ -127,8 +141,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -136,13 +150,21 @@ The following list shows the supported values:
-
-
-
Allow or disallow internet sharing.
+
+
+Allow or disallow internet sharing.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
+
+ADMX Info:
+- GP English name: *Prohibit use of Internet Connection Sharing on your DNS domain network*
+- GP name: *NC_ShowSharedAccessUI*
+- GP path: *Network/Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
The following list shows the supported values:
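Review bot: The ADMX English name added here is phrased as a prohibition ("Prohibit use of Internet Connection Sharing on your DNS domain network") while the CSP is phrased as an allowance, with 1 (default) meaning Internet Sharing is allowed. Say explicitly how the two map, that is, which CSP value corresponds to the Group Policy being enabled, so an admin moving between Group Policy and MDM does not set the opposite of what was intended. The GP name is also scoped to the "DNS domain network"; if the CSP applies more broadly, note that as well.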
@@ -150,12 +172,14 @@ The following list shows the supported values:
- 1 (default) – Allow the use of Internet Sharing.
-
+
+
-
+
+
**Wifi/AllowManualWiFiConfiguration**
-
+
Home
@@ -177,8 +201,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -186,16 +210,16 @@ The following list shows the supported values:
-
-
-
Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
+
+
+Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
-
Most restricted value is 0.
+Most restricted value is 0.
> [!NOTE]
> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
-
+
The following list shows the supported values:
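Review bot: The note in AllowManualWiFiConfiguration says "Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted" and "not all non-MDM profiles are completely deleted", but does not identify which profiles survive. An admin using value 0 to restrict devices to MDM-provisioned networks needs to know what can remain, so list the profile types or link to where they are described. Grammar: "not user configured nor Wi-Fi sense" should be "neither user configured nor Wi-Fi Sense".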
@@ -203,12 +227,14 @@ The following list shows the supported values:
- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed.
-
+
+
-
+
+
**Wifi/AllowWiFi**
-
+
Home
@@ -230,8 +256,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -239,13 +265,13 @@ The following list shows the supported values:
-
-
-
Allow or disallow WiFi connection.
+
+
+Allow or disallow WiFi connection.
-
Most restricted value is 0.
+Most restricted value is 0.
-
+
The following list shows the supported values:
@@ -253,12 +279,14 @@ The following list shows the supported values:
- 1 (default) – WiFi connection is allowed.
-
+
+
-
+
+
**Wifi/AllowWiFiDirect**
-
+
Home
@@ -280,8 +308,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -289,11 +317,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Allow WiFi Direct connection..
+
+
+Added in Windows 10, version 1703. Allow WiFi Direct connection..
-
+
The following list shows the supported values:
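Review bot: The re-added AllowWiFiDirect line still ends with a double period ("Allow WiFi Direct connection.."). Fix it in this pass, and consider "Allow or disallow" to match the wording of the other entries in this file.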
@@ -301,12 +329,14 @@ The following list shows the supported values:
- 1 - WiFi Direct connection is allowed.
-
+
+
-
+
+
**Wifi/WLANScanMode**
-
+
Home
@@ -328,8 +358,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -337,18 +367,18 @@ The following list shows the supported values:
-
-
-
Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
+
+
+Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
-
Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.
+Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.
-
The default value is 0.
+The default value is 0.
-
Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-
-
+
+
Footnote:
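Review bot: WLANScanMode states "The default value is 0" but only defines 100 (normal scan frequency) and 500 (low scan frequency), so the meaning of the default, and of the values between the defined points, is undocumented. Add what 0 means and how intermediate values scale.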
@@ -357,7 +387,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
## Wifi policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 88d40dca78..8329d11f77 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/29/2017
+ms.date: 03/05/2018
---
# Policy CSP - WindowsDefenderSecurityCenter
@@ -17,7 +17,7 @@ ms.date: 12/29/2017
-
+
## WindowsDefenderSecurityCenter policies
Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options.
+
+
+Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options.
-
Value type is string. Supported operations are Add, Get, Replace and Delete.
+Value type is string. Supported operations are Add, Get, Replace and Delete.
+
+
+
+ADMX Info:
+- GP English name: *Specify contact company name*
+- GP name: *EnterpriseCustomization_CompanyName*
+- GP element: *Presentation_EnterpriseCustomization_CompanyName*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
-
-
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -158,31 +171,34 @@ ms.date: 12/29/2017
-
-
+
+
Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+ADMX Info:
+- GP English name: *Hide the Account protection area*
+- GP name: *AccountProtection_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Account protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
Valid values:
- 0 - (Disable) The users can see the display of the Account protection area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the Account protection area in Windows Defender Security Center.
-
-
-
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/DisableAppBrowserUI**
-
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Hide the App and browser protection area*
+- GP name: *AppBrowserProtection_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/App and browser protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
The following list shows the supported values:
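Review bot: The Account protection description says "Added in Windows 10, next major release", a placeholder that will go stale; replace it with the version number once it is known. The same paragraph has "to specify if to display" (suggest "to specify whether to display") and "Windows defender Security Center" with a lowercase "d". It also labels its list "Valid values:" and omits the "Value type is integer. Supported operations are ..." sentence that DisableAppBrowserUI carries later in this hunk; align the two.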
@@ -228,12 +251,14 @@ The following list shows the supported values:
- 1 - (Enable) The users cannot see the display of the app and browser protection area in Windows Defender Security Center.
-
+
+
@@ -255,8 +280,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -264,31 +289,34 @@ The following list shows the supported values:
-
-
+
+
Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+ADMX Info:
+- GP English name: *Hide the Device security area*
+- GP name: *DeviceSecurity_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Device security*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
Valid values:
- 0 - (Disable) The users can see the display of the Device security area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the Device secuirty area in Windows Defender Security Center.
-
-
-
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/DisableEnhancedNotifications**
-
+
Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
+
+
+Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
> [!Note]
> If Suppress notification is enabled then users will not see critical or non-critical messages.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Hide non-critical notifications*
+- GP name: *Notifications_DisableEnhancedNotifications*
+- GP path: *Windows Components/Windows Defender Security Center/Notifications*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
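Review bot: Value 1 in the Device security list reads "Device secuirty area"; correct the spelling to "security". This entry also carries the "next major release" placeholder and the lowercase "Windows defender". Further down, the DisableEnhancedNotifications note refers to "Suppress notification", which is not the name of any policy shown here; use the actual policy name so readers can find the setting it depends on.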
@@ -336,12 +372,14 @@ The following list shows the supported values:
- 1 - (Enable) Windows Defender Security Center only display notifications which are considered critical on clients.
-
+
+
@@ -363,8 +401,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -372,13 +410,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Hide the Family options area*
+- GP name: *FamilyOptions_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Family options*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -386,12 +432,14 @@ The following list shows the supported values:
- 1 - (Enable) The users cannot see the display of the family options area in Windows Defender Security Center.
-
+
+
@@ -413,8 +461,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -422,13 +470,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Hide the Device performance and health area*
+- GP name: *DevicePerformanceHealth_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Device performance and health*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -436,12 +492,14 @@ The following list shows the supported values:
- 1 - (Enable) The users cannot see the display of the device performance and health area in Windows Defender Security Center.
-
+
+
@@ -463,8 +521,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -472,13 +530,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Hide the Firewall and network protection area*
+- GP name: *FirewallNetworkProtection_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Firewall and network protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -486,12 +552,14 @@ The following list shows the supported values:
- 1 - (Enable) The users cannot see the display of the firewall and network protection area in Windows Defender Security Center.
-
+
+
@@ -513,8 +581,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -522,13 +590,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Hide all notifications*
+- GP name: *Notifications_DisableNotifications*
+- GP path: *Windows Components/Windows Defender Security Center/Notifications*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -536,12 +612,14 @@ The following list shows the supported values:
- 1 - (Enable) The users cannot see the display of Windows Defender Security Center notifications.
-
+
+
@@ -563,8 +641,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -572,13 +650,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
+Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Hide the Virus and threat protection area*
+- GP name: *VirusThreatProtection_UILockdown*
+- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -586,12 +672,14 @@ The following list shows the supported values:
- 1 - (Enable) The users cannot see the display of the virus and threat protection area in Windows Defender Security Center.
-
+
+
@@ -613,8 +701,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -622,13 +710,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area.
+
+
+Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area.
-
Value type is integer. Supported operations are Add, Get, Replace and Delete.
+Value type is integer. Supported operations are Add, Get, Replace and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Prevent users from modifying settings*
+- GP name: *AppBrowserProtection_DisallowExploitProtectionOverride*
+- GP path: *Windows Components/Windows Defender Security Center/App and browser protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -636,12 +732,14 @@ The following list shows the supported values:
- 1 - (Enable) Local users cannot make changes in the exploit protection settings area.
-
+
+
-
+
+
**WindowsDefenderSecurityCenter/Email**
-
+
Home
@@ -663,8 +761,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -672,19 +770,30 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
+
+
+Added in Windows 10, version 1709. The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
-
Value type is string. Supported operations are Add, Get, Replace and Delete.
+Value type is string. Supported operations are Add, Get, Replace and Delete.
+
+
+
+ADMX Info:
+- GP English name: *Specify contact email address or Email ID*
+- GP name: *EnterpriseCustomization_Email*
+- GP element: *Presentation_EnterpriseCustomization_Email*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
-
-
@@ -706,8 +815,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -715,13 +824,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
+
+
+Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Configure customized notifications*
+- GP name: *EnterpriseCustomization_EnableCustomizedToasts*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -729,12 +846,14 @@ The following list shows the supported values:
- 1 - (Enable) Notifications contain the company name and contact options.
-
+
+
@@ -756,8 +875,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -765,13 +884,21 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
+
+
+Added in Windows 10, version 1709. Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+
+
+ADMX Info:
+- GP English name: *Configure customized contact information*
+- GP name: *EnterpriseCustomization_EnableInAppCustomization*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
The following list shows the supported values:
@@ -779,12 +906,14 @@ The following list shows the supported values:
- 1 - (Enable) Display the company name and contact options in the card fly out notification.
-
+
+
@@ -806,8 +935,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -815,30 +944,34 @@ The following list shows the supported values:
-
-
-Added in Windows 10, next major update. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center.
+
+
+Added in Windows 10, version 1803. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center.
+
+
+ADMX Info:
+- GP English name: *Hide the Ransomware data recovery area*
+- GP name: *VirusThreatProtection_HideRansomwareRecovery*
+- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
Valid values:
- 0 - (Disable or not configured) The Ransomware data recovery area will be visible.
-- 1 - (Enable) The Ransomware data recovery area is hidden.
-
-
+- 1 - (Enable) The Ransomware data recovery area is hidden.
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/HideSecureBoot**
-
+
Home
@@ -860,8 +993,8 @@ Valid values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -869,30 +1002,34 @@ Valid values:
-
-
-Added in Windows 10, next major update. Use this policy to hide the Secure boot area in the Windows Defender Security Center.
+
+
+Added in Windows 10, version 1803. Use this policy to hide the Secure boot area in the Windows Defender Security Center.
+
+
+ADMX Info:
+- GP English name: *Hide the Secure boot area*
+- GP name: *DeviceSecurity_HideSecureBoot*
+- GP path: *Windows Components/Windows Defender Security Center/Device security*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
Valid values:
- 0 - (Disable or not configured) The Secure boot area is displayed.
- 1 - (Enable) The Secure boot area is hidden.
-
-
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/HideTPMTroubleshooting**
-
+
Home
@@ -914,8 +1051,8 @@ Valid values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -923,30 +1060,34 @@ Valid values:
-
-
-Added in Windows 10, next major update. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center.
+
+
+Added in Windows 10, version 1803. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center.
+
+
+ADMX Info:
+- GP English name: *Hide the Security processor (TPM) troubleshooter page*
+- GP name: *DeviceSecurity_HideTPMTroubleshooting*
+- GP path: *Windows Components/Windows Defender Security Center/Device security*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
Valid values:
- 0 - (Disable or not configured) The Security processor (TPM) troubleshooting area is displayed.
- 1 - (Enable) The Security processor (TPM) troubleshooting area is hidden.
-
-
-
+
-
-
-
-
-
-
+
+
**WindowsDefenderSecurityCenter/Phone**
-
+
Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
+
+
+Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+ADMX Info:
+- GP English name: *Specify contact phone number or Skype ID*
+- GP name: *EnterpriseCustomization_Phone*
+- GP element: *Presentation_EnterpriseCustomization_Phone*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
-
-
Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options.
+
+
+Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options.
-
Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
-
+
+
+ADMX Info:
+- GP English name: *Specify contact website*
+- GP name: *EnterpriseCustomization_URL*
+- GP element: *Presentation_EnterpriseCustomization_URL*
+- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
+- GP ADMX file name: *WindowsDefenderSecurityCenter.admx*
+
+
+
Footnote:
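Review bot: the re-added description for the help portal URL policy (GP name EnterpriseCustomization_URL) keeps two copy errors on its `+` lines. "The help portal URL this is displayed to users" should read "that is displayed", and "Value type is Value type is string." repeats its opening words. Since both lines are rewritten by this change, correct them here instead of carrying them into the new layout.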
@@ -1036,5 +1197,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index eea3c2b2c4..3549c95e06 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - WindowsInkWorkspace
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## WindowsInkWorkspace policies
Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
+
+
+Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
-
+
+
+ADMX Info:
+- GP English name: *Allow suggested apps in Windows Ink Workspace*
+- GP name: *AllowSuggestedAppsInWindowsInkWorkspace*
+- GP path: *Windows Components/Windows Ink Workspace*
+- GP ADMX file name: *WindowsInkWorkspace.admx*
+
+
The following list shows the supported values:
@@ -74,12 +84,14 @@ The following list shows the supported values:
- 1 (default) -allow app suggestions.
-
+
+
@@ -101,8 +113,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -110,18 +122,29 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
+
+
+Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
-
Value type is int. The following list shows the supported values:
+
+
+ADMX Info:
+- GP English name: *Allow Windows Ink Workspace*
+- GP name: *AllowWindowsInkWorkspace*
+- GP element: *AllowWindowsInkWorkspaceDropdown*
+- GP path: *Windows Components/Windows Ink Workspace*
+- GP ADMX file name: *WindowsInkWorkspace.admx*
+
+
+
+Value type is int. The following list shows the supported values:
- 0 - access to ink workspace is disabled. The feature is turned off.
- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
-
-
+
+
Footnote:
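Review bot: in AllowWindowsInkWorkspace the line "Value type is int. The following list shows the supported values:" is moved below the ADMX Info block, whereas the other policies in this patch keep the value-type sentence in the description above ADMX Info and spell it "integer". Keep the value type with the description and leave only the list lead-in in front of the values, so the per-policy layout and wording stay uniform.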
@@ -130,5 +153,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 2a237c5b45..cc10b25f2c 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - WindowsLogon
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## WindowsLogon policies
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -65,15 +67,15 @@ ms.date: 12/14/2017
-
-
+
+
This policy setting allows you to prevent app notifications from appearing on the lock screen.
If you enable this policy setting, no app notifications are displayed on the lock screen.
If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -81,20 +83,22 @@ If you disable or do not configure this policy setting, users can choose which a
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
-
-
+
+
+
-
+
+
**WindowsLogon/DontDisplayNetworkSelectionUI**
-
+
Home
@@ -116,8 +120,8 @@ ADMX Info:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -125,15 +129,15 @@ ADMX Info:
-
-
+
+
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
-
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -141,20 +145,22 @@ If you disable or don't configure this policy setting, any user can disconnect t
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
ADMX Info:
- GP English name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
-
-
+
+
+
-
+
+
**WindowsLogon/HideFastUserSwitching**
-
+
Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
+
+
+Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
-
To validate on Desktop, do the following:
+
+
+ADMX Info:
+- GP English name: *Hide entry points for Fast User Switching*
+- GP name: *HideFastUserSwitching*
+- GP path: *System/Logon*
+- GP ADMX file name: *Logon.admx*
-1. Enable policy.
-2. Verify that the Switch account button in Start is hidden.
-
-
+
The following list shows the supported values:
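Review bot: the ADMX Info added for HideFastUserSwitching gives the file name as *Logon.admx*, while the DisableLockScreenAppNotifications and DontDisplayNetworkSelectionUI entries in the same file use *logon.admx*. Use one casing across the WindowsLogon policies so that searching the docs for the ADMX file name finds all three.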
@@ -202,7 +211,14 @@ The following list shows the supported values:
- 1 - Enabled (hidden).
-
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Verify that the Switch account button in Start is hidden.
+
+
+
Footnote:
@@ -211,5 +227,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index a6b8d30818..9e122a3f3f 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 03/05/2018
---
# Policy CSP - WirelessDisplay
@@ -15,7 +15,7 @@ ms.date: 12/14/2017
-
+
## WirelessDisplay policies
Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement.
-
+
The following list shows the supported values:
@@ -92,12 +94,14 @@ The following list shows the supported values:
- 1 - Allow
-
+
+
-
+
+
**WirelessDisplay/AllowMdnsDiscovery**
-
+
Home
@@ -119,8 +123,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -128,11 +132,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery.
-
+
The following list shows the supported values:
@@ -140,12 +144,14 @@ The following list shows the supported values:
- 1 - Allow
-
+
+
@@ -167,8 +173,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -176,11 +182,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
+
+
+Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
-
+
The following list shows the supported values:
@@ -188,12 +194,14 @@ The following list shows the supported values:
- 1 - your PC can discover and project to other devices
-
+
+
@@ -215,8 +223,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -224,11 +232,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
+
+
+Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
-
+
The following list shows the supported values:
@@ -236,12 +244,14 @@ The following list shows the supported values:
- 1 - your PC can discover and project to other devices over infrastructure.
-
+
+
-
+
+
**WirelessDisplay/AllowProjectionToPC**
-
+
Home
@@ -263,8 +273,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -272,15 +282,23 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
+
+
+Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
-
If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
+If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-
Value type is integer.
+Value type is integer.
-
+
+
+ADMX Info:
+- GP English name: *Don't allow this PC to be projected to*
+- GP name: *AllowProjectionToPC*
+- GP path: *Windows Components/Connect*
+- GP ADMX file name: *WirelessDisplay.admx*
+
+
The following list shows the supported values:
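Review bot: the ADMX Info added for AllowProjectionToPC maps the policy to the GP setting *Don't allow this PC to be projected to*, which is worded in the opposite sense to the CSP values described just above it (0 means not discoverable, 1 means projection is allowed). Add a sentence stating which GP state corresponds to which CSP value, so that an admin moving between Group Policy and MDM does not apply the inverse of the intended setting.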
@@ -288,12 +306,14 @@ The following list shows the supported values:
- 1 (default) - projection to PC is allowed. Enabled only above the lock screen.
-
+
+
@@ -315,8 +335,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -324,11 +344,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
+
+
+Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
-
+
The following list shows the supported values:
@@ -336,12 +356,14 @@ The following list shows the supported values:
- 1 - your PC is discoverable and other devices can project to it over infrastructure.
-
+
+
-
+
+
**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
-
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -349,11 +371,11 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device.
+
+
+Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device.
-
+
The following list shows the supported values:
@@ -361,12 +383,14 @@ The following list shows the supported values:
- 1 (default) - Wireless display input enabled.
-
+
+
@@ -388,8 +412,8 @@ The following list shows the supported values:
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -397,15 +421,23 @@ The following list shows the supported values:
-
-
-
Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
+
+
+Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
-
If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
+If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-
Value type is integer.
+Value type is integer.
-
+
+
+ADMX Info:
+- GP English name: *Require pin for pairing*
+- GP name: *RequirePinForPairing*
+- GP path: *Windows Components/Connect*
+- GP ADMX file name: *WirelessDisplay.admx*
+
+
The following list shows the supported values:
@@ -413,7 +445,7 @@ The following list shows the supported values:
- 1 - PIN is required.
-
+
Footnote:
@@ -422,5 +454,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
+
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 72cac2741a..406db3df06 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 02/26/2018
---
# Policy DDF file
@@ -24,7 +24,7 @@ You can download the DDF files from the links below:
- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
- [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)
-The XML below is the DDF for Windows 10, version 1709.
+The XML below is the DDF for Windows 10, version 1803.
``` syntax
@@ -50,7 +50,7 @@ The XML below is the DDF for Windows 10, version 1709.
- com.microsoft/6.0/MDM/Policy
+ com.microsoft/7.0/MDM/Policy
@@ -58,8 +58,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -79,8 +79,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -125,8 +125,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -219,8 +219,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -265,8 +265,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -359,8 +359,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -447,6 +447,30 @@ The XML below is the DDF for Windows 10, version 1709.
+
+ AllowConfigurationUpdateForBooksLibrary
+
+
+
+
+
+
+
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowCookies
@@ -875,6 +899,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+
+
+
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EnterpriseModeSiteList
@@ -1131,6 +1179,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ PreventTabPreloading
+
+
+
+
+
+
+
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventUsingLocalHostIPAddressForWebRTC
@@ -1288,14 +1360,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ UseSharedFolderForBooks
+
+
+
+
+
+
+
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ CredentialsUI
-
+
@@ -1340,8 +1436,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1381,13 +1477,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ Display
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Education
-
+
@@ -1480,8 +1622,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1646,8 +1788,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1710,30 +1852,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
- AllowWindowsConsumerFeatures
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- AllowWindowsSpotlight
@@ -1782,6 +1900,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowWindowsSpotlightOnSettings
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowWindowsSpotlightWindowsWelcomeExperience
@@ -1836,8 +1978,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -3508,6 +3650,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ InternetZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -4828,6 +4994,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LockedDownIntranetZoneAllowAccessToDataSources
@@ -6652,6 +6842,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -7541,13 +7755,179 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BlockedUrls
+
+
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultURL
+
+
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableHomeButton
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableNavigationButtons
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestartOnIdleTime
+
+
+
+
+
+
+
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Notifications
-
+
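Review bot: two of the KioskBrowser descriptions added in this hunk need wording fixes before they go into the DDF. DefaultURL reads "Configures the default URL kiosk browsers to navigate on launch and restart" (suggest "the default URL that kiosk browsers navigate to on launch and restart"), and BlockedUrls uses "can not" where "cannot" is meant. BlockedUrls and BlockedUrlExceptions also both say "with wildcard support" without giving the wildcard syntax; a pointer to where it is documented would help whoever writes the block and exception lists.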
@@ -7592,8 +7972,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7638,8 +8018,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7684,8 +8064,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7700,6 +8080,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DisableContextMenus
+
+
+
+
+
+
+
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HidePeopleBar
@@ -7754,8 +8158,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7795,6 +8199,52 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Result
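Review bot: the new WindowsPowerShell/TurnOnPowerShellScriptBlockLogging node has no description text in this hunk as shown, while the other nodes added in this patch (the KioskBrowser settings, DisableContextMenus) each carry one. This setting controls whether PowerShell script block logging is turned on, which is something security teams will look up by name, so please add a description that says what enabling it records and which ADMX policy it maps to.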
@@ -7840,8 +8290,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -7854,6 +8304,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ RequirePrivateStoreOnly_1HighestValueMostSecure
@@ -7883,8 +8337,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7910,8 +8364,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7937,8 +8391,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7984,8 +8438,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -8028,8 +8482,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8055,8 +8509,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8082,8 +8536,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8129,8 +8583,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.1
+ This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
@@ -8145,6 +8599,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAddressBarDropdownLowestValueMostSecure
@@ -8154,8 +8611,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.0
+ This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.
@@ -8169,6 +8626,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAutofillLowestValueMostSecure
@@ -8178,8 +8638,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -8198,13 +8658,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- AllowCookies
+ AllowConfigurationUpdateForBooksLibrary
- This setting lets you configure how your company deals with cookies.
- 2
+ 1
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
@@ -8217,6 +8677,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ LowestValueMostSecure
+
+
+
+ AllowCookies
+
+
+
+
+ 2
+ This setting lets you configure how your company deals with cookies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ CookiesListBox
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ CookiesLowestValueMostSecure
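Review bot: the re-added AllowCookies node keeps the description "This setting lets you configure how your company deals with cookies." with a default of 2 and a LowestValueMostSecure tag, but never says what each value means, so a reader cannot tell what the default permits or which value a conflict resolves to. Please enumerate the values in the description. Also, the AllowConfigurationUpdateForBooksLibrary node that now precedes it ends with only LowestValueMostSecure at the top of this hunk and shows no MicrosoftEdge.admx mapping lines of the kind AllowCookies gets; confirm that is intended.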
@@ -8226,8 +8715,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.1
+ This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.
@@ -8242,6 +8731,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDeveloperToolsLowestValueMostSecure
@@ -8251,8 +8743,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.0
+ This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.
@@ -8266,6 +8758,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDoNotTrackLowestValueMostSecure
@@ -8275,8 +8770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can load extensions in Microsoft Edge.1
+ This setting lets you decide whether employees can load extensions in Microsoft Edge.
@@ -8291,6 +8786,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowExtensionsLowestValueMostSecure
@@ -8300,8 +8798,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.1
+ This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
@@ -8316,6 +8814,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashHighestValueMostSecure
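Review bot: AllowFlash is tagged HighestValueMostSecure here, while the other Allow* Edge policies mapped in this patch (AllowAutofill, AllowDeveloperTools, AllowExtensions, AllowInPrivate, AllowPasswordManager and so on) are tagged LowestValueMostSecure. If the higher value is the one that lets employees run Adobe Flash, conflict resolution would settle on the more permissive setting, so please confirm the tag against the policy's value meanings or add a short comment explaining why this one differs.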
@@ -8325,8 +8826,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Configure the Adobe Flash Click-to-Run setting.1
+ Configure the Adobe Flash Click-to-Run setting.
@@ -8341,6 +8842,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashClickToRunHighestValueMostSecure
@@ -8350,8 +8854,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can browse using InPrivate website browsing.1
+ This setting lets you decide whether employees can browse using InPrivate website browsing.
@@ -8365,6 +8869,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowInPrivateLowestValueMostSecure
@@ -8374,12 +8881,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 1This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat.
If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly.
If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation.
- 1
@@ -8393,6 +8900,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowCVListLowestValueMostSecure
@@ -8402,8 +8912,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether employees can save their passwords locally, using Password Manager.1
+ This setting lets you decide whether employees can save their passwords locally, using Password Manager.
@@ -8417,6 +8927,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPasswordManagerLowestValueMostSecure
@@ -8426,8 +8939,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.0
+ This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.
@@ -8442,6 +8955,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPopupsLowestValueMostSecure
@@ -8451,13 +8967,13 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
+ 1Allow search engine customization for MDM enrolled devices. Users can change their default search engine.
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings.
If this setting is disabled, users will be unable to add search engines or change the default used in the address bar.
This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
- 1
@@ -8471,6 +8987,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchEngineCustomizationLowestValueMostSecure
@@ -8480,8 +8999,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.1
+ This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.
@@ -8495,6 +9014,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchSuggestionsinAddressBarLowestValueMostSecure
@@ -8504,8 +9026,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether to turn on Windows Defender SmartScreen.1
+ This setting lets you decide whether to turn on Windows Defender SmartScreen.
@@ -8519,6 +9041,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSmartScreenLowestValueMostSecure
@@ -8528,8 +9053,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.0
+ Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.
@@ -8543,6 +9068,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AlwaysEnableBooksLibraryLowestValueMostSecure
@@ -8552,8 +9080,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether to always clear browsing history on exiting Microsoft Edge.0
+ Specifies whether to always clear browsing history on exiting Microsoft Edge.
@@ -8568,6 +9096,9 @@ This policy will only apply on domain joined machines or when the device is MDM
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowClearingBrowsingDataOnExitLowestValueMostSecure
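Review bot: the LowestValueMostSecure tag added for AllowClearingBrowsingDataOnExit deserves a second look, because the description says the policy "Specifies whether to always clear browsing history on exiting Microsoft Edge." If the lower value means history is kept, a conflict between two sources resolves to not clearing, which is the less private outcome on shared devices. Please confirm the value meanings and state them in the description so the tag can be checked.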
@@ -8577,6 +9108,7 @@ This policy will only apply on domain joined machines or when the device is MDM
+ Allows you to add up to 5 additional search engines for MDM-enrolled devices.
If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default.
@@ -8584,7 +9116,6 @@ If this setting is turned on, you can add up to 5 additional search engines for
If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -8597,6 +9128,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ ConfigureAdditionalSearchEngines_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfigureAdditionalSearchEnginesLastWrite
@@ -8606,13 +9141,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect.
Note: This policy has no effect when Browser/HomePages is not configured.
Important
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- 0
@@ -8627,6 +9162,36 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ DisableLockdownOfStartPages
+ LowestValueMostSecure
+
+
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+ 0
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnableExtendedBooksTelemetryLowestValueMostSecure
@@ -8636,8 +9201,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
+ This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
@@ -8651,6 +9216,10 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
text/plainphone
+ MicrosoftEdge.admx
+ EnterSiteListPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnterpriseModeSiteListLastWrite
@@ -8660,8 +9229,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
-
+
@@ -8684,8 +9253,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- Configure first run URL.
+ Configure first run URL.
@@ -8708,13 +9277,13 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+ Configure the Start page URLs for your employees.
Example:
If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support.
Encapsulate each string with greater than and less than characters like any other XML tag.
Version 1703 or later: If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL.
-
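Review bot: the Start page example in this description is hard to follow. It says "allow contoso.com and fabrikam.com" but then configures contoso.com/support and fabrikam.com/support, and it describes the delimiter in words ("greater than and less than characters") instead of showing it. Please show one literal, escaped value, for example "&lt;contoso.com/support&gt;&lt;fabrikam.com/support&gt;", and do the same for the about:blank case, so admins do not have to guess the exact string format.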
@@ -8728,6 +9297,10 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
text/plainphone
+ MicrosoftEdge.admx
+ HomePagesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HomePagesLastWrite
@@ -8737,6 +9310,7 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
+ 0This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
@@ -8745,7 +9319,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
- 0
@@ -8759,6 +9332,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ LockdownFavoritesLowestValueMostSecure
@@ -8768,8 +9344,8 @@ If you disable or don't configure this setting (default), employees can add, imp
- Prevent access to the about:flags page in Microsoft Edge.0
+ Prevent access to the about:flags page in Microsoft Edge.
@@ -8783,6 +9359,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventAccessToAboutFlagsInMicrosoftEdgeHighestValueMostSecure
@@ -8792,10 +9371,10 @@ If you disable or don't configure this setting (default), employees can add, imp
+ 0Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -8810,6 +9389,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventFirstRunPageHighestValueMostSecure
@@ -8819,10 +9401,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -8836,6 +9418,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventLiveTileDataCollectionHighestValueMostSecure
@@ -8845,8 +9430,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides0
+ Don't allow Windows Defender SmartScreen warning overrides
@@ -8860,6 +9445,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideHighestValueMostSecure
@@ -8869,8 +9457,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides for unverified files.0
+ Don't allow Windows Defender SmartScreen warning overrides for unverified files.
@@ -8884,6 +9472,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideForFiles
+ HighestValueMostSecure
+
+
+
+ PreventTabPreloading
+
+
+
+
+ 0
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventTabPreloadingHighestValueMostSecure
@@ -8893,8 +9512,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Prevent using localhost IP address for WebRTC0
+ Prevent using localhost IP address for WebRTC
@@ -8908,6 +9527,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HideLocalHostIPAddressHighestValueMostSecure
@@ -8917,6 +9539,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites.
If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.
@@ -8925,7 +9548,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
-
@@ -8938,6 +9560,10 @@ If you disable or don't configure this setting, employees will see the favorites
text/plain
+ MicrosoftEdge.admx
+ ConfiguredFavoritesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfiguredFavoritesLastWrite
@@ -8947,8 +9573,8 @@ If you disable or don't configure this setting, employees will see the favorites
- Sends all intranet traffic over to Internet Explorer.0
+ Sends all intranet traffic over to Internet Explorer.
@@ -8963,6 +9589,9 @@ If you disable or don't configure this setting, employees will see the favorites
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SendIntranetTraffictoInternetExplorerHighestValueMostSecure
@@ -8972,6 +9601,7 @@ If you disable or don't configure this setting, employees will see the favorites
+ Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine.
If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING.
@@ -8979,7 +9609,6 @@ If this setting is turned on, you are setting the default search engine that you
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -8992,6 +9621,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ SetDefaultSearchEngine_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SetDefaultSearchEngineLastWrite
@@ -9001,8 +9634,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Show message when opening sites in Internet Explorer0
+ Show message when opening sites in Internet Explorer
@@ -9017,6 +9650,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ShowMessageWhenOpeningSitesInInternetExplorerHighestValueMostSecure
@@ -9026,8 +9662,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.0
+ Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
@@ -9042,6 +9678,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SyncFavoritesBetweenIEAndMicrosoftEdge
+ LowestValueMostSecure
+
+
+
+ UseSharedFolderForBooks
+
+
+
+
+ 0
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ UseSharedFolderForBooksLowestValueMostSecure
@@ -9071,8 +9737,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9118,8 +9784,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9140,6 +9806,55 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ Display
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Display.admx
+ DisplayGlobalPerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LowestValueMostSecure
+
+
+ Education
@@ -9165,8 +9880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy sets user's default printer
+ This policy sets user's default printer
@@ -9188,8 +9903,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Boolean that specifies whether or not to prevent user to install new printers0
+ Boolean that specifies whether or not to prevent user to install new printers
@@ -9203,6 +9918,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ Printing.admx
+ Printing~AT~ControlPanel~CplPrinters
+ NoAddPrinterHighestValueMostSecure
@@ -9212,8 +9930,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy provisions per-user network printers
+ This policy provisions per-user network printers
@@ -9255,8 +9973,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy provisions per-user discovery end point to discover cloud printers
+ This policy provisions per-user discovery end point to discover cloud printers
@@ -9278,8 +9996,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Authentication endpoint for acquiring OAuth tokens
+ Authentication endpoint for acquiring OAuth tokens
@@ -9301,8 +10019,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority
+ A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority
@@ -9324,8 +10042,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication
+ Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication
@@ -9347,8 +10065,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Defines the maximum number of printers that should be queried from discovery end point20
+ Defines the maximum number of printers that should be queried from discovery end point
@@ -9361,6 +10079,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LastWrite
@@ -9370,8 +10089,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication
+ Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication
@@ -9413,8 +10132,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9428,6 +10147,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableTailoredExperiencesWithDiagnosticDataLowestValueMostSecure
@@ -9437,33 +10159,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- LowestValueMostSecure
-
-
-
- AllowWindowsConsumerFeatures
-
-
-
-
- 0
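Review bot: this hunk removes the lines for a node named AllowWindowsConsumerFeatures (default 0) together with the tail of the preceding node, and nothing in the neighbouring hunks shown here re-adds that name. If the policy is being dropped from this scope on purpose, please say so in the commit message or a changelog entry so admins who deploy it know it is no longer listed; if it was only moved, point to where it now lives.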
@@ -9478,6 +10175,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableThirdPartySuggestionsLowestValueMostSecure
@@ -9487,8 +10187,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9503,6 +10203,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightFeaturesLowestValueMostSecure
@@ -9512,8 +10215,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9527,6 +10230,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightOnActionCenter
+ LowestValueMostSecure
+
+
+
+ AllowWindowsSpotlightOnSettings
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightOnSettingsLowestValueMostSecure
@@ -9536,8 +10269,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9551,6 +10284,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightWindowsWelcomeExperienceLowestValueMostSecure
@@ -9560,8 +10296,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -9574,7 +10310,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ ConfigureWindowsSpotlightLowestValueMostSecure
@@ -9604,8 +10344,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
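Review bot: The removed and added lines in this hunk show no visible difference, and the same one-line-out, one-line-in pattern repeats across the long run of hunks that follows. If these are whitespace or formatting-only changes, split them into their own commit so the functional additions in this patch (the new KioskBrowser and WindowsPowerShell nodes, the ADMX mappings) can be reviewed without the churn around them.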
@@ -9631,8 +10371,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9658,8 +10398,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9685,8 +10425,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9712,8 +10452,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9739,8 +10479,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9766,8 +10506,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9793,8 +10533,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9820,8 +10560,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9847,8 +10587,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9874,8 +10614,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9901,8 +10641,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9928,8 +10668,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9955,8 +10695,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9982,8 +10722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10009,8 +10749,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10036,8 +10776,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10063,8 +10803,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10090,8 +10830,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10117,8 +10857,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10144,8 +10884,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10171,8 +10911,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10198,8 +10938,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10225,8 +10965,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10252,8 +10992,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10279,8 +11019,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10306,8 +11046,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10333,8 +11073,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10349,8 +11089,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phoneinetres.admx
- inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction
- IESF_PolicyExplorerProcesses_2
+ inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling
+ IESF_PolicyExplorerProcesses_5LastWrite
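Review bot: The ADMX mapping here changes in place from IESF_CategoryBinaryBehaviorSecurityRestriction / IESF_PolicyExplorerProcesses_2 to IESF_CategoryConsistentMimeHandling / IESF_PolicyExplorerProcesses_5, and the hunk does not show which policy node owns it. Please confirm this is a side effect of a node being inserted earlier in the file and not a remapping of an existing node, because a remap would make an already-deployed setting drive a different Internet Explorer security feature.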
@@ -10360,8 +11100,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10387,8 +11127,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10414,8 +11154,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10441,8 +11181,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10468,8 +11208,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10495,8 +11235,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10522,8 +11262,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10549,8 +11289,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10576,8 +11316,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10603,8 +11343,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10630,8 +11370,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10657,8 +11397,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10684,8 +11424,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10711,8 +11451,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10738,8 +11478,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10765,8 +11505,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10792,8 +11532,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10819,8 +11559,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10846,8 +11586,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10873,8 +11613,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10900,8 +11640,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10927,8 +11667,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10954,8 +11694,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10981,8 +11721,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11008,8 +11748,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11035,8 +11775,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11062,8 +11802,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11089,8 +11829,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11116,8 +11856,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11143,8 +11883,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11170,8 +11910,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11197,8 +11937,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11224,8 +11964,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11251,8 +11991,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11278,8 +12018,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11305,8 +12045,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11332,8 +12072,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11359,8 +12099,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11386,8 +12126,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11413,8 +12153,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11440,8 +12180,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11461,14 +12201,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone
+ IZ_PolicyAllowVBScript_1
+ LastWrite
+
+ InternetZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -11494,8 +12261,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11521,8 +12288,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11548,8 +12315,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11575,8 +12342,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11602,8 +12369,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11629,8 +12396,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11656,8 +12423,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11683,8 +12450,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11710,8 +12477,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11737,8 +12504,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11764,8 +12531,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11791,8 +12558,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11818,8 +12585,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11845,8 +12612,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11872,8 +12639,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11899,8 +12666,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11926,8 +12693,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11953,8 +12720,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11980,8 +12747,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12007,8 +12774,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12034,8 +12801,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12061,8 +12828,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12088,8 +12855,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12115,8 +12882,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12142,8 +12909,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12169,8 +12936,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12196,8 +12963,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12223,8 +12990,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12250,8 +13017,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12277,8 +13044,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12304,8 +13071,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12331,8 +13098,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12358,8 +13125,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12385,8 +13152,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12412,8 +13179,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12439,8 +13206,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12466,8 +13233,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12493,8 +13260,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12520,8 +13287,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12547,8 +13314,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12574,8 +13341,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12601,8 +13368,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12628,8 +13395,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12655,8 +13422,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12682,8 +13449,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12709,8 +13476,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12736,8 +13503,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12763,8 +13530,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12790,8 +13557,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12817,8 +13584,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12844,8 +13611,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12871,8 +13638,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12898,8 +13665,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12925,8 +13692,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12946,14 +13713,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown
+ IZ_PolicyJavaPermissions_4
+ LastWrite
+
+ LockedDownIntranetZoneAllowAccessToDataSources
-
+
@@ -12979,8 +13773,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13006,8 +13800,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13033,8 +13827,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13060,8 +13854,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13087,8 +13881,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13114,8 +13908,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13141,8 +13935,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13168,8 +13962,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13195,8 +13989,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13222,8 +14016,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13249,8 +14043,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13276,8 +14070,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13303,8 +14097,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13330,8 +14124,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13357,8 +14151,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13384,8 +14178,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13411,8 +14205,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13438,8 +14232,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13465,8 +14259,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13492,8 +14286,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13519,8 +14313,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13546,8 +14340,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13573,8 +14367,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13600,8 +14394,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13627,8 +14421,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13654,8 +14448,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13681,8 +14475,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13708,8 +14502,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13735,8 +14529,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13762,8 +14556,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13789,8 +14583,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13816,8 +14610,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13843,8 +14637,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13870,8 +14664,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13897,8 +14691,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13924,8 +14718,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13951,8 +14745,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13978,8 +14772,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14005,8 +14799,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14032,8 +14826,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14059,8 +14853,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14086,8 +14880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14113,8 +14907,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14140,8 +14934,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14167,8 +14961,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14194,8 +14988,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14221,8 +15015,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14248,8 +15042,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14275,8 +15069,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14302,8 +15096,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14329,8 +15123,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14356,8 +15150,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14383,8 +15177,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14410,8 +15204,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14437,8 +15231,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14464,8 +15258,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14491,8 +15285,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14518,8 +15312,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14545,8 +15339,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14572,8 +15366,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14599,8 +15393,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14626,8 +15420,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14653,8 +15447,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14680,8 +15474,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14707,8 +15501,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14734,8 +15528,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14761,8 +15555,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14788,8 +15582,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14815,8 +15609,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14842,8 +15636,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14869,8 +15663,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14896,8 +15690,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14923,8 +15717,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14950,8 +15744,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14977,8 +15771,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14998,14 +15792,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone
+ IZ_PolicyAllowVBScript_7
+ LastWrite
+
+ RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -15031,8 +15852,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15058,8 +15879,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15085,8 +15906,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15112,8 +15933,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15139,8 +15960,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15166,8 +15987,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15193,8 +16014,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15220,8 +16041,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15247,8 +16068,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15274,8 +16095,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15301,8 +16122,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15328,8 +16149,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15355,8 +16176,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15382,8 +16203,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15409,8 +16230,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15436,8 +16257,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15463,8 +16284,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15490,8 +16311,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15517,8 +16338,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15544,8 +16365,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15571,8 +16392,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15598,8 +16419,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15625,8 +16446,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15652,8 +16473,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15679,8 +16500,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15706,8 +16527,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15733,8 +16554,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15760,8 +16581,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15787,8 +16608,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15814,8 +16635,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15841,8 +16662,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15868,8 +16689,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15895,8 +16716,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15922,8 +16743,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15949,8 +16770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15976,8 +16797,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15998,6 +16819,173 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ BlockedUrls
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ DefaultURL
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ EnableHomeButton
+
+
+
+
+ 0
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ EnableNavigationButtons
+
+
+
+
+ 0
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ RestartOnIdleTime
+
+
+
+
+ 0
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+ Notifications
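Review bot: The KioskBrowser descriptions leave two behaviours undefined. RestartOnIdleTime carries 0 but its description, "Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state", does not say whether 0 disables the restart, which matters on a shared kiosk where the restart is what clears the previous session. BlockedUrls and BlockedUrlExceptions both say "with wildcard support" without giving the pattern syntax or stating that an exception takes precedence over a block. Please spell both out. Smaller wording fixes: "Configures the default URL kiosk browsers to navigate on launch and restart" is missing "to" after "navigate", and "can not" should be "cannot".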
@@ -16023,8 +17011,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -16038,6 +17026,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ WPN.admx
+ WPN~AT~StartMenu~NotificationsCategory
+ NoNotificationMirroringLowestValueMostSecure
@@ -16067,8 +17058,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16114,8 +17105,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -16128,6 +17119,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ Taskbar.admx
+ Taskbar~AT~StartMenu~TPMCategory
+ ConfigureTaskbarCalendarLastWrite
@@ -16152,13 +17147,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- HidePeopleBar
+ DisableContextMenus
- Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.0
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
@@ -16173,6 +17168,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ DisableContextMenusInStart
+ LowestValueMostSecure
+
+
+
+ HidePeopleBar
+
+
+
+
+ 0
+ Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ HidePeopleBarLowestValueMostSecure
@@ -16182,8 +17208,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16197,6 +17223,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ LockedStartLayoutLastWrite
@@ -16226,8 +17255,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 3
+
@@ -16240,10 +17269,62 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ DataCollection.admx
+ AllowTelemetry
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowTelemetryLowestValueMostSecure
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ PowerShellExecutionPolicy.admx
+ PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell
+ EnableScriptBlockLogging
+ LastWrite
+
+
+
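Review bot: TurnOnPowerShellScriptBlockLogging is added with LastWrite and no description text. Script block logging is an audit control, so please confirm last-writer-wins is the intended conflict resolution for it, since a later writer that disables the policy would win, and add a description of what the node accepts. The node name also differs from the mapped ADMX policy, EnableScriptBlockLogging. Stating that relation in the description would make the two easier to correlate when auditing a device.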
@@ -16263,7 +17344,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- com.microsoft/6.0/MDM/Policy
+ com.microsoft/7.0/MDM/Policy
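Review bot: The type string moves from 6.0 to 7.0 with nothing alongside it saying what changed between the two versions. This patch both adds nodes (KioskBrowser, WindowsPowerShell) and removes one (AllowFidoDeviceSignon), so list the additions and removals next to the bump so that consumers keyed on com.microsoft/7.0/MDM/Policy know which nodes to expect.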
@@ -16271,8 +17352,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Policy CSP ConfigOperations
@@ -16293,8 +17374,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Win32 App ADMX Ingestion
@@ -16315,8 +17396,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Win32 App Name
@@ -16337,8 +17418,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Setting Type of Win32 App. Policy Or Preference
@@ -16359,8 +17440,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+ Unique ID of ADMX file
@@ -16386,8 +17467,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16407,8 +17488,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16501,8 +17582,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16619,8 +17700,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16665,8 +17746,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16705,14 +17786,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ EnableAppUriHandlers
+
+
+
+
+
+
+
+ Enables web-to-app linking, which allows apps to be launched with a http(s) URI
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ ApplicationManagement
-
+
@@ -16968,13 +18073,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AppRuntime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowMicrosoftAccountsToBeOptional
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ AppVirtualization
-
+
@@ -17667,8 +18818,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17731,30 +18882,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
- AllowFidoDeviceSignon
-
-
-
-
-
-
-
- Specifies whether FIDO device can be used to sign on.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- AllowSecondaryAuthenticationDevice
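Review bot: AllowFidoDeviceSignon and its description ("Specifies whether FIDO device can be used to sign on.") are deleted here, and nothing in the hunk says whether the setting moved, was renamed or is retired. Removing a sign-in control from the DDF deserves a line in the change notes so that admins whose profiles still set it know what to expect. The last removed line also names AllowSecondaryAuthenticationDevice; confirm that node is still defined after this change.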
@@ -17785,8 +18912,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17879,8 +19006,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17925,8 +19052,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -18013,6 +19140,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowPromptedProximalConnections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LocalDeviceName
@@ -18067,8 +19218,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -18155,6 +19306,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowConfigurationUpdateForBooksLibrary
+
+
+
+
+
+
+
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowCookies
@@ -18583,6 +19758,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+
+
+
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EnterpriseModeSiteList
@@ -18839,6 +20038,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ PreventTabPreloading
+
+
+
+
+
+
+
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventUsingLocalHostIPAddressForWebRTC
@@ -18996,14 +20219,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ UseSharedFolderForBooks
+
+
+
+
+
+
+
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Camera
-
+
@@ -19048,8 +20295,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19121,7 +20368,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19145,7 +20392,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19190,8 +20437,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19326,6 +20573,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowPhonePCLinking
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowUSBConnection
@@ -19544,12 +20815,56 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- CredentialProviders
+ ControlPolicyConflict
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MDMWinsOverGP
+
+
+
+
+
+
+ If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ CredentialProviders
+
+
+
+
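Review bot: the MDMWinsOverGP description covers only the value 1 and is hard to parse ("any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC"). Say what the other value and the default do, and reword along the lines of "If set to 1, for any policy set through MDM that has an equivalent GP policy, the GP service blocks setting that policy through the GP MMC." This node decides which management channel wins a conflict, so the description should leave no room for doubt.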
@@ -19637,13 +20952,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ CredentialsDelegation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RemoteHostAllowsDelegationOfNonExportableCredentials
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ CredentialsUI
-
+
@@ -19712,8 +21073,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19782,8 +21143,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19852,8 +21213,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19922,8 +21283,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -20784,8 +22145,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -20849,7 +22210,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- DOCacheHost
+ DODelayBackgroundDownloadFromHttp
@@ -20859,7 +22220,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DODelayForegroundDownloadFromHttp
+
+
+
+
+
+
+
+
+
+
@@ -20920,6 +22305,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOGroupIdSource
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DOMaxCacheAge
@@ -21184,6 +22593,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOPercentageMaxBackgroundBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DOPercentageMaxDownloadBandwidth
@@ -21208,14 +22641,110 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOPercentageMaxForegroundBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DORestrictPeerSelectionBy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DOSetHoursToLimitBackgroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DOSetHoursToLimitForegroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeviceGuard
-
+
@@ -21308,8 +22837,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -21378,8 +22907,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -21758,6 +23287,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ PreventEnablingLockScreenCamera
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventLockScreenSlideShow
@@ -21812,8 +23365,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -21828,6 +23381,78 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ DisablePerProcessDpiForApps
+
+
+
+
+
+
+
+ This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnablePerProcessDpiForApps
+
+
+
+
+
+
+
+ This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ TurnOffGdiDPIScalingForApps
@@ -21882,8 +23507,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22024,8 +23649,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22142,8 +23767,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22446,6 +24071,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ AllowWindowsConsumerFeatures
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowWindowsTips
@@ -22500,8 +24149,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22541,13 +24190,83 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ FileExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOffDataExecutionPreventionForExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TurnOffHeapTerminationOnCorruption
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Games
-
+
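Review bot: TurnOffDataExecutionPreventionForExplorer and TurnOffHeapTerminationOnCorruption are added under FileExplorer with no description text in the visible lines, while other nodes added in this patch (EnableAppUriHandlers, MDMWinsOverGP) carry one. Both names describe switching a protection off, so add a description that states what enabling the policy does and which state is recommended.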
@@ -22592,8 +24311,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22638,8 +24357,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -24358,6 +26077,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ InternetZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -25678,6 +27421,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LockedDownIntranetZoneAllowAccessToDataSources
@@ -27502,6 +29269,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -28055,7 +29846,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- SecurityZonesUseOnlyMachineSettings
+ SecurityZonesUseOnlyMachineSettings
@@ -28420,8 +30211,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -28557,13 +30348,179 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BlockedUrls
+
+
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultURL
+
+
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableHomeButton
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableNavigationButtons
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestartOnIdleTime
+
+
+
+
+
+
+
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Licensing
-
+
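Review bot: the KioskBrowser descriptions leave the list format unspecified: BlockedUrls and BlockedUrlExceptions both say "with wildcard support" but give neither the delimiter between URLs nor the wildcard syntax, and nothing says whether DefaultURL is itself checked against BlockedUrls. Please add those details, and fix the wording of DefaultURL ("Configures the default URL kiosk browsers to navigate on launch and restart" is missing a "to") and "can not" in BlockedUrls.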
@@ -28632,8 +30589,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -28958,6 +30915,225 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
+
+ DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+
+
+
+
+
+ Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+
+
+
+
+
+ Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+
+
+
+
+
+ Domain member: Digitally sign secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
+
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DisableMachineAccountPasswordChanges
+
+
+
+
+
+
+
+ Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_MaximumMachineAccountPasswordAge
+
+
+
+
+
+
+
+ Domain member: Maximum machine account password age
+
+This security setting determines how often a domain member will attempt to change its computer account password.
+
+Default: 30 days.
+
+Important
+
+This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_RequireStrongSessionKey
+
+
+
+
+
+
+
+ Domain member: Require strong (Windows 2000 or later) session key
+
+This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
+
+Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+Domain member: Digitally encrypt secure channel data (when possible)
+Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
+
+If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
+
+Default: Enabled.
+
+Important
+
+In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
+In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
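Review bot: in the Notes of DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways, the sentence beginning "If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting" appears twice in a row; delete the repeat or replace it with the note that was meant to be there. In DomainMember_RequireStrongSessionKey, the sentence starting "Depending on what version of Windows is running on the domain controller" is split by the two-item policy list and resumes at "Some or all of the information" with no separation, so add a blank line after the list or rewrite it as one sentence.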
@@ -29164,6 +31340,404 @@ Default: No message.
+
+ InteractiveLogon_SmartCardRemovalBehavior
+
+
+
+
+
+
+
+ Interactive logon: Smart card removal behavior
+
+This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+
+The options are:
+
+ No Action
+ Lock Workstation
+ Force Logoff
+ Disconnect if a Remote Desktop Services session
+
+If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
+
+If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
+
+If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+
+Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+Default: This policy is not defined, which means that the system treats it as No action.
+
+On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsAlways
+
+
+
+
+
+
+
+ Microsoft network client: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB client component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+
+Default: Disabled.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
+
+
+
+
+
+
+
+ Microsoft network client: Digitally sign communications (if server agrees)
+
+This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
+
+If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+
+
+
+
+
+
+ Microsoft network client: Send unencrypted password to connect to third-party SMB servers
+
+If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
+
+Sending unencrypted passwords is a security risk.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+
+
+
+
+
+ Microsoft network server: Amount of idle time required before suspending a session
+
+This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
+
+Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
+
+For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
+
+Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsAlways
+
+
+
+
+
+
+
+ Microsoft network server: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB server component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
+
+If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+
+Default:
+
+Disabled for member servers.
+Enabled for domain controllers.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:
+Microsoft network server: Digitally sign communications (if server agrees)
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
+HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
+
+
+
+
+
+
+
+ Microsoft network server: Digitally sign communications (if client agrees)
+
+This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
+
+If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled on domain controllers only.
+
+Important
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
+
+
+
+
+
+
+
+ Network access: Do not allow anonymous enumeration of SAM accounts
+
+This security setting determines what additional permissions will be granted for anonymous connections to the computer.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
+
+This security option allows additional restrictions to be placed on anonymous connections as follows:
+
+Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
+Disabled: No additional restrictions. Rely on default permissions.
+
+Default on workstations: Enabled.
+Default on server:Enabled.
+
+Important
+
+This policy has no impact on domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
+
+
+
+
+
+
+
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+
+This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
+
+
+
+
+
+
+
+ Network access: Restrict anonymous access to Named Pipes and Shares
+
+When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
+
+Network access: Named pipes that can be accessed anonymously
+Network access: Shares that can be accessed anonymously
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
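Review bot: The Important note just ahead of MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees tells the reader to set "Microsoft network server: Digitally sign communications (if server agrees)", but no setting of that name is among the four listed in the Notes above it; the server-side one is "(if client agrees)". Please correct the name so administrators enable the right policy. In the same hunk, the "(if client agrees)" description ends with "If this policy is disabled, the SMB client will never negotiate SMB packet signing", which reads as if it should say SMB server, since this is the server-side setting. The first Notes block also opens a sentence with "Similarly" with nothing before it to compare against, and "Default on server:Enabled." is missing a space.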
@@ -29220,6 +31794,161 @@ This policy will be turned off by default on domain joined machines. This would
+
+ NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
+
+
+
+
+
+
+
+ Network security: Do not store LAN Manager hash value on next password change
+
+This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
+
+
+Default on Windows Vista and above: Enabled
+Default on Windows XP: Disabled.
+
+Important
+
+Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_LANManagerAuthenticationLevel
+
+
+
+
+
+
+
+ Network security LAN Manager authentication level
+
+This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
+
+Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
+
+Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+
+Important
+
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.
+
+Default:
+
+Windows 2000 and windows XP: send LM and NTLM responses
+
+Windows Server 2003: Send NTLM response only
+
+Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
+
+
+
+
+
+
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+
+This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
+Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+
+
+
+
+
+
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+
+This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
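Review bot: The two "Minimum session security for NTLM SSP based" descriptions disagree on what "Require NTLMv2 session security" enforces: the clients text says the connection fails "if NTLMv2 protocol is not negotiated", while the servers text says it fails "if message integrity is not negotiated". Please state the same condition in both, or explain why they differ. Smaller points in this hunk: the title "Network security LAN Manager authentication level" lacks the colon its sibling titles have, "windows XP" should be capitalized, the servers text writes "Require 128-bit encryption." with a period where the clients text uses a colon, and the default lists stop at Windows 7 and Windows Server 2008 R2, so a reader cannot tell what applies to later releases.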
@@ -29624,8 +32353,8 @@ The options are:
-
+
@@ -29670,8 +32399,8 @@ The options are:
-
+
@@ -29716,8 +32445,8 @@ The options are:
-
+
@@ -29786,8 +32515,8 @@ The options are:
-
+
@@ -29875,13 +32604,273 @@ The options are:
+
+ MSSecurityGuide
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureSMBV1ClientDriver
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureSMBV1Server
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableStructuredExceptionHandlingOverwriteProtection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ WDigestAuthentication
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ MSSLegacy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPSourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPv6SourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ NetworkIsolation
-
+
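Review bot: Every setting added under MSSecurityGuide and MSSLegacy (for example ConfigureSMBV1Server, WDigestAuthentication and IPSourceRoutingProtectionLevel) arrives with no description text, while the Network access and Network security entries added earlier in this patch carry full explanations. These are security-relevant switches, so please add at least a one-line description and the meaning of each value, or a pointer to where that is documented.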
@@ -30090,12 +33079,12 @@ The options are:
- Power
+ Notifications
-
+
@@ -30110,6 +33099,76 @@ The options are:
+
+ DisallowCloudNotification
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Power
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowStandbyStatesWhenSleepingOnBattery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowStandbyWhenSleepingPluggedIn
@@ -30332,8 +33391,8 @@ The options are:
-
+
@@ -30402,8 +33461,8 @@ The options are:
-
+
@@ -30835,7 +33894,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30859,7 +33918,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30883,7 +33942,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30931,7 +33990,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -30955,7 +34014,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -30979,7 +34038,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31027,7 +34086,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31051,7 +34110,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31075,7 +34134,103 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput
+
+
+
+
+
+
+
+ This policy setting specifies whether Windows apps can access the eye tracker.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_ForceAllowTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_ForceDenyTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_UserInControlOfTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
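Review bot: The three new LetAppsAccessGazeInput_* descriptions still say "Windows Store Apps", while the surrounding hunks change the same sentence to "Microsoft Store Apps" for camera, contacts, email and the other per-app lists. Please use "Microsoft Store Apps" in the ForceAllowTheseApps, ForceDenyTheseApps and UserInControlOfTheseApps text so the new entries do not reintroduce the old name.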
@@ -31123,7 +34278,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31147,7 +34302,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31171,7 +34326,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31219,7 +34374,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31243,7 +34398,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31267,7 +34422,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31315,7 +34470,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31339,7 +34494,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31363,7 +34518,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31411,7 +34566,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31435,7 +34590,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31459,7 +34614,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31507,7 +34662,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31531,7 +34686,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31555,7 +34710,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31603,7 +34758,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31627,7 +34782,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31651,7 +34806,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31699,7 +34854,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31723,7 +34878,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31747,7 +34902,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31795,7 +34950,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31819,7 +34974,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31843,7 +34998,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31891,7 +35046,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -31915,7 +35070,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -31939,7 +35094,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -32179,7 +35334,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32203,7 +35358,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32227,7 +35382,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32266,14 +35421,38 @@ The options are:
+
+ UploadUserActivities
+
+
+
+
+
+
+
+ Allows ActivityFeed to upload published 'User Activities'.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ RemoteAssistance
-
+
@@ -32390,8 +35569,8 @@ The options are:
-
+
@@ -32556,8 +35735,8 @@ The options are:
-
+
@@ -32938,8 +36117,8 @@ The options are:
-
+
@@ -33008,8 +36187,8 @@ The options are:
-
+
@@ -33193,13 +36372,60 @@ The options are:
+
+ RestrictedGroups
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureGroupMembership
+
+
+
+
+
+
+
+ This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Search
-
+
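Review bot: The ConfigureGroupMembership description states the removal behaviour three times (the "When a Restricted Groups Policy is enforced" sentence, the "Any members that are not specified in the policy are removed" sentence, and the Caution), while the most destructive case, "An empty Members list means that the restricted group has no members", is buried at the very end. Suggest collapsing the repeats into one statement and moving the empty-list consequence into the Caution's first sentence, since an empty list applied to Administrators removes every member, including the default ones the Caution mentions.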
@@ -33238,6 +36464,30 @@ The options are:
+
+ AllowCortanaInAAD
+
+
+
+
+
+
+
+ This features allows you to show the cortana opt-in page during Windows Setup
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowIndexingEncryptedStoresOrItems
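Review bot: The AllowCortanaInAAD description has a grammar slip and an uncapitalised product name: "This features allows you to show the cortana opt-in page during Windows Setup". Suggest "This feature allows you to show the Cortana opt-in page during Windows Setup." and, since the node name refers to AAD, say in the description which accounts or devices the setting applies to.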
@@ -33430,6 +36680,30 @@ The options are:
+
+ DoNotUseWebResults
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventIndexingLowDiskSpaceMB
@@ -33508,8 +36782,8 @@ The options are:
-
+
@@ -33644,6 +36918,30 @@ The options are:
+
+ ConfigureWindowsPasswords
+
+
+
+
+
+
+
+ Configures the use of passwords for Windows features
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
@@ -33746,8 +37044,8 @@ The options are:
-
+
@@ -34080,8 +37378,8 @@ The options are:
-
+
@@ -34174,8 +37472,8 @@ The options are:
-
+
@@ -34220,8 +37518,8 @@ The options are:
-
+
@@ -34476,6 +37774,30 @@ The options are:
+
+ DisableContextMenus
+
+
+
+
+
+
+
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ ForceStartSize
@@ -34914,8 +38236,8 @@ The options are:
-
+
@@ -34984,8 +38306,8 @@ The options are:
-
+
@@ -35216,6 +38538,54 @@ The options are:
+
+ ConfigureTelemetryOptInChangeNotification
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureTelemetryOptInSettingsUx
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DisableEnterpriseAuthProxy
@@ -35249,7 +38619,7 @@ The options are:
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
@@ -35321,7 +38691,7 @@ The options are:
- This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced) When you configure these policy settings, a Basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: https://go.microsoft.com/fwlink/?linkid=847594. Enabling Enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional Enhanced level telemetry data. This setting has no effect on computers configured to send Full, Basic or Security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy.
+ This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting.
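Review bot: The documentation link in the rewritten description changed from "https://go.microsoft.com/fwlink/?linkid=847594" to "https://go.Microsoft.com/fwlink/?linked=847594". The query parameter is now "linked" instead of "linkid", which looks like an autocorrect and will likely break the redirect; restore the original URL. There is also a missing space in "level 2 (Enhanced).If you configure".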
@@ -35362,12 +38732,12 @@ The options are:
- TextInput
+ SystemServices
-
+
@@ -35382,6 +38752,242 @@ The options are:
+
+ ConfigureHomeGroupListenerServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureHomeGroupProviderServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxAccessoryManagementServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveAuthManagerServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveGameSaveServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveNetworkingServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ TaskScheduler
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableXboxGameSaveTask
+
+
+
+
+
+
+
+ This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ TextInput
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowHardwareKeyboardTextSuggestions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ AllowIMELogging
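Review bot: All six new SystemServices descriptions spell the first start type as "Automaic(2)"; this should read "Automatic(2)". Since the same sentence is copied for the HomeGroup and Xbox service nodes, fix it in every copy, and consider adding the word "or" before "Disabled(4)" so the list of allowed values reads as a complete sentence.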
@@ -35598,6 +39204,54 @@ The options are:
+
+ AllowLinguisticDataCollection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableTouchKeyboardAutoInvokeInDesktopMode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ ExcludeJapaneseIMEExceptJIS0208
@@ -35670,14 +39324,206 @@ The options are:
+
+ ForceTouchKeyboardDockedState
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardDictationButtonAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardEmojiButtonAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardFullModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardHandwritingModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardNarrowModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardSplitModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardWideModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ TimeLanguageSettings
-
+
@@ -35722,8 +39568,8 @@ The options are:
-
+
@@ -36026,6 +39872,30 @@ The options are:
+
+ ConfigureFeatureUpdateUninstallPeriod
+
+
+
+
+
+
+
+ Enable enterprises/IT admin to configure feature update uninstall period
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeferFeatureUpdatesPeriodInDays
@@ -36867,13 +40737,735 @@ The options are:
+
+ UserRights
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccessCredentialManagerAsTrustedCaller
+
+
+
+
+
+
+
+ This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccessFromNetwork
+
+
+
+
+
+
+
+ This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ActAsPartOfTheOperatingSystem
+
+
+
+
+
+
+
+ This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalLogOn
+
+
+
+
+
+
+
+ This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BackupFilesAndDirectories
+
+
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ChangeSystemTime
+
+
+
+
+
+
+
+ This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateGlobalObjects
+
+
+
+
+
+
+
+ This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreatePageFile
+
+
+
+
+
+
+
+ This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreatePermanentSharedObjects
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateSymbolicLinks
+
+
+
+
+
+
+
+ This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateToken
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DebugPrograms
+
+
+
+
+
+
+
+ This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyAccessFromNetwork
+
+
+
+
+
+
+
+ This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyLocalLogOn
+
+
+
+
+
+
+
+ This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyRemoteDesktopServicesLogOn
+
+
+
+
+
+
+
+ This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableDelegation
+
+
+
+
+
+
+
+ This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ GenerateSecurityAudits
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ImpersonateClient
+
+
+
+
+
+
+
+ Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+1) The access token that is being impersonated is for this user.
+2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
+3) The requested level is less than Impersonate, such as Anonymous or Identify.
+Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IncreaseSchedulingPriority
+
+
+
+
+
+
+
+ This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LoadUnloadDeviceDrivers
+
+
+
+
+
+
+
+ This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LockMemory
+
+
+
+
+
+
+
+ This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ManageAuditingAndSecurityLog
+
+
+
+
+
+
+
+ This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ManageVolume
+
+
+
+
+
+
+
+ This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ModifyFirmwareEnvironment
+
+
+
+
+
+
+
+ This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ModifyObjectLabel
+
+
+
+
+
+
+
+ This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ProfileSingleProcess
+
+
+
+
+
+
+
+ This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RemoteShutdown
+
+
+
+
+
+
+
+ This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestoreFilesAndDirectories
+
+
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TakeOwnership
+
+
+
+
+
+
+
+ This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ Wifi
-
+
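Review bot: The DenyLocalLogOn description does not match the node: it says the setting "determines which service accounts are prevented from registering a process as a service", which describes denying logon as a service rather than denying local logon. An administrator relying on this text could misjudge what the right blocks, so replace it with the local logon wording. Two smaller points in the same hunk: the last sentence of GenerateSecurityAudits ("Shut down system immediately if unable to log security audits security policy setting is enabled.") has lost its leading clause and no longer parses, and CreateSymbolicLinks reads "in conjunction a symlink filesystem setting" where "with" is missing. Several descriptions also run sentences together without a space ("user right.Note:", "Caution:Assigning", "processor.On x86-based").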
@@ -37033,13 +41625,59 @@ The options are:
+
+ WindowsConnectionManager
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ WindowsDefenderSecurityCenter
-
+
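Review bot: The new WindowsConnectionManager node is spelled "ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork"; "Prohit" looks like a typo for "Prohibit". If this is the name the platform actually exposes, it has to stay as it is, but say so in a comment so nobody "fixes" it later; otherwise correct it before it ships. The node also has no description text in this hunk, and a setting that controls connections to non-domain networks should state what is blocked when it is enabled.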
@@ -37078,6 +41716,30 @@ The options are:
+
+ DisableAccountProtectionUI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DisableAppBrowserUI
@@ -37102,6 +41764,30 @@ The options are:
+
+ DisableDeviceSecurityUI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DisableEnhancedNotifications
@@ -37342,6 +42028,78 @@ The options are:
+
+ HideRansomwareDataRecovery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HideSecureBoot
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HideTPMTroubleshooting
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Phone
@@ -37396,8 +42154,8 @@ The options are:
-
+
@@ -37466,8 +42224,8 @@ The options are:
-
+
@@ -37530,6 +42288,30 @@ The options are:
+
+ EnumerateLocalUsersOnDomainJoinedComputers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HideFastUserSwitching
@@ -37554,14 +42336,84 @@ The options are:
+
+ SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ WirelessDisplay
-
+
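Review bot: SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart and TurnOnPowerShellScriptBlockLogging are added with no description text, unlike the UserRights nodes earlier in the patch. Both are security-relevant (automatic sign-in after restart, and a logging control), so each should carry at least one sentence stating what enabling and disabling does.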
@@ -37824,8 +42676,8 @@ The options are:
- 1
+
@@ -37849,8 +42701,8 @@ The options are:
- 1
+
@@ -37864,6 +42716,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortanaAboveLockLowestValueMostSecure
@@ -37873,8 +42728,8 @@ The options are:
- 1
+
@@ -37917,8 +42772,8 @@ The options are:
- 1
+
@@ -37941,8 +42796,8 @@ The options are:
- 1
+
@@ -37965,8 +42820,8 @@ The options are:
- 1
+
@@ -37989,8 +42844,8 @@ The options are:
-
+
@@ -38032,8 +42887,8 @@ The options are:
-
+
@@ -38079,8 +42934,8 @@ The options are:
-
+
@@ -38094,9 +42949,40 @@ The options are:
text/plainphone
+ WindowsExplorer.admx
+ DefaultAssociationsConfiguration_TextBox
+ WindowsExplorer~AT~WindowsComponents~WindowsExplorer
+ DefaultAssociationsConfigurationLastWrite
+
+ EnableAppUriHandlers
+
+
+
+
+ 1
+ Enables web-to-app linking, which allows apps to be launched with a http(s) URI
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ GroupPolicy.admx
+ GroupPolicy~AT~System~PolicyPolicies
+ EnableAppUriHandlers
+ HighestValueMostSecure
+
+ ApplicationManagement
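Review bot: EnableAppUriHandlers is declared with default "1" and conflict resolution "HighestValueMostSecure", so the value that enables web-to-app linking is treated as the most secure one. The neighbouring nodes in this part of the file use LowestValueMostSecure; please confirm the direction is intended here, because with this tag a conflict between two policy sources resolves to handlers enabled. Minor: "a http(s) URI" should be "an http(s) URI".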
@@ -38123,8 +43009,8 @@ The options are:
- 65535
+
@@ -38138,6 +43024,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AppxDeploymentAllowAllTrustedAppsLowestValueMostSecure
@@ -38147,8 +43036,8 @@ The options are:
- 2
+
@@ -38161,6 +43050,10 @@ The options are:
text/plain
+
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ DisableAutoInstallLowestValueMostSecure
@@ -38170,8 +43063,8 @@ The options are:
- 65535
+
@@ -38185,6 +43078,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AllowDevelopmentWithoutDevLicenseLowestValueMostSecure
@@ -38194,8 +43090,8 @@ The options are:
- 1
+
@@ -38210,6 +43106,9 @@ The options are:
phone
+ GameDVR.admx
+ GameDVR~AT~WindowsComponents~GAMEDVR
+ AllowGameDVRLowestValueMostSecure
@@ -38219,8 +43118,8 @@ The options are:
- 0
+
@@ -38234,6 +43133,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AllowSharedLocalAppDataLowestValueMostSecure
@@ -38243,8 +43145,8 @@ The options are:
- 1
+
@@ -38268,8 +43170,8 @@ The options are:
-
+
@@ -38292,8 +43194,8 @@ The options are:
- 0
+
@@ -38307,6 +43209,9 @@ The options are:
text/plain
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ DisableStoreAppsLowestValueMostSecure
@@ -38316,8 +43221,8 @@ The options are:
- 0
+
@@ -38331,6 +43236,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ RestrictAppDataToSystemVolumeLowestValueMostSecure
@@ -38340,8 +43248,8 @@ The options are:
- 0
+
@@ -38355,10 +43263,60 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ DisableDeploymentToNonSystemVolumesLowestValueMostSecure
+
+ AppRuntime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowMicrosoftAccountsToBeOptional
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ AppXRuntime.admx
+ AppXRuntime~AT~WindowsComponents~AppXRuntime
+ AppxRuntimeMicrosoftAccountsOptional
+ LastWrite
+
+
+ AppVirtualization
@@ -38384,8 +43342,8 @@ The options are:
-
+
@@ -38411,8 +43369,8 @@ The options are:
-
+
@@ -38438,8 +43396,8 @@ The options are:
-
+
@@ -38465,8 +43423,8 @@ The options are:
-
+
@@ -38492,8 +43450,8 @@ The options are:
-
+
@@ -38519,8 +43477,8 @@ The options are:
-
+
@@ -38546,8 +43504,8 @@ The options are:
-
+
@@ -38573,8 +43531,8 @@ The options are:
-
+
@@ -38600,8 +43558,8 @@ The options are:
-
+
@@ -38627,8 +43585,8 @@ The options are:
-
+
@@ -38654,8 +43612,8 @@ The options are:
-
+
@@ -38681,8 +43639,8 @@ The options are:
-
+
@@ -38708,8 +43666,8 @@ The options are:
-
+
@@ -38735,8 +43693,8 @@ The options are:
-
+
@@ -38762,8 +43720,8 @@ The options are:
-
+
@@ -38789,8 +43747,8 @@ The options are:
-
+
@@ -38816,8 +43774,8 @@ The options are:
-
+
@@ -38843,8 +43801,8 @@ The options are:
-
+
@@ -38870,8 +43828,8 @@ The options are:
-
+
@@ -38897,8 +43855,8 @@ The options are:
-
+
@@ -38924,8 +43882,8 @@ The options are:
-
+
@@ -38951,8 +43909,8 @@ The options are:
-
+
@@ -38978,8 +43936,8 @@ The options are:
-
+
@@ -39005,8 +43963,8 @@ The options are:
-
+
@@ -39032,8 +43990,8 @@ The options are:
-
+
@@ -39059,8 +44017,8 @@ The options are:
-
+
@@ -39086,8 +44044,8 @@ The options are:
-
+
@@ -39113,8 +44071,8 @@ The options are:
-
+
@@ -39160,8 +44118,8 @@ The options are:
- Specifies whether password reset is enabled for AAD accounts.0
+ Specifies whether password reset is enabled for AAD accounts.
@@ -39185,8 +44143,8 @@ The options are:
- 1
+
@@ -39203,39 +44161,14 @@ The options are:
LowestValueMostSecure
-
- AllowFidoDeviceSignon
-
-
-
-
- Specifies whether FIDO device can be used to sign on.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- LowestValueMostSecure
-
- AllowSecondaryAuthenticationDevice
- 0
+
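Review bot: The AllowFidoDeviceSignon node (description "Specifies whether FIDO device can be used to sign on.", default 0) is deleted in this hunk, and nothing in the visible lines replaces it or marks it as deprecated. If the policy is being retired or moved under another area, state that in the commit message or the policy documentation, because any profile that still sets it will target a node this file no longer describes.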
@@ -39249,6 +44182,9 @@ The options are:
text/plain
+ DeviceCredential.admx
+ DeviceCredential~AT~WindowsComponents~MSSecondaryAuthFactorCategory
+ MSSecondaryAuthFactor_AllowSecondaryAuthenticationDeviceLowestValueMostSecure
@@ -39278,8 +44214,8 @@ The options are:
-
+
@@ -39305,8 +44241,8 @@ The options are:
-
+
@@ -39332,8 +44268,8 @@ The options are:
-
+
@@ -39379,8 +44315,8 @@ The options are:
- 6
+
@@ -39423,8 +44359,8 @@ The options are:
- 1
+
@@ -39447,8 +44383,8 @@ The options are:
- 1
+
@@ -39471,8 +44407,32 @@ The options are:
- 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LowestValueMostSecure
+
+
+
+ AllowPromptedProximalConnections
+
+
+
+
+ 1
+
@@ -39495,8 +44455,8 @@ The options are:
-
+
@@ -39518,8 +44478,8 @@ The options are:
-
+
@@ -39561,8 +44521,8 @@ The options are:
- This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.1
+ This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
@@ -39577,6 +44537,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAddressBarDropdownLowestValueMostSecure
@@ -39586,8 +44549,8 @@ The options are:
- This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.0
+ This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.
@@ -39601,6 +44564,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAutofillLowestValueMostSecure
@@ -39610,8 +44576,8 @@ The options are:
- 1
+
@@ -39630,13 +44596,13 @@ The options are:
- AllowCookies
+ AllowConfigurationUpdateForBooksLibrary
- This setting lets you configure how your company deals with cookies.
- 2
+ 1
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
@@ -39649,6 +44615,35 @@ The options are:
text/plain
+
+ LowestValueMostSecure
+
+
+
+ AllowCookies
+
+
+
+
+ 2
+ This setting lets you configure how your company deals with cookies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ CookiesListBox
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ CookiesLowestValueMostSecure
@@ -39658,8 +44653,8 @@ The options are:
- This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.1
+ This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.
@@ -39674,6 +44669,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDeveloperToolsLowestValueMostSecure
@@ -39683,8 +44681,8 @@ The options are:
- This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.0
+ This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.
@@ -39698,6 +44696,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDoNotTrackLowestValueMostSecure
@@ -39707,8 +44708,8 @@ The options are:
- This setting lets you decide whether employees can load extensions in Microsoft Edge.1
+ This setting lets you decide whether employees can load extensions in Microsoft Edge.
@@ -39723,6 +44724,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowExtensionsLowestValueMostSecure
@@ -39732,8 +44736,8 @@ The options are:
- This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.1
+ This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
@@ -39748,6 +44752,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashHighestValueMostSecure
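Review bot: AllowFlash is tagged HighestValueMostSecure here, while the other Allow* Edge settings this patch annotates (AllowExtensions, AllowDeveloperTools, AllowPasswordManager, AllowPopups) are tagged LowestValueMostSecure. The preceding hunk shows an old default of 1 for "whether employees can run Adobe Flash"; if 1 means Flash is permitted, highest-wins conflict resolution settles on the permissive value. Please confirm the value semantics and switch the tag to LowestValueMostSecure if 0 is the blocking value.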
@@ -39757,8 +44764,8 @@ The options are:
- Configure the Adobe Flash Click-to-Run setting.1
+ Configure the Adobe Flash Click-to-Run setting.
@@ -39773,6 +44780,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashClickToRunHighestValueMostSecure
@@ -39782,8 +44792,8 @@ The options are:
- This setting lets you decide whether employees can browse using InPrivate website browsing.1
+ This setting lets you decide whether employees can browse using InPrivate website browsing.
@@ -39797,6 +44807,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowInPrivateLowestValueMostSecure
@@ -39806,12 +44819,12 @@ The options are:
+ 1This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat.
If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly.
If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation.
- 1
@@ -39825,6 +44838,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowCVListLowestValueMostSecure
@@ -39834,8 +44850,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether employees can save their passwords locally, using Password Manager.1
+ This setting lets you decide whether employees can save their passwords locally, using Password Manager.
@@ -39849,6 +44865,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPasswordManagerLowestValueMostSecure
@@ -39858,8 +44877,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.0
+ This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.
@@ -39874,6 +44893,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPopupsLowestValueMostSecure
@@ -39883,13 +44905,13 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
+ 1Allow search engine customization for MDM enrolled devices. Users can change their default search engine.
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings.
If this setting is disabled, users will be unable to add search engines or change the default used in the address bar.
This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
- 1
@@ -39903,6 +44925,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchEngineCustomizationLowestValueMostSecure
@@ -39912,8 +44937,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.1
+ This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.
@@ -39927,6 +44952,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchSuggestionsinAddressBarLowestValueMostSecure
@@ -39936,8 +44964,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether to turn on Windows Defender SmartScreen.1
+ This setting lets you decide whether to turn on Windows Defender SmartScreen.
@@ -39951,6 +44979,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSmartScreenLowestValueMostSecure
@@ -39960,8 +44991,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.0
+ Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.
@@ -39975,6 +45006,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AlwaysEnableBooksLibraryLowestValueMostSecure
@@ -39984,8 +45018,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether to always clear browsing history on exiting Microsoft Edge.0
+ Specifies whether to always clear browsing history on exiting Microsoft Edge.
@@ -40000,6 +45034,9 @@ This policy will only apply on domain joined machines or when the device is MDM
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowClearingBrowsingDataOnExitLowestValueMostSecure
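Review bot: The conflict tag on AllowClearingBrowsingDataOnExit is LowestValueMostSecure, but the description in the preceding hunk reads "Specifies whether to always clear browsing history on exiting Microsoft Edge." with an old default of 0. If 1 is the value that clears on exit, lowest-wins resolves a conflict toward keeping the data, so HighestValueMostSecure looks like the intended tag. The description also says "browsing history" while the ADMX policy name says "browsing data"; use one term for both.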
@@ -40009,6 +45046,7 @@ This policy will only apply on domain joined machines or when the device is MDM
+ Allows you to add up to 5 additional search engines for MDM-enrolled devices.
If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default.
@@ -40016,7 +45054,6 @@ If this setting is turned on, you can add up to 5 additional search engines for
If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -40029,6 +45066,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ ConfigureAdditionalSearchEngines_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfigureAdditionalSearchEnginesLastWrite
@@ -40038,13 +45079,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect.
Note: This policy has no effect when Browser/HomePages is not configured.
Important
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- 0
@@ -40059,6 +45100,36 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ DisableLockdownOfStartPages
+ LowestValueMostSecure
+
+
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+ 0
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnableExtendedBooksTelemetryLowestValueMostSecure
@@ -40068,8 +45139,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
+ This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
@@ -40083,6 +45154,10 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
text/plainphone
+ MicrosoftEdge.admx
+ EnterSiteListPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnterpriseModeSiteListLastWrite
@@ -40092,8 +45167,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
-
+
@@ -40116,8 +45191,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- Configure first run URL.
+ Configure first run URL.
@@ -40140,13 +45215,13 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+ Configure the Start page URLs for your employees.
Example:
If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support.
Encapsulate each string with greater than and less than characters like any other XML tag.
Version 1703 or later: If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL.
-
@@ -40160,6 +45235,10 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
text/plainphone
+ MicrosoftEdge.admx
+ HomePagesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HomePagesLastWrite
@@ -40169,6 +45248,7 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
+ 0This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
@@ -40177,7 +45257,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
- 0
@@ -40191,6 +45270,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ LockdownFavoritesLowestValueMostSecure
@@ -40200,8 +45282,8 @@ If you disable or don't configure this setting (default), employees can add, imp
- Prevent access to the about:flags page in Microsoft Edge.0
+ Prevent access to the about:flags page in Microsoft Edge.
@@ -40215,6 +45297,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventAccessToAboutFlagsInMicrosoftEdgeHighestValueMostSecure
@@ -40224,10 +45309,10 @@ If you disable or don't configure this setting (default), employees can add, imp
+ 0Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -40242,6 +45327,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventFirstRunPageHighestValueMostSecure
@@ -40251,10 +45339,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -40268,6 +45356,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventLiveTileDataCollectionHighestValueMostSecure
@@ -40277,8 +45368,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides0
+ Don't allow Windows Defender SmartScreen warning overrides
@@ -40292,6 +45383,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideHighestValueMostSecure
@@ -40301,8 +45395,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides for unverified files.0
+ Don't allow Windows Defender SmartScreen warning overrides for unverified files.
@@ -40316,6 +45410,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideForFiles
+ HighestValueMostSecure
+
+
+
+ PreventTabPreloading
+
+
+
+
+ 0
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventTabPreloadingHighestValueMostSecure
@@ -40325,8 +45450,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Prevent using localhost IP address for WebRTC0
+ Prevent using localhost IP address for WebRTC
@@ -40340,6 +45465,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HideLocalHostIPAddressHighestValueMostSecure
@@ -40349,6 +45477,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites.
If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.
@@ -40357,7 +45486,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
-
@@ -40370,6 +45498,10 @@ If you disable or don't configure this setting, employees will see the favorites
text/plain
+ MicrosoftEdge.admx
+ ConfiguredFavoritesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfiguredFavoritesLastWrite
@@ -40379,8 +45511,8 @@ If you disable or don't configure this setting, employees will see the favorites
- Sends all intranet traffic over to Internet Explorer.0
+ Sends all intranet traffic over to Internet Explorer.
@@ -40395,6 +45527,9 @@ If you disable or don't configure this setting, employees will see the favorites
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SendIntranetTraffictoInternetExplorerHighestValueMostSecure
@@ -40404,6 +45539,7 @@ If you disable or don't configure this setting, employees will see the favorites
+ Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine.
If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING.
@@ -40411,7 +45547,6 @@ If this setting is turned on, you are setting the default search engine that you
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -40424,6 +45559,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ SetDefaultSearchEngine_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SetDefaultSearchEngineLastWrite
@@ -40433,8 +45572,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Show message when opening sites in Internet Explorer0
+ Show message when opening sites in Internet Explorer
@@ -40449,6 +45588,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ShowMessageWhenOpeningSitesInInternetExplorerHighestValueMostSecure
@@ -40458,8 +45600,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.0
+ Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
@@ -40474,6 +45616,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SyncFavoritesBetweenIEAndMicrosoftEdge
+ LowestValueMostSecure
+
+
+
+ UseSharedFolderForBooks
+
+
+
+
+ 0
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ UseSharedFolderForBooksLowestValueMostSecure
@@ -40503,8 +45675,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40518,6 +45690,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ Camera.admx
+ Camera~AT~WindowsComponents~L_Camera_GroupPolicyCategory
+ L_AllowCameraLowestValueMostSecure
@@ -40547,8 +45722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy setting specifies whether Windows apps can access cellular data.0
+ This policy setting specifies whether Windows apps can access cellular data.
@@ -40561,6 +45736,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ wwansvc.admx
+ LetAppsAccessCellularData_Enum
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularDataHighestValueMostSecure
@@ -40570,8 +45750,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
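Review bot: The added description for the force-allow list still says "Windows Store Apps", while the force-deny and user-in-control descriptions later in this patch were changed to "Microsoft Store Apps". Rename it here as well so the three list settings read the same.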
@@ -40584,6 +45764,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_ForceAllowTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularDataLastWrite;
@@ -40594,8 +45778,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -40608,6 +45792,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_ForceDenyTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularDataLastWrite;
@@ -40618,8 +45806,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -40632,6 +45820,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_UserInControlOfTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularDataLastWrite;
@@ -40642,8 +45834,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40688,8 +45880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 2
+
@@ -40712,8 +45904,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40726,6 +45918,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecure
@@ -40735,8 +45928,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40749,6 +45942,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ WCM.admx
+ WCM~AT~Network~WCM_Category
+ WCM_DisableRoamingLowestValueMostSecure
@@ -40758,8 +45955,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40782,8 +45979,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40801,14 +45998,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LowestValueMostSecure
+
+ AllowPhonePCLinking
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ grouppolicy.admx
+ grouppolicy~AT~System~PolicyPolicies
+ enableMMX
+ LowestValueMostSecure
+
+ AllowUSBConnection
- 1
+
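Review bot: AllowPhonePCLinking is added with a default of 1 and no description text in the visible lines, and it maps to the ADMX policy enableMMX in grouppolicy.admx, a name that gives an administrator no hint of what is being linked. Add a description that says what 0 and 1 do, since the default of 1 is not the value the LowestValueMostSecure tag treats as most secure.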
@@ -40832,8 +46056,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40856,8 +46080,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -40880,8 +46104,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40907,8 +46131,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40934,8 +46158,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40961,8 +46185,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -40975,6 +46199,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ ICM.admx
+ ICM~AT~System~InternetManagement~InternetManagement_Settings
+ NoActiveProbeHighestValueMostSecure
@@ -40984,8 +46212,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41011,8 +46239,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41033,6 +46261,50 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ ControlPolicyConflict
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MDMWinsOverGP
+
+
+
+
+ 0
+ If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LastWrite
+
+
+ CredentialProviders
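Review bot: The MDMWinsOverGP description is hard to parse ("any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC") and has no closing period. It also says nothing about the default of 0, or about what happens to a GP value that was already applied before the MDM policy arrived. Suggest rewording along the lines of "If set to 1, Group Policy is blocked from setting any policy that is also set through MDM." and adding a sentence for the 0 case.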
@@ -41058,8 +46330,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41085,8 +46357,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41112,8 +46384,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41131,6 +46403,53 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ CredentialsDelegation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RemoteHostAllowsDelegationOfNonExportableCredentials
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ CredSsp.admx
+ CredSsp~AT~System~CredentialsDelegation
+ AllowProtectedCreds
+ LastWrite
+
+
+ CredentialsUI
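Review bot: RemoteHostAllowsDelegationOfNonExportableCredentials is added with no description text and no default value in the visible lines, and the ADMX policy it maps to, AllowProtectedCreds in CredSsp.admx, has a name that does not obviously refer to the same setting. Please add a description that says what the policy permits and ties the two names together, as MDMWinsOverGP has earlier in this patch.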
@@ -41156,8 +46475,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41183,8 +46502,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41230,8 +46549,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41244,6 +46563,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ Windows Settings~Security Settings~Local Policies~Security Options
+ System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signingLastWrite
@@ -41253,8 +46575,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41296,8 +46618,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41320,8 +46642,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41363,8 +46685,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41389,8 +46711,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41435,8 +46757,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41449,7 +46771,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableArchiveScanningHighestValueMostSecure
@@ -41459,8 +46785,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41473,7 +46799,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableBehaviorMonitoringHighestValueMostSecure
@@ -41483,8 +46813,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41497,7 +46827,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ SpynetReporting
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet
+ SpynetReportingHighestValueMostSecure
@@ -41507,8 +46842,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41521,7 +46856,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableEmailScanningHighestValueMostSecure
@@ -41531,8 +46870,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41545,7 +46884,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableScanningMappedNetworkDrivesForFullScanHighestValueMostSecure
@@ -41555,8 +46898,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41569,7 +46912,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableRemovableDriveScanningHighestValueMostSecure
@@ -41579,8 +46926,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41593,6 +46940,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phoneHighestValueMostSecure
@@ -41603,8 +46951,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41617,7 +46965,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableIOAVProtectionHighestValueMostSecure
@@ -41627,8 +46979,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41641,7 +46993,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableOnAccessProtectionHighestValueMostSecure
@@ -41651,8 +47007,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41665,7 +47021,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ DisableRealtimeMonitoringHighestValueMostSecure
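Review bot: the ADMX policy mapped here is named DisableRealtimeMonitoring, yet the rule attached to it is HighestValueMostSecure. Read against the ADMX name, the highest value would be the one that turns monitoring off, so the rule only makes sense if it orders the MDM-side value. Please state next to the mapping which value the rule compares. The same question applies to the other Disable-named mappings in the neighbouring hunks (Scan_DisableArchiveScanning, RealtimeProtection_DisableBehaviorMonitoring, RealtimeProtection_DisableIOAVProtection, RealtimeProtection_DisableOnAccessProtection).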
@@ -41675,8 +47035,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41689,7 +47049,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableScanningNetworkFilesHighestValueMostSecure
@@ -41699,8 +47063,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41713,6 +47077,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phoneHighestValueMostSecure
@@ -41723,8 +47088,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -41737,7 +47102,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ClientInterface
+ UX_Configuration_UILockdownLastWrite
@@ -41747,8 +47116,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41762,6 +47131,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ ExploitGuard_ASR_ASROnlyExclusions
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR
+ ExploitGuard_ASR_ASROnlyExclusionsLastWrite
@@ -41771,8 +47144,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41786,6 +47159,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ ExploitGuard_ASR_Rules
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR
+ ExploitGuard_ASR_RulesLastWrite
@@ -41795,8 +47172,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 50
+
@@ -41809,7 +47186,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_AvgCPULoadFactor
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_AvgCPULoadFactorLastWrite
@@ -41819,8 +47201,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41833,7 +47215,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ MpCloudBlockLevel
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine
+ MpEngine_MpCloudBlockLevelLastWrite
@@ -41843,8 +47230,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41857,7 +47244,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ MpBafsExtendedTimeout
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine
+ MpEngine_MpBafsExtendedTimeoutLastWrite
@@ -41867,8 +47259,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41882,6 +47274,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_AllowedApplications
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_AllowedApplicationsLastWrite
@@ -41891,8 +47287,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41906,6 +47302,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_ProtectedFolders
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_ProtectedFoldersLastWrite
@@ -41915,8 +47315,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41929,7 +47329,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Quarantine_PurgeItemsAfterDelay
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Quarantine
+ Quarantine_PurgeItemsAfterDelayLastWrite
@@ -41939,8 +47344,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41953,7 +47358,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccessLastWrite
@@ -41963,8 +47373,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -41977,7 +47387,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ ExploitGuard_EnableNetworkProtection
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_NetworkProtection
+ ExploitGuard_EnableNetworkProtectionLastWrite
@@ -41987,8 +47402,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42002,6 +47417,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ Exclusions_PathsList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_PathsLastWrite
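Review bot: Exclusions_Paths is resolved with LastWrite, so when two sources set it the result depends on write order, not on which list is narrower. Exclusions_Extensions and Exclusions_Processes in the next two hunks get the same rule. For settings under an Exclusions category that is worth calling out: either document next to these entries that the last writer replaces the whole list, or explain why none of the most-secure rules used elsewhere in this file applies.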
@@ -42011,8 +47430,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42026,6 +47445,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ Exclusions_ExtensionsList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_ExtensionsLastWrite
@@ -42035,8 +47458,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42050,6 +47473,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ Exclusions_ProcessesList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_ProcessesLastWrite
@@ -42059,8 +47486,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42073,6 +47500,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phoneLastWrite
@@ -42083,8 +47511,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42097,7 +47525,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ RealtimeProtection_RealtimeScanDirection
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_RealtimeScanDirectionLowestValueMostSecure
@@ -42107,8 +47540,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -42121,7 +47554,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_ScanParameters
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScanParametersLastWrite
@@ -42131,8 +47569,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 120
+
@@ -42145,7 +47583,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_ScheduleQuickScantime
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleQuickScantimeLastWrite
@@ -42155,8 +47598,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42169,7 +47612,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_ScheduleDay
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleDayLastWrite
@@ -42179,8 +47627,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 120
+
@@ -42193,7 +47641,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ Scan_ScheduleTime
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleTimeLastWrite
@@ -42203,8 +47656,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 8
+
@@ -42217,7 +47670,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ SignatureUpdate_SignatureUpdateInterval
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate
+ SignatureUpdate_SignatureUpdateIntervalLastWrite
@@ -42227,8 +47685,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -42241,7 +47699,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phone
+ WindowsDefender.admx
+ SubmitSamplesConsent
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet
+ SubmitSamplesConsentHighestValueMostSecure
@@ -42251,8 +47714,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42266,6 +47729,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plainphone
+ WindowsDefender.admx
+ Threats_ThreatSeverityDefaultActionList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Threats
+ Threats_ThreatSeverityDefaultActionLastWrite
@@ -42295,8 +47762,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 10
+
@@ -42309,7 +47776,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ AbsoluteMaxCacheSize
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ AbsoluteMaxCacheSizeLastWrite
@@ -42319,8 +47790,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42334,20 +47805,23 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ AllowVPNPeerCaching
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ AllowVPNPeerCachingLowestValueMostSecure
- DOCacheHost
+ DODelayBackgroundDownloadFromHttp
+ 0
-
-
+
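Review bot: DOCacheHost is removed at the position where DODelayBackgroundDownloadFromHttp is added, and nothing in this hunk shows DOCacheHost being added back elsewhere. If the node is being dropped and not just moved, please say so in the change description so that anyone still referencing DOCacheHost knows it is gone. If it is a move, point to where it now lives.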
@@ -42358,7 +47832,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ DelayBackgroundDownloadFromHttp
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DelayBackgroundDownloadFromHttp
+ LastWrite
+
+
+
+ DODelayForegroundDownloadFromHttp
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ DelayForegroundDownloadFromHttp
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DelayForegroundDownloadFromHttpLastWrite
@@ -42368,8 +47874,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 1
+
@@ -42383,7 +47889,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ DownloadMode
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DownloadModeLastWrite
@@ -42393,8 +47902,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42407,7 +47916,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ GroupId
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ GroupId
+ LastWrite
+
+
+
+ DOGroupIdSource
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ GroupIdSource
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ GroupIdSourceLastWrite
@@ -42417,8 +47957,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 259200
+
@@ -42431,7 +47971,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxCacheAge
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxCacheAgeLastWrite
@@ -42441,8 +47985,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 20
+
@@ -42455,7 +47999,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxCacheSize
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxCacheSizeLastWrite
@@ -42465,8 +48013,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42479,7 +48027,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxDownloadBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxDownloadBandwidthLastWrite
@@ -42489,8 +48041,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42503,7 +48055,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxUploadBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxUploadBandwidthLastWrite
@@ -42513,8 +48069,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 500
+
@@ -42527,7 +48083,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinBackgroundQos
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinBackgroundQosLastWrite
@@ -42537,8 +48097,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42551,7 +48111,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinBatteryPercentageAllowedToUpload
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinBatteryPercentageAllowedToUploadLastWrite
@@ -42561,8 +48125,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 32
+
@@ -42575,7 +48139,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinDiskSizeAllowedToPeer
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinDiskSizeAllowedToPeerLastWrite
@@ -42585,8 +48153,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 100
+
@@ -42599,7 +48167,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinFileSizeToCache
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinFileSizeToCacheLastWrite
@@ -42609,8 +48181,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 4
+
@@ -42623,7 +48195,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinRAMAllowedToPeer
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinRAMAllowedToPeerLastWrite
@@ -42633,8 +48209,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- %SystemDrive%
+
@@ -42647,7 +48223,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ ModifyCacheDrive
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ ModifyCacheDriveLastWrite
@@ -42657,8 +48236,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 20
+
@@ -42671,7 +48250,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MonthlyUploadDataCap
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MonthlyUploadDataCap
+ LastWrite
+
+
+
+ DOPercentageMaxBackgroundBandwidth
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ PercentageMaxBackgroundBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ PercentageMaxBackgroundBandwidthLastWrite
@@ -42681,8 +48292,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -42695,10 +48306,191 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ phoneLastWrite
+
+ DOPercentageMaxForegroundBandwidth
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ PercentageMaxForegroundBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ PercentageMaxForegroundBandwidth
+ LastWrite
+
+
+
+ DORestrictPeerSelectionBy
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ RestrictPeerSelectionBy
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ RestrictPeerSelectionBy
+ LastWrite
+
+
+
+ DOSetHoursToLimitBackgroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ DeliveryOptimization.admx
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ SetHoursToLimitBackgroundDownloadBandwidth
+ LastWrite
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
+
+ DOSetHoursToLimitForegroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ DeliveryOptimization.admx
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ SetHoursToLimitForegroundDownloadBandwidth
+ LastWrite
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+ DeviceGuard
@@ -42725,8 +48517,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Turns On Virtualization Based Security(VBS)0
+ Turns On Virtualization Based Security(VBS)
@@ -42741,6 +48533,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurityHighestValueMostSecure
@@ -42750,8 +48545,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.0
+ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
@@ -42766,6 +48561,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ CredentialIsolationDrop
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurityLowestValueMostSecureZeroHasNoLimits
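Review bot: LowestValueMostSecureZeroHasNoLimits is only correct here because of how the values happen to be ordered in the description from the previous hunk (0 turns Credential Guard off, 1 is on with UEFI lock, 2 is on without UEFI lock). That dependency is not visible at the point where the rule is set. Please add a short comment beside it noting that 1 outranks 2 and that 0 is treated as "no limit", so a later renumbering of the values does not silently invert the outcome.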
@@ -42775,8 +48574,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.1
+ Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
@@ -42791,6 +48590,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ RequirePlatformSecurityFeaturesDrop
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurityHighestValueMostSecure
@@ -42820,8 +48623,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42847,8 +48650,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42894,8 +48697,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether the user must input a PIN or password when the device resumes from an idle state.1
+ Specifies whether the user must input a PIN or password when the device resumes from an idle state.
@@ -42919,8 +48722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.0
+ Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
@@ -42933,6 +48736,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LastWrite
@@ -42942,8 +48746,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords.1
+ Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords.
@@ -42956,6 +48760,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecure
@@ -42965,8 +48770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 02
+ Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0
@@ -42979,6 +48784,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecure
@@ -42988,8 +48794,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether device lock is enabled.1
+ Specifies whether device lock is enabled.
@@ -43002,6 +48808,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecure
@@ -43011,8 +48818,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies when the password expires (in days).0
+ Specifies when the password expires (in days).
@@ -43025,6 +48832,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecureZeroHasNoLimits
@@ -43034,8 +48842,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies how many passwords can be stored in the history that can’t be used.0
+ Specifies how many passwords can be stored in the history that can’t be used.
@@ -43048,6 +48856,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ HighestValueMostSecure
@@ -43057,8 +48866,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -43081,8 +48890,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -43104,8 +48913,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- 0
+
@@ -43118,6 +48927,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecureZeroHasNoLimits
@@ -43127,8 +48937,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.0
+ The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
@@ -43141,6 +48951,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ LowestValueMostSecureZeroHasNoLimits
@@ -43150,8 +48961,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Sets the maximum timeout value for the external display.0
+ Sets the maximum timeout value for the external display.
@@ -43164,6 +48975,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ desktopLowestValueMostSecure
@@ -43174,8 +48986,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.1
+ The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
@@ -43188,6 +49000,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ HighestValueMostSecure
@@ -43197,8 +49010,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies the minimum number or characters required in the PIN or password.4
+ Specifies the minimum number or characters required in the PIN or password.
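Review bot: the description rewritten in this hunk still reads "the minimum number or characters required in the PIN or password"; "or" should be "of". Since the line is being touched anyway, please fix the typo in the same change.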
@@ -43211,6 +49024,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ HighestValueMostSecureZeroHasNoLimits
@@ -43220,12 +49034,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 1This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
- 1
@@ -43238,8 +49052,38 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+
+ phone
+ Windows Settings~Security Settings~Account Policies~Password Policy
+ Minimum password age
+ HighestValueMostSecure
+
+
+
+ PreventEnablingLockScreenCamera
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+ phone
- HighestValueMostSecure
+ ControlPanelDisplay.admx
+ ControlPanelDisplay~AT~ControlPanel~Personalization
+ CPL_Personalization_NoLockScreenCamera
+ LastWrite
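Review bot: The new "Minimum password age" mapping is given HighestValueMostSecure, but the description in the preceding hunk says the minimum age must be less than the maximum password age unless the maximum is 0. Confirm what happens when the highest minimum age from one source wins and ends up at or above the maximum age set by another, and document that case in the node description. The PreventEnablingLockScreenCamera node added in the same hunk has no description text in the lines shown; a one-line description would help.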
@@ -43248,8 +49092,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43275,8 +49119,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.10
+ Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
@@ -43289,6 +49133,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ LastWrite
@@ -43313,13 +49158,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- TurnOffGdiDPIScalingForApps
+ DisablePerProcessDpiForApps
- This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+ This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
@@ -43333,6 +49178,95 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plainphone
+ Display.admx
+ DisplayDisablePerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LastWrite
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Display.admx
+ DisplayGlobalPerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LowestValueMostSecure
+
+
+
+ EnablePerProcessDpiForApps
+
+
+
+
+
+ This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Display.admx
+ DisplayEnablePerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LastWrite
+
+
+
+ TurnOffGdiDPIScalingForApps
+
+
+
+
+
+ This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Display.admx
+ DisplayTurnOffGdiDPIScalingPrompt
+ Display~AT~System~DisplayCat
+ DisplayTurnOffGdiDPIScalingLastWrite
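Review bot: The description added for EnablePerProcessDpi, "Enable or disable Per-Process System DPI for all applications.", does not say which value enables and which disables, yet the node is resolved with LowestValueMostSecure. State the allowed values and their meaning in the description so a reader can tell which setting wins on conflict. The two per-app list nodes say they "override the system-wide default value"; it would help to say explicitly that EnablePerProcessDpi is that default, and what happens when the same application appears in both the enable and the disable list.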
@@ -43342,8 +49276,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+ This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
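Review bot: The removed and added description lines read identically here, so this hunk appears to change whitespace or markup only. If the line is being touched, bring "allows to turn on" and "semicolon separated" in line with the "allows you to" and "semicolon-separated" wording used for the new Per-Process System DPI nodes in the same patch.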
@@ -43357,6 +49291,10 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plainphone
+ Display.admx
+ DisplayTurnOnGdiDPIScalingPrompt
+ Display~AT~System~DisplayCat
+ DisplayTurnOnGdiDPIScalingLastWrite
@@ -43386,8 +49324,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43413,8 +49351,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43440,8 +49378,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43467,8 +49405,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43494,8 +49432,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43541,8 +49479,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43568,8 +49506,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43595,8 +49533,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43622,8 +49560,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43669,8 +49607,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43694,8 +49632,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43709,6 +49647,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortanaLowestValueMostSecure
@@ -43718,8 +49659,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43742,8 +49683,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43757,6 +49698,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ FindMy.admx
+ FindMy~AT~WindowsComponents~FindMyDeviceCat
+ FindMy_AllowFindMyDeviceConfigLowestValueMostSecure
@@ -43766,8 +49710,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43790,8 +49734,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43814,8 +49758,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43838,8 +49782,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43862,8 +49806,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43886,8 +49830,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43910,8 +49854,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43935,8 +49879,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -43955,13 +49899,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- AllowWindowsTips
+ AllowWindowsConsumerFeatures
+ 0
- 1
@@ -43976,17 +49920,20 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsConsumerFeaturesLowestValueMostSecure
- DoNotShowFeedbackNotifications
+ AllowWindowsTips
+ 1
- 0
@@ -43999,6 +49946,38 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+
+ phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableSoftLanding
+ LowestValueMostSecure
+
+
+
+ DoNotShowFeedbackNotifications
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ FeedbackNotifications.admx
+ FeedbackNotifications~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ DoNotShowFeedbackNotificationsHighestValueMostSecure
@@ -44028,8 +50007,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44042,6 +50021,84 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ ExploitGuard.admx
+ ExploitProtection_Name
+ ExploitGuard~AT~WindowsComponents~WindowsDefenderExploitGuard~ExploitProtection
+ ExploitProtection_Name
+ LastWrite
+
+
+
+
+ FileExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOffDataExecutionPreventionForExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Explorer.admx
+ Explorer~AT~WindowsExplorer
+ NoDataExecutionPrevention
+ LastWrite
+
+
+
+ TurnOffHeapTerminationOnCorruption
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Explorer.admx
+ Explorer~AT~WindowsExplorer
+ NoHeapTerminationOnCorruptionLastWrite
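Review bot: TurnOffDataExecutionPreventionForExplorer and TurnOffHeapTerminationOnCorruption are added with no description text in the lines shown, and both names describe switching off a memory-protection feature for Explorer. Add a description to each that states what enabling the policy turns off and what the behaviour is when the policy is not configured, so an administrator does not have to infer the effect from the ADMX names NoDataExecutionPrevention and NoHeapTerminationOnCorruption. The same applies to the ExploitProtection_Name mapping at the top of the hunk, which names neither the node nor the expected value format.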
@@ -44071,8 +50128,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.1
+ Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.
@@ -44115,8 +50172,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen0
+ Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen
@@ -44131,6 +50188,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ Handwriting.admx
+ Handwriting~AT~WindowsComponents~Handwriting
+ PanelDefaultModeDockedLowestValueMostSecure
@@ -44160,8 +50220,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44187,8 +50247,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44214,8 +50274,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44241,8 +50301,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44268,8 +50328,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44295,8 +50355,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44322,8 +50382,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44349,8 +50409,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44376,8 +50436,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44403,8 +50463,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44430,8 +50490,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44457,8 +50517,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44484,8 +50544,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44511,8 +50571,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44538,8 +50598,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44565,8 +50625,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44592,8 +50652,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44619,8 +50679,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44646,8 +50706,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44673,8 +50733,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44700,8 +50760,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44727,8 +50787,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44754,8 +50814,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44781,8 +50841,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44808,8 +50868,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44835,8 +50895,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44862,8 +50922,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44889,8 +50949,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44905,8 +50965,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phoneinetres.admx
- inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction
- IESF_PolicyExplorerProcesses_2
+ inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling
+ IESF_PolicyExplorerProcesses_5LastWrite
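Review bot: This hunk changes the ADMX mapping from IESF_CategoryBinaryBehaviorSecurityRestriction / IESF_PolicyExplorerProcesses_2 to IESF_CategoryConsistentMimeHandling / IESF_PolicyExplorerProcesses_5, but the policy node it belongs to is not visible in the context lines. Confirm the enclosing node is the consistent MIME handling policy, because a wrong category here would make the node configure a different Internet Explorer security feature than its name says. If the old mapping was a bug, say so in the commit message so the behaviour change is traceable.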
@@ -44916,8 +50976,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44943,8 +51003,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44970,8 +51030,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44997,8 +51057,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45024,8 +51084,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45051,8 +51111,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45078,8 +51138,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45105,8 +51165,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45132,8 +51192,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45159,8 +51219,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45186,8 +51246,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45213,8 +51273,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45240,8 +51300,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45267,8 +51327,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45294,8 +51354,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45321,8 +51381,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45348,8 +51408,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45375,8 +51435,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45402,8 +51462,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45429,8 +51489,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45456,8 +51516,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45483,8 +51543,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45510,8 +51570,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45537,8 +51597,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45564,8 +51624,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45591,8 +51651,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45618,8 +51678,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45645,8 +51705,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45672,8 +51732,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45699,8 +51759,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45726,8 +51786,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45753,8 +51813,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45780,8 +51840,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45807,8 +51867,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45834,8 +51894,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45861,8 +51921,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45888,8 +51948,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45915,8 +51975,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45942,8 +52002,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45969,8 +52029,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45996,8 +52056,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46023,8 +52083,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46050,8 +52110,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46071,14 +52131,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone
+ IZ_PolicyAllowVBScript_1
+ LastWrite
+
+ InternetZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
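Review bot: InternetZoneAllowVBScriptToRunInInternetExplorer is added with a mapping to IZ_PolicyAllowVBScript_1 under IZ_InternetZone but with no description text in the lines shown. Because the name starts with "Allow", document which setting blocks VBScript in the Internet zone and what applies when the policy is not configured, rather than leaving readers to look it up in inetres.admx.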
@@ -46104,8 +52191,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46131,8 +52218,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46158,8 +52245,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46185,8 +52272,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46212,8 +52299,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46239,8 +52326,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46266,8 +52353,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46293,8 +52380,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46320,8 +52407,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46347,8 +52434,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46374,8 +52461,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46401,8 +52488,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46428,8 +52515,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46455,8 +52542,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46482,8 +52569,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46509,8 +52596,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46536,8 +52623,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46563,8 +52650,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46590,8 +52677,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46617,8 +52704,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46644,8 +52731,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46671,8 +52758,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46698,8 +52785,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46725,8 +52812,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46752,8 +52839,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46779,8 +52866,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46806,8 +52893,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46833,8 +52920,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46860,8 +52947,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46887,8 +52974,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46914,8 +53001,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46941,8 +53028,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46968,8 +53055,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46995,8 +53082,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47022,8 +53109,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47049,8 +53136,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47076,8 +53163,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47103,8 +53190,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47130,8 +53217,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47157,8 +53244,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47184,8 +53271,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47211,8 +53298,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47238,8 +53325,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47265,8 +53352,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47292,8 +53379,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47319,8 +53406,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47346,8 +53433,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47373,8 +53460,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47400,8 +53487,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47427,8 +53514,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47454,8 +53541,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47481,8 +53568,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47508,8 +53595,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47535,8 +53622,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47556,14 +53643,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown
+ IZ_PolicyJavaPermissions_4
+ LastWrite
+
+ LockedDownIntranetZoneAllowAccessToDataSources
-
+
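Review bot: LockedDownIntranetJavaPermissions maps to IZ_PolicyJavaPermissions_4 under IZ_IntranetZoneLockdown, and the lines shown give no description of the permitted values. Add a description that lists the accepted Java permission settings and identifies the most restrictive one, since LastWrite conflict resolution means the last writer's choice applies whatever its strictness.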
@@ -47589,8 +53703,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47616,8 +53730,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47643,8 +53757,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47670,8 +53784,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47697,8 +53811,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47724,8 +53838,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47751,8 +53865,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47778,8 +53892,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47805,8 +53919,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47832,8 +53946,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47859,8 +53973,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47886,8 +54000,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47913,8 +54027,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47940,8 +54054,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47967,8 +54081,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47994,8 +54108,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48021,8 +54135,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48048,8 +54162,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48075,8 +54189,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48102,8 +54216,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48129,8 +54243,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48156,8 +54270,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48183,8 +54297,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48210,8 +54324,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48237,8 +54351,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48264,8 +54378,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48291,8 +54405,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48318,8 +54432,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48345,8 +54459,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48372,8 +54486,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48399,8 +54513,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48426,8 +54540,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48453,8 +54567,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48480,8 +54594,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48507,8 +54621,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48534,8 +54648,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48561,8 +54675,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48588,8 +54702,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48615,8 +54729,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48642,8 +54756,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48669,8 +54783,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48696,8 +54810,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48723,8 +54837,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48750,8 +54864,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48777,8 +54891,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48804,8 +54918,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48831,8 +54945,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48858,8 +54972,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48885,8 +54999,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48912,8 +55026,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48939,8 +55053,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48966,8 +55080,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48993,8 +55107,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49020,8 +55134,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49047,8 +55161,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49074,8 +55188,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49101,8 +55215,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49128,8 +55242,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49155,8 +55269,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49182,8 +55296,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49209,8 +55323,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49236,8 +55350,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49263,8 +55377,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49290,8 +55404,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49317,8 +55431,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49344,8 +55458,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49371,8 +55485,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49398,8 +55512,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49425,8 +55539,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49452,8 +55566,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49479,8 +55593,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49506,8 +55620,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49533,8 +55647,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49560,8 +55674,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49587,8 +55701,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49608,14 +55722,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone
+ IZ_PolicyAllowVBScript_7
+ LastWrite
+
+ RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -49641,8 +55782,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49668,8 +55809,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49695,8 +55836,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49722,8 +55863,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49749,8 +55890,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49776,8 +55917,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49803,8 +55944,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49830,8 +55971,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49857,8 +55998,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49884,8 +56025,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49911,8 +56052,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49938,8 +56079,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49965,8 +56106,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49992,8 +56133,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50019,8 +56160,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50046,8 +56187,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50073,8 +56214,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50100,8 +56241,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50127,8 +56268,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50154,8 +56295,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50181,8 +56322,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50208,8 +56349,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50230,13 +56371,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- SecurityZonesUseOnlyMachineSettings
+ SecurityZonesUseOnlyMachineSettings
-
+
@@ -50262,8 +56403,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50289,8 +56430,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50316,8 +56457,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50343,8 +56484,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50370,8 +56511,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50397,8 +56538,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50424,8 +56565,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50451,8 +56592,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50478,8 +56619,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50505,8 +56646,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50532,8 +56673,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50559,8 +56700,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50586,8 +56727,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50613,8 +56754,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50660,8 +56801,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50687,8 +56828,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50714,8 +56855,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50741,8 +56882,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50768,8 +56909,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50790,6 +56931,173 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ BlockedUrls
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ DefaultURL
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ EnableHomeButton
+
+
+
+
+ 0
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ EnableNavigationButtons
+
+
+
+
+ 0
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ RestartOnIdleTime
+
+
+
+
+ 0
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+ Licensing
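Review bot: The descriptions for EnableHomeButton, EnableNavigationButtons and RestartOnIdleTime each carry a default of 0 without saying what 0 means. "Enable/disable kiosk browser's home button." does not say which value enables the button, and the RestartOnIdleTime text does not say whether 0 turns the idle restart off. Suggest spelling out the value mapping in each description. For BlockedUrls and BlockedUrlExceptions, the text says "with wildcard support" but gives neither the wildcard syntax nor how multiple URLs are delimited, which matters because these two lists decide what a kiosk session can reach. Wording nits: "can not" should be "cannot", and "Configures the default URL kiosk browsers to navigate on launch and restart" is missing "to" after "navigate".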
@@ -50815,8 +57123,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 1
+
@@ -50831,6 +57139,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ AVSValidationGP.admx
+ AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform
+ AllowWindowsEntitlementReactivationLowestValueMostSecure
@@ -50840,8 +57151,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- 0
+
@@ -50856,6 +57167,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ AVSValidationGP.admx
+ AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform
+ NoAcquireGTLowestValueMostSecure
@@ -50885,6 +57199,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+ 0This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
@@ -50892,7 +57207,6 @@ If you select the "Users can’t add Microsoft accounts" option, users will not
If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
- 0
@@ -50907,6 +57221,8 @@ If you disable or do not configure this policy (recommended), users will be able
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Block Microsoft accountsLastWrite
@@ -50916,6 +57232,7 @@ If you disable or do not configure this policy (recommended), users will be able
+ 0This security setting determines whether the local Administrator account is enabled or disabled.
Notes
@@ -50926,7 +57243,6 @@ Disabling the Administrator account can become a maintenance issue under certain
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
Default: Disabled.
- 0
@@ -50939,7 +57255,10 @@ Default: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Administrator account statusLastWrite
@@ -50949,12 +57268,12 @@ Default: Disabled.
+ 0This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
- 0
@@ -50967,7 +57286,10 @@ Note: If the Guest account is disabled and the security option Network Access: S
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Guest account statusLastWrite
@@ -50977,6 +57299,7 @@ Note: If the Guest account is disabled and the security option Network Access: S
+ 1Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
@@ -50993,7 +57316,6 @@ Notes
This setting does not affect logons that use domain accounts.
It is possible for applications that use remote interactive logons to bypass this setting.
- 1
@@ -51006,7 +57328,10 @@ It is possible for applications that use remote interactive logons to bypass thi
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Limit local account use of blank passwords to console logon onlyLastWrite
@@ -51016,12 +57341,12 @@ It is possible for applications that use remote interactive logons to bypass thi
+ AdministratorAccounts: Rename administrator account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
Default: Administrator.
- Administrator
@@ -51035,6 +57360,8 @@ Default: Administrator.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Rename administrator accountLastWrite
@@ -51044,12 +57371,12 @@ Default: Administrator.
+ GuestAccounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
Default: Guest.
- Guest
@@ -51063,6 +57390,8 @@ Default: Guest.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Rename guest accountLastWrite
@@ -51072,6 +57401,7 @@ Default: Guest.
+ 0Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
@@ -51080,7 +57410,6 @@ Administrators
Administrators and Interactive Users
Default: This policy is not defined and only Administrators have this ability.
- 0
@@ -51094,6 +57423,8 @@ Default: This policy is not defined and only Administrators have this ability.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Allowed to format and eject removable mediaLastWrite
@@ -51103,13 +57434,13 @@ Default: This policy is not defined and only Administrators have this ability.
+ 1Devices: Allow undock without having to log on
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
Default: Enabled.
Caution
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
- 1
@@ -51122,7 +57453,10 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Allow undock without having to log onLastWrite
@@ -51132,6 +57466,7 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
+ 0Devices: Prevent users from installing printer drivers when connecting to shared printers
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.
@@ -51143,7 +57478,6 @@ Notes
This setting does not affect the ability to add a local printer.
This setting does not affect Administrators.
- 0
@@ -51156,7 +57490,10 @@ This setting does not affect Administrators.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Prevent users from installing printer driversLastWrite
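Review bot: The display name added at the end of this hunk, "Devices: Prevent users from installing printer drivers", is shorter than the title this patch puts at the top of the same setting's description, "Devices: Prevent users from installing printer drivers when connecting to shared printers". Please confirm which is the intended policy name and make the two match, as the other Devices nodes in this patch do.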
@@ -51166,6 +57503,7 @@ This setting does not affect Administrators.
+ 0Devices: Restrict CD-ROM access to locally logged-on user only
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
@@ -51173,7 +57511,6 @@ This security setting determines whether a CD-ROM is accessible to both local an
If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network.
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
- 0
@@ -51187,6 +57524,245 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Restrict CD-ROM access to locally logged-on user only
+ LastWrite
+
+
+
+ DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+
+
+ 1
+ Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally encrypt or sign secure channel data (always)
+ LastWrite
+
+
+
+ DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+
+
+ 1
+ Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally encrypt secure channel data (when possible)
+ LastWrite
+
+
+
+ DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+
+
+ 1
+ Domain member: Digitally sign secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
+
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally sign secure channel data (when possible)
+ LastWrite
+
+
+
+ DomainMember_DisableMachineAccountPasswordChanges
+
+
+
+
+ 0
+ Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Disable machine account password changes
+ LastWrite
+
+
+
+ DomainMember_MaximumMachineAccountPasswordAge
+
+
+
+
+ 30
+ Domain member: Maximum machine account password age
+
+This security setting determines how often a domain member will attempt to change its computer account password.
+
+Default: 30 days.
+
+Important
+
+This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Maximum machine account password age
+ LowestValueMostSecure
+
+
+
+ DomainMember_RequireStrongSessionKey
+
+
+
+
+ 1
+ Domain member: Require strong (Windows 2000 or later) session key
+
+This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
+
+Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+Domain member: Digitally encrypt secure channel data (when possible)
+Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
+
+If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
+
+Default: Enabled.
+
+Important
+
+In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
+In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Require strong (Windows 2000 or later) session keyLastWrite
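Review bot: In the Notes of DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways, the sentence beginning "If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled" is added twice on consecutive lines; drop one copy. The DomainMember_DisableMachineAccountPasswordChanges description also refers to "Domain Member: Maximum age for machine account password", while the node added below it is titled "Domain member: Maximum machine account password age"; use the actual title so readers can find the setting. DomainMember_MaximumMachineAccountPasswordAge is the only node in this hunk tagged LowestValueMostSecure, and its description gives the default (30 days) but no allowed range, which is worth stating.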
@@ -51196,11 +57772,11 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
+ 1Interactive Logon:Display user information when the session is locked
User display name, domain and user names (1)
User display name only (2)
Do not display user information (3)
- 1
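Review bot: The description title added here reads "Interactive Logon:Display user information when the session is locked", with a capital "Logon" and no space after the colon, while the display name added for the same setting later in the patch is "Interactive logon: Display user information when the session is locked". Align the title with the display name. The three options are listed with their values (1), (2), (3) but with no sentence saying what the setting controls, unlike the neighbouring Interactive logon descriptions; a one-line summary would help.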
@@ -51213,7 +57789,10 @@ Do not display user information (3)
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Display user information when the session is lockedLastWrite
@@ -51223,6 +57802,7 @@ Do not display user information (3)
+ 0Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
If this policy is enabled, the username will not be shown.
@@ -51230,7 +57810,6 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
- 0
@@ -51243,7 +57822,10 @@ Default: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Don't display last signed-inLastWrite
@@ -51253,6 +57835,7 @@ Default: Disabled.
+ 1Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
If this policy is enabled, the username will not be shown.
@@ -51260,7 +57843,6 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
- 1
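Review bot: The default value for "Interactive logon: Don't display username at sign-in" is 1 (removed at the end of this hunk and re-added in front of the title in the previous one), yet the description still ends with "Default: Disabled." The neighbouring settings pair 0 with "Default: Disabled." (for example "Don't display last signed-in") and 1 with "Default: Enabled." (for example "Allow undock without having to log on"), so either the value or the text looks wrong here. Please check which one is intended, since it decides whether the username is hidden by default.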
@@ -51273,7 +57855,10 @@ Default: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Don't display username at sign-inLastWrite
@@ -51283,6 +57868,7 @@ Default: Disabled.
+ 1Interactive logon: Do not require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
@@ -51293,7 +57879,6 @@ If this policy is disabled, any user is required to press CTRL+ALT+DEL before lo
Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
Default on stand-alone computers: Enabled.
- 1
@@ -51306,7 +57891,10 @@ Default on stand-alone computers: Enabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Do not require CTRL+ALT+DELLastWrite
@@ -51316,12 +57904,12 @@ Default on stand-alone computers: Enabled.
+ 0Interactive logon: Machine inactivity limit.
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
- 0
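Review bot: The "Interactive logon: Machine inactivity limit." description gives a default of 0 and "Default: not enforced." but no unit for the limit and no statement that 0 is the not-enforced value. State the unit and the meaning of 0 in the description, since this value controls when an unattended session locks. The title also ends with a period that the display name added later in the patch does not have.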
@@ -51334,7 +57922,10 @@ Default: not enforced.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Machine inactivity limitLastWrite
@@ -51344,6 +57935,7 @@ Default: not enforced.
+ Interactive logon: Message text for users attempting to log on
This security setting specifies a text message that is displayed to users when they log on.
@@ -51351,7 +57943,6 @@ This security setting specifies a text message that is displayed to users when t
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Default: No message.
-
@@ -51365,6 +57956,8 @@ Default: No message.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Message text for users attempting to log onLastWrite0xF000
@@ -51375,12 +57968,12 @@ Default: No message.
+ Interactive logon: Message title for users attempting to log on
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
Default: No message.
-
@@ -51394,23 +57987,40 @@ Default: No message.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Message title for users attempting to log onLastWrite
- NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+ InteractiveLogon_SmartCardRemovalBehavior
- Network access: Restrict clients allowed to make remote calls to SAM
+ 0
+ Interactive logon: Smart card removal behavior
-This policy setting allows you to restrict remote rpc connections to SAM.
+This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
-If not selected, the default security descriptor will be used.
+The options are:
-This policy is supported on at least Windows Server 2016.
-
+ No Action
+ Lock Workstation
+ Force Logoff
+ Disconnect if a Remote Desktop Services session
+
+If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
+
+If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
+
+If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+
+Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+Default: This policy is not defined, which means that the system treats it as No action.
+
+On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
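Review bot: The new InteractiveLogon_SmartCardRemovalBehavior description lists four options (No Action, Lock Workstation, Force Logoff, Disconnect if a Remote Desktop Services session) and a default value of 0, but never says which numeric value selects which option. Add the values next to the options, as the "Display user information when the session is locked" description does with (1), (2), (3). "No Action" in the list and "No action" in the Default line should use one spelling. Separately, this hunk removes the NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM lines at this position; please confirm that node is re-added elsewhere in the file and not dropped.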
@@ -51424,19 +58034,41 @@ This policy is supported on at least Windows Server 2016.
text/plainphone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Smart card removal behaviorLastWrite
- NetworkSecurity_AllowPKU2UAuthenticationRequests
+ MicrosoftNetworkClient_DigitallySignCommunicationsAlways
- Network security: Allow PKU2U authentication requests to this computer to use online identities.
+ 0
+ Microsoft network client: Digitally sign communications (always)
-This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
- 1
+This security setting determines whether packet signing is required by the SMB client component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+
+Default: Disabled.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
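Review bot: In the description for "Microsoft network client: Digitally sign communications (always)", the sentence "If this policy is disabled, SMB packet signing is negotiated between the client and server" reads as unconditional. The description added later in this patch for "(if server agrees)" says that when that policy is disabled the client never negotiates signing. State the dependency here, rather than leaving it only in the Windows 2000 "Important" paragraph. The same paragraph also switches between "this setting" and "this policy" in adjacent sentences, and the four-policy list runs straight into the performance sentence with no separator.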
@@ -51449,16 +58081,579 @@ This policy will be turned off by default on domain joined machines. This would
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Digitally sign communications (always)LastWrite
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
+
+
+
+
+ 1
+ Microsoft network client: Digitally sign communications (if server agrees)
+
+This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
+
+If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Digitally sign communications (if server agrees)
+ LastWrite
+
+
+
+ MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+
+
+
+ 0
+ Microsoft network client: Send unencrypted password to connect to third-party SMB servers
+
+If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
+
+Sending unencrypted passwords is a security risk.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Send unencrypted password to third-party SMB servers
+ LastWrite
+
+
+
+ MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+
+
+ 15
+ Microsoft network server: Amount of idle time required before suspending a session
+
+This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
+
+Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
+
+For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
+
+Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Amount of idle time required before suspending session
+ LowestValueMostSecure
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsAlways
+
+
+
+
+ 0
+ Microsoft network server: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB server component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
+
+If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+
+Default:
+
+Disabled for member servers.
+Enabled for domain controllers.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:
+Microsoft network server: Digitally sign communications (if server agrees)
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
+HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Digitally sign communications (always)
+ LastWrite
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
+
+
+
+
+ 0
+ Microsoft network server: Digitally sign communications (if client agrees)
+
+This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
+
+If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled on domain controllers only.
+
+Important
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Digitally sign communications (if client agrees)
+ LastWrite
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
+
+
+
+
+ 1
+ Network access: Do not allow anonymous enumeration of SAM accounts
+
+This security setting determines what additional permissions will be granted for anonymous connections to the computer.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
+
+This security option allows additional restrictions to be placed on anonymous connections as follows:
+
+Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
+Disabled: No additional restrictions. Rely on default permissions.
+
+Default on workstations: Enabled.
+Default on server:Enabled.
+
+Important
+
+This policy has no impact on domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Do not allow anonymous enumeration of SAM accounts
+ LastWrite
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
+
+
+
+
+ 0
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+
+This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+ LastWrite
+
+
+
+ NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
+
+
+
+
+ 1
+ Network access: Restrict anonymous access to Named Pipes and Shares
+
+When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
+
+Network access: Named pipes that can be accessed anonymously
+Network access: Shares that can be accessed anonymously
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Restrict anonymous access to Named Pipes and Shares
+ LastWrite
+
+
+
+ NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+
+
+
+
+
+ Network access: Restrict clients allowed to make remote calls to SAM
+
+This policy setting allows you to restrict remote rpc connections to SAM.
+
+If not selected, the default security descriptor will be used.
+
+This policy is supported on at least Windows Server 2016.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Restrict clients allowed to make remote calls to SAM
+ LastWrite
+
+
+
+ NetworkSecurity_AllowPKU2UAuthenticationRequests
+
+
+
+
+ 1
+ Network security: Allow PKU2U authentication requests to this computer to use online identities.
+
+This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Allow PKU2U authentication requests to this computer to use online identities.
+ LastWrite
+
+
+
+ NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
+
+
+
+
+ 1
+ Network security: Do not store LAN Manager hash value on next password change
+
+This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
+
+
+Default on Windows Vista and above: Enabled
+Default on Windows XP: Disabled.
+
+Important
+
+Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Do not store LAN Manager hash value on next password change
+ LastWrite
+
+
+
+ NetworkSecurity_LANManagerAuthenticationLevel
+
+
+
+
+ 0
+ Network security LAN Manager authentication level
+
+This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
+
+Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
+
+Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+
+Important
+
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.
+
+Default:
+
+Windows 2000 and windows XP: send LM and NTLM responses
+
+Windows Server 2003: Send NTLM response only
+
+Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: LAN Manager authentication level
+ HighestValueMostSecure
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
+
+
+
+ 0
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+
+This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
+Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+ HighestValueMostSecure
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+
+
+
+ 0
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+
+This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+ HighestValueMostSecure
+
+ Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
+ 1Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows.
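Review bot: In the description for "Microsoft network server: Digitally sign communications (if client agrees)", the sentence "If this policy is disabled, the SMB client will never negotiate SMB packet signing" names the client, although this is the server-side policy. It looks carried over from the client "(if server agrees)" text and should describe the SMB server. In the same way, the Important paragraph under "Microsoft network server: Digitally sign communications (always)" names the prerequisite as "Microsoft network server: Digitally sign communications (if server agrees)", which is not one of the four policies listed. The server-side policy is "(if client agrees)". That description's note also begins "Similarly, if client-side SMB signing is required" with no preceding sentence for it to follow from. Other points in this hunk: the idle-time description gives the maximum 99999 as "208 days" while the default is stated in minutes, and 99999 minutes is about 69 days. The NTLM SSP servers text says "Require NTLMv2 session security" fails "if message integrity is not negotiated", where the clients text says "if NTLMv2 protocol is not negotiated". Several titles differ from the names added beside the Security Options path: "Send unencrypted password to connect to third-party SMB servers" versus "Send unencrypted password to third-party SMB servers", "suspending a session" versus "suspending session", and "Network security LAN Manager authentication level" without the colon. NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM is the only entry here with no default value shown before its title. If that is intentional, say so in the description.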
@@ -51469,7 +58664,6 @@ When this policy is disabled, the option to shut down the computer does not appe
Default on workstations: Enabled.
Default on servers: Disabled.
- 1
@@ -51482,7 +58676,10 @@ Default on servers: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Shutdown: Allow system to be shut down without having to log onLastWrite
@@ -51492,6 +58689,7 @@ Default on servers: Disabled.
+ 0Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
@@ -51501,7 +58699,6 @@ Virtual memory support uses a system pagefile to swap pages of memory to disk wh
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
Default: Disabled.
- 0
@@ -51514,7 +58711,10 @@ Default: Disabled.
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Shutdown: Clear virtual memory pagefileLastWrite
@@ -51524,6 +58724,7 @@ Default: Disabled.
+ 0User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
@@ -51531,7 +58732,6 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
- 0
@@ -51544,7 +58744,10 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktopLastWrite
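Review bot: The name added here, "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop", has no trailing period. The title given for the same policy in the preceding hunk ends in one ("...without using the secure desktop."). If these strings are matched against each other or against the Group Policy name, align them exactly.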
@@ -51554,6 +58757,7 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
+ 5User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators.
@@ -51571,7 +58775,6 @@ The options are:
• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- 5
@@ -51584,7 +58787,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Behavior of the elevation prompt for administrators in Admin Approval ModeLastWrite
@@ -51594,6 +58800,7 @@ The options are:
+ 3User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
@@ -51604,7 +58811,6 @@ The options are:
• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- 3
@@ -51619,6 +58825,8 @@ The options are:
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Behavior of the elevation prompt for standard usersLastWrite
@@ -51628,6 +58836,7 @@ The options are:
+ 1User Account Control: Detect application installations and prompt for elevation
This policy setting controls the behavior of application installation detection for the computer.
@@ -51637,7 +58846,6 @@ The options are:
Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
- 1
@@ -51650,7 +58858,10 @@ Disabled: Application installation packages are not detected and prompted for el
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Detect application installations and prompt for elevationLastWrite
@@ -51660,6 +58871,7 @@ Disabled: Application installation packages are not detected and prompted for el
+ 0User Account Control: Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
@@ -51669,7 +58881,6 @@ The options are:
• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
- 0
@@ -51682,7 +58893,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Only elevate executables that are signed and validatedLastWrite
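Review bot: The name added here, "User Account Control: Only elevate executables that are signed and validated", does not match the title used for the same policy in the preceding hunk, "User Account Control: Only elevate executable files that are signed and validated". Use one form in both places, so an admin searching for the policy by the name shown under Security Options finds this entry.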
@@ -51692,6 +58906,7 @@ The options are:
+ 1User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
@@ -51707,7 +58922,6 @@ The options are:
• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
- 1
@@ -51720,7 +58934,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Only elevate UIAccess applications that are installed in secure locationsLastWrite
@@ -51730,6 +58947,7 @@ The options are:
+ 1User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
@@ -51739,7 +58957,6 @@ The options are:
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 1
@@ -51752,7 +58969,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Run all administrators in Admin Approval ModeLastWrite
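Review bot: The name added beside the Security Options path is "User Account Control: Run all administrators in Admin Approval Mode", but the title added for the same policy in the preceding hunk is "User Account Control: Turn on Admin Approval Mode". These read as two different policies. Pick one name, or mention the second in the description so the mapping is explicit.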
@@ -51762,6 +58982,7 @@ The options are:
+ 1User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
@@ -51771,7 +58992,6 @@ The options are:
• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
- 1
@@ -51784,7 +59004,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Switch to the secure desktop when prompting for elevationLastWrite
@@ -51794,6 +59017,7 @@ The options are:
+ 0User Account Control: Use Admin Approval Mode for the built-in Administrator account
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
@@ -51803,7 +59027,6 @@ The options are:
• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
- 0
@@ -51816,7 +59039,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Admin Approval Mode for the Built-in Administrator accountLastWrite
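Review bot: the added name "User Account Control: Admin Approval Mode for the Built-in Administrator account" drops the leading "Use" and changes the capitalisation compared with the description title for this node, "User Account Control: Use Admin Approval Mode for the built-in Administrator account". The other UAC nodes in this patch repeat the title verbatim, so please align this one or confirm the mapped display name really differs.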
@@ -51826,6 +59052,7 @@ The options are:
+ 1User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
@@ -51835,7 +59062,6 @@ The options are:
• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
• Disabled: Applications that write data to protected locations fail.
- 1
@@ -51848,7 +59074,10 @@ The options are:
text/plain
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Virtualize file and registry write failures to per-user locationsLastWrite
@@ -51878,8 +59107,8 @@ The options are:
- 0
+
@@ -51892,6 +59121,10 @@ The options are:
text/plain
+
+ LocationProviderAdm.admx
+ LocationProviderAdm~AT~LocationAndSensors~WindowsLocationProvider
+ DisableWindowsLocationProvider_1LastWrite
@@ -51921,8 +59154,8 @@ The options are:
- 1
+
@@ -51937,6 +59170,9 @@ The options are:
phone
+ EdgeUI.admx
+ EdgeUI~AT~WindowsComponents~EdgeUI
+ AllowEdgeSwipeLowestValueMostSecure
@@ -51966,8 +59202,8 @@ The options are:
- 65535
+
@@ -51990,8 +59226,8 @@ The options are:
- 65535
+
@@ -52005,6 +59241,9 @@ The options are:
text/plain
+ WinMaps.admx
+ WinMaps~AT~WindowsComponents~Maps
+ TurnOffAutoUpdateLastWrite
@@ -52034,8 +59273,8 @@ The options are:
- This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.1
+ This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.
@@ -52048,6 +59287,10 @@ The options are:
text/plain
+
+ messaging.admx
+ messaging~AT~WindowsComponents~Messaging_Category
+ AllowMessageSyncLowestValueMostSecure
@@ -52057,8 +59300,8 @@ The options are:
- This policy setting allows you to enable or disable the sending and receiving cellular MMS messages.1
+ This policy setting allows you to enable or disable the sending and receiving cellular MMS messages.
@@ -52071,6 +59314,7 @@ The options are:
text/plain
+ desktopLowestValueMostSecure
@@ -52081,8 +59325,8 @@ The options are:
- This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages.1
+ This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages.
@@ -52095,11 +59339,295 @@ The options are:
text/plain
+ desktopLowestValueMostSecure
+
+ MSSecurityGuide
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0201_LATFP
+ LastWrite
+
+
+
+ ConfigureSMBV1ClientDriver
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0002_SMBv1_ClientDriver
+ LastWrite
+
+
+
+ ConfigureSMBV1Server
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0001_SMBv1_Server
+ LastWrite
+
+
+
+ EnableStructuredExceptionHandlingOverwriteProtection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0102_SEHOP
+ LastWrite
+
+
+
+ WDigestAuthentication
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0202_WDigestAuthn
+ LastWrite
+
+
+
+
+ MSSLegacy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_EnableICMPRedirect
+ LastWrite
+
+
+
+ AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_NoNameReleaseOnDemand
+ LastWrite
+
+
+
+ IPSourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_DisableIPSourceRouting
+ LastWrite
+
+
+
+ IPv6SourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_DisableIPSourceRoutingIPv6
+ LastWrite
+
+
+ NetworkIsolation
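Review bot: the new MSSecurityGuide and MSSLegacy nodes in this hunk (ApplyUACRestrictionsToLocalAccountsOnNetworkLogon, ConfigureSMBV1ClientDriver, ConfigureSMBV1Server, EnableStructuredExceptionHandlingOverwriteProtection, WDigestAuthentication, AllowICMPRedirectsToOverrideOSPFGeneratedRoutes, AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers, IPSourceRoutingProtectionLevel, IPv6SourceRoutingProtectionLevel) carry no description text and no default value in the visible lines, only the format, the phone entry, the ADMX mapping and LastWrite. These are security-sensitive switches, and the UAC nodes earlier in the file document both the meaning and the Enabled/Disabled options. Add a description and the accepted values for each node, or a pointer to where the SecGuide.admx and mss-legacy.admx settings are documented, so someone reading this file alone can tell which state is the hardened one.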
@@ -52125,8 +59653,8 @@ The options are:
-
+
@@ -52139,6 +59667,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_EnterpriseCloudResourcesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_EnterpriseCloudResourcesLastWrite
@@ -52148,8 +59680,8 @@ The options are:
-
+
@@ -52162,6 +59694,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_Intranet_ProxiesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Intranet_ProxiesLastWrite
@@ -52171,8 +59707,8 @@ The options are:
-
+
@@ -52185,6 +59721,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_PrivateSubnetBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_PrivateSubnetLastWrite
@@ -52194,8 +59734,8 @@ The options are:
- 0
+
@@ -52208,6 +59748,10 @@ The options are:
text/plain
+
+ NetworkIsolation.admx
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Authoritative_SubnetLastWrite
@@ -52217,8 +59761,8 @@ The options are:
-
+
@@ -52240,8 +59784,8 @@ The options are:
-
+
@@ -52254,6 +59798,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_Domain_ProxiesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Domain_ProxiesLastWrite
@@ -52263,8 +59811,8 @@ The options are:
- 0
+
@@ -52277,6 +59825,10 @@ The options are:
text/plain
+
+ NetworkIsolation.admx
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Authoritative_ProxiesLastWrite
@@ -52286,8 +59838,8 @@ The options are:
-
+
@@ -52300,10 +59852,61 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_NeutralResourcesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_NeutralResourcesLastWrite
+
+ Notifications
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DisallowCloudNotification
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ WPN.admx
+ WPN~AT~StartMenu~NotificationsCategory
+ NoCloudNotification
+ LowestValueMostSecure
+
+
+ Power
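Review bot: DisallowCloudNotification is added with a default of 0 and LowestValueMostSecure, which reads backwards for a setting named "Disallow...": if the higher value is the one that blocks cloud notifications, a conflict between policy sources will resolve toward the less restrictive state. Confirm the value mapping and the conflict-resolution choice. The node also has no description, so the meaning of 0 cannot be checked from this file.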
@@ -52323,14 +59926,41 @@ The options are:
+
+ AllowStandbyStatesWhenSleepingOnBattery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ power.admx
+ Power~AT~System~PowerManagementCat~PowerSleepSettingsCat
+ AllowStandbyStatesDC_2
+ LastWrite
+
+ AllowStandbyWhenSleepingPluggedIn
-
+
@@ -52356,8 +59986,8 @@ The options are:
-
+
@@ -52383,8 +60013,8 @@ The options are:
-
+
@@ -52410,8 +60040,8 @@ The options are:
-
+
@@ -52437,8 +60067,8 @@ The options are:
-
+
@@ -52464,8 +60094,8 @@ The options are:
-
+
@@ -52491,8 +60121,8 @@ The options are:
-
+
@@ -52518,8 +60148,8 @@ The options are:
-
+
@@ -52545,8 +60175,8 @@ The options are:
-
+
@@ -52592,8 +60222,8 @@ The options are:
-
+
@@ -52619,8 +60249,8 @@ The options are:
-
+
@@ -52666,8 +60296,8 @@ The options are:
- 0
+
@@ -52690,8 +60320,8 @@ The options are:
- 1
+
@@ -52706,6 +60336,9 @@ The options are:
10.0.10240
+ Globalization.admx
+ Globalization~AT~ControlPanel~RegionalOptions
+ AllowInputPersonalizationLowestValueMostSecure
@@ -52715,8 +60348,8 @@ The options are:
- 65535
+
@@ -52730,6 +60363,9 @@ The options are:
text/plain
+ UserProfiles.admx
+ UserProfiles~AT~System~UserProfiles
+ DisableAdvertisingIdLowestValueMostSecureZeroHasNoLimits
@@ -52739,8 +60375,8 @@ The options are:
- Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user.1
+ Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user.
@@ -52754,6 +60390,9 @@ The options are:
text/plain
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ EnableActivityFeedHighestValueMostSecure
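Review bot: HighestValueMostSecure on EnableActivityFeed looks inverted. The description for this node says the policy enables ActivityFeed, which mirrors activity types across the user's device graph, so if the higher value is the enabled state, conflicting policy sources resolve toward more data being shared. Confirm the value mapping and use LowestValueMostSecure if 0 is the disabled state.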
@@ -52763,8 +60402,8 @@ The options are:
- This policy setting specifies whether Windows apps can access account information.0
+ This policy setting specifies whether Windows apps can access account information.
@@ -52777,6 +60416,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfoHighestValueMostSecure
@@ -52786,8 +60430,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52800,6 +60444,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfoLastWrite;
@@ -52810,8 +60458,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52824,6 +60472,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfoLastWrite;
@@ -52834,8 +60486,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52848,6 +60500,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfoLastWrite;
@@ -52858,8 +60514,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the calendar.0
+ This policy setting specifies whether Windows apps can access the calendar.
@@ -52872,6 +60528,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCalendar_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendarHighestValueMostSecure
@@ -52881,8 +60542,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52895,6 +60556,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendarLastWrite;
@@ -52905,8 +60570,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52919,6 +60584,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendarLastWrite;
@@ -52929,8 +60598,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52943,6 +60612,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendarLastWrite;
@@ -52953,8 +60626,8 @@ The options are:
- This policy setting specifies whether Windows apps can access call history.0
+ This policy setting specifies whether Windows apps can access call history.
@@ -52967,6 +60640,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistoryHighestValueMostSecure
@@ -52976,8 +60654,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -52990,6 +60668,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistoryLastWrite;
@@ -53000,8 +60682,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -53014,6 +60696,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistoryLastWrite;
@@ -53024,8 +60710,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -53038,6 +60724,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistoryLastWrite;
@@ -53048,8 +60738,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the camera.0
+ This policy setting specifies whether Windows apps can access the camera.
@@ -53062,6 +60752,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCamera_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCameraHighestValueMostSecure
@@ -53071,8 +60766,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53085,6 +60780,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCameraLastWrite;
@@ -53095,8 +60794,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53109,6 +60808,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCameraLastWrite;
@@ -53119,8 +60822,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53133,6 +60836,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCameraLastWrite;
@@ -53143,8 +60850,8 @@ The options are:
- This policy setting specifies whether Windows apps can access contacts.0
+ This policy setting specifies whether Windows apps can access contacts.
@@ -53157,6 +60864,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessContacts_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContactsHighestValueMostSecure
@@ -53166,8 +60878,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53180,6 +60892,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContactsLastWrite;
@@ -53190,8 +60906,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53204,6 +60920,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContactsLastWrite;
@@ -53214,8 +60934,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53228,6 +60948,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContactsLastWrite;
@@ -53238,8 +60962,8 @@ The options are:
- This policy setting specifies whether Windows apps can access email.0
+ This policy setting specifies whether Windows apps can access email.
@@ -53252,6 +60976,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmailHighestValueMostSecure
@@ -53261,8 +60990,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -53275,6 +61004,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessEmail_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmailLastWrite;
@@ -53285,8 +61018,88 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmail
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessEmail_UserInControlOfTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmail
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessGazeInput
+
+
+
+
+ 0
+ This policy setting specifies whether Windows apps can access the eye tracker.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ LetAppsAccessGazeInput_ForceAllowTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
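Review bot: the new LetAppsAccessGazeInput descriptions say "Windows Store Apps", while this same hunk changes the LetAppsAccessEmail text from "Windows Store Apps" to "Microsoft Store Apps". Use the new product name in the added eye tracker descriptions too, here and in the following hunk. Separately, the LetAppsAccessGazeInput node ends with only text/plain and HighestValueMostSecure, with none of the AppPrivacy.admx mapping lines that the LetAppsAccessEmail nodes just above it receive. If no group policy backs this setting, that is worth a comment in the commit message.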
@@ -53304,13 +61117,37 @@ The options are:
- LetAppsAccessEmail_UserInControlOfTheseApps
+ LetAppsAccessGazeInput_ForceDenyTheseApps
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessGazeInput_UserInControlOfTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
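Review bot: LetAppsAccessGazeInput_ForceDenyTheseApps is given LastWrite and the ";" delimiter but no AppPrivacy.admx mapping, unlike every other _ForceDenyTheseApps node touched by this patch (for example LetAppsAccessEmail_ForceDenyTheseApps_List in the previous hunk). Please confirm the omission is intentional rather than a node that was missed when the ADMX information was generated.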
@@ -53333,8 +61170,8 @@ The options are:
- This policy setting specifies whether Windows apps can access location.0
+ This policy setting specifies whether Windows apps can access location.
@@ -53347,6 +61184,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessLocation_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocationHighestValueMostSecure
@@ -53356,8 +61198,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53370,6 +61212,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocationLastWrite;
@@ -53380,8 +61226,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53394,6 +61240,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocationLastWrite;
@@ -53404,8 +61254,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53418,6 +61268,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocationLastWrite;
@@ -53428,8 +61282,8 @@ The options are:
- This policy setting specifies whether Windows apps can read or send messages (text or MMS).0
+ This policy setting specifies whether Windows apps can read or send messages (text or MMS).
@@ -53442,6 +61296,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMessaging_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessagingHighestValueMostSecure
@@ -53451,8 +61310,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53465,6 +61324,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessagingLastWrite;
@@ -53475,8 +61338,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53489,6 +61352,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessagingLastWrite;
@@ -53499,8 +61366,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53513,6 +61380,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessagingLastWrite;
@@ -53523,8 +61394,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the microphone.0
+ This policy setting specifies whether Windows apps can access the microphone.
@@ -53537,6 +61408,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophoneHighestValueMostSecure
@@ -53546,8 +61422,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53560,6 +61436,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophoneLastWrite;
@@ -53570,8 +61450,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53584,6 +61464,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophoneLastWrite;
@@ -53594,8 +61478,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53608,6 +61492,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophoneLastWrite;
@@ -53618,8 +61506,8 @@ The options are:
- This policy setting specifies whether Windows apps can access motion data.0
+ This policy setting specifies whether Windows apps can access motion data.
@@ -53632,6 +61520,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMotion_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotionHighestValueMostSecure
@@ -53641,8 +61534,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53655,6 +61548,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotionLastWrite;
@@ -53665,8 +61562,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53679,6 +61576,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotionLastWrite;
@@ -53689,8 +61590,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53703,6 +61604,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotionLastWrite;
@@ -53713,8 +61618,8 @@ The options are:
- This policy setting specifies whether Windows apps can access notifications.0
+ This policy setting specifies whether Windows apps can access notifications.
@@ -53727,6 +61632,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessNotifications_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotificationsHighestValueMostSecure
@@ -53736,8 +61646,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53750,6 +61660,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotificationsLastWrite;
@@ -53760,8 +61674,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53774,6 +61688,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotificationsLastWrite;
@@ -53784,8 +61702,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53798,6 +61716,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotificationsLastWrite;
@@ -53808,8 +61730,8 @@ The options are:
- This policy setting specifies whether Windows apps can make phone calls0
+ This policy setting specifies whether Windows apps can make phone calls
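Review bot: The rewritten LetAppsAccessPhone description still ends without a full stop ("... can make phone calls"), while the sibling descriptions touched by this patch end with one, for example "can access the microphone." Add the period here, since the line is already being changed to drop the trailing 0.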
@@ -53822,6 +61744,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessPhone_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhoneHighestValueMostSecure
@@ -53831,8 +61758,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53845,6 +61772,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhoneLastWrite;
@@ -53855,8 +61786,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53869,6 +61800,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhoneLastWrite;
@@ -53879,8 +61814,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53893,6 +61828,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhoneLastWrite;
@@ -53903,8 +61842,8 @@ The options are:
- This policy setting specifies whether Windows apps have access to control radios.0
+ This policy setting specifies whether Windows apps have access to control radios.
@@ -53917,6 +61856,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessRadios_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadiosHighestValueMostSecure
@@ -53926,8 +61870,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53940,6 +61884,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadiosLastWrite;
@@ -53950,8 +61898,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53964,6 +61912,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadiosLastWrite;
@@ -53974,8 +61926,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53988,6 +61940,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadiosLastWrite;
@@ -53998,8 +61954,8 @@ The options are:
- This policy setting specifies whether Windows apps can access tasks.0
+ This policy setting specifies whether Windows apps can access tasks.
@@ -54012,6 +61968,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessTasks_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasksHighestValueMostSecure
@@ -54021,8 +61982,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54035,6 +61996,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasksLastWrite;
@@ -54045,8 +62010,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54059,6 +62024,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasksLastWrite;
@@ -54069,8 +62038,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54083,6 +62052,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasksLastWrite;
@@ -54093,8 +62066,8 @@ The options are:
- This policy setting specifies whether Windows apps can access trusted devices.0
+ This policy setting specifies whether Windows apps can access trusted devices.
@@ -54107,6 +62080,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevicesHighestValueMostSecure
@@ -54116,8 +62094,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54130,6 +62108,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevicesLastWrite;
@@ -54140,8 +62122,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54154,6 +62136,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevicesLastWrite;
@@ -54164,8 +62150,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54178,6 +62164,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevicesLastWrite;
@@ -54188,8 +62178,8 @@ The options are:
- This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names.0
+ This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names.
@@ -54202,6 +62192,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfoHighestValueMostSecure
@@ -54211,8 +62206,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
@@ -54225,6 +62220,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfoLastWrite;
@@ -54235,8 +62234,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
@@ -54249,6 +62248,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfoLastWrite;
@@ -54259,8 +62262,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
@@ -54273,6 +62276,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfoLastWrite;
@@ -54283,8 +62290,8 @@ The options are:
- This policy setting specifies whether Windows apps can run in the background.0
+ This policy setting specifies whether Windows apps can run in the background.
@@ -54297,6 +62304,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsRunInBackground_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackgroundHighestValueMostSecure
@@ -54306,8 +62318,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54320,6 +62332,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackgroundLastWrite;
@@ -54330,8 +62346,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54344,6 +62360,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackgroundLastWrite;
@@ -54354,8 +62374,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54368,6 +62388,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackgroundLastWrite;
@@ -54378,8 +62402,8 @@ The options are:
- This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.0
+ This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.
@@ -54392,6 +62416,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevicesHighestValueMostSecure
@@ -54401,8 +62430,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54415,6 +62444,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevicesLastWrite;
@@ -54425,8 +62458,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54439,6 +62472,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevicesLastWrite;
@@ -54449,8 +62486,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54463,6 +62500,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevicesLastWrite;
@@ -54473,8 +62514,8 @@ The options are:
- Allows apps/system to publish 'User Activities' into ActivityFeed.1
+ Allows apps/system to publish 'User Activities' into ActivityFeed.
@@ -54488,6 +62529,36 @@ The options are:
text/plain
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ PublishUserActivities
+ HighestValueMostSecure
+
+
+
+ UploadUserActivities
+
+
+
+
+ 1
+ Allows ActivityFeed to upload published 'User Activities'.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ UploadUserActivitiesHighestValueMostSecure
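Review bot: UploadUserActivities is added with default 1 and the description "Allows ActivityFeed to upload published 'User Activities'", yet it is tagged HighestValueMostSecure, as is PublishUserActivities above it. If 1 means upload is allowed, conflict resolution would favour the allowing value, whereas the other Allow-style nodes added in this patch (AllowCloudSearch, AllowCortanaInAAD) use LowestValueMostSecure. Please confirm the value semantics and either switch the tag or list the supported values in the description so the choice can be verified.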
@@ -54517,8 +62588,8 @@ The options are:
-
+
@@ -54544,8 +62615,8 @@ The options are:
-
+
@@ -54571,8 +62642,8 @@ The options are:
-
+
@@ -54598,8 +62669,8 @@ The options are:
-
+
@@ -54645,8 +62716,8 @@ The options are:
-
+
@@ -54672,8 +62743,8 @@ The options are:
-
+
@@ -54699,8 +62770,8 @@ The options are:
-
+
@@ -54726,8 +62797,8 @@ The options are:
-
+
@@ -54753,8 +62824,8 @@ The options are:
-
+
@@ -54780,8 +62851,8 @@ The options are:
-
+
@@ -54827,8 +62898,8 @@ The options are:
-
+
@@ -54854,8 +62925,8 @@ The options are:
-
+
@@ -54881,8 +62952,8 @@ The options are:
-
+
@@ -54908,8 +62979,8 @@ The options are:
-
+
@@ -54935,8 +63006,8 @@ The options are:
-
+
@@ -54962,8 +63033,8 @@ The options are:
-
+
@@ -54989,8 +63060,8 @@ The options are:
-
+
@@ -55016,8 +63087,8 @@ The options are:
-
+
@@ -55043,8 +63114,8 @@ The options are:
-
+
@@ -55070,8 +63141,8 @@ The options are:
-
+
@@ -55097,8 +63168,8 @@ The options are:
-
+
@@ -55124,8 +63195,8 @@ The options are:
-
+
@@ -55151,8 +63222,8 @@ The options are:
-
+
@@ -55178,8 +63249,8 @@ The options are:
-
+
@@ -55205,8 +63276,8 @@ The options are:
-
+
@@ -55252,8 +63323,8 @@ The options are:
-
+
@@ -55279,8 +63350,8 @@ The options are:
-
+
@@ -55326,8 +63397,8 @@ The options are:
-
+
@@ -55353,8 +63424,8 @@ The options are:
-
+
@@ -55380,8 +63451,8 @@ The options are:
-
+
@@ -55407,8 +63478,8 @@ The options are:
-
+
@@ -55434,8 +63505,8 @@ The options are:
-
+
@@ -55461,8 +63532,8 @@ The options are:
-
+
@@ -55488,8 +63559,8 @@ The options are:
-
+
@@ -55510,6 +63581,51 @@ The options are:
+
+ RestrictedGroups
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureGroupMembership
+
+
+
+
+
+ This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+ Search
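Review bot: The ConfigureGroupMembership description states the removal behaviour three times but never describes the format of the text/plain value that carries the group and its Members list. Given the Caution that any current member not on the list is removed, including "default members, such as administrators", and that "An empty Members list means that the restricted group has no members", the expected value format needs to be documented precisely. Suggest trimming the duplicated sentences, moving the Caution to the start of the description, and adding the value format.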
@@ -55535,8 +63651,8 @@ The options are:
- 2
+
@@ -55549,6 +63665,39 @@ The options are:
text/plain
+
+ Search.admx
+ AllowCloudSearch_Dropdown
+ Search~AT~WindowsComponents~Search
+ AllowCloudSearch
+ LowestValueMostSecure
+
+
+
+ AllowCortanaInAAD
+
+
+
+
+ 0
+ This features allows you to show the cortana opt-in page during Windows Setup
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortanaInAADLowestValueMostSecure
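Review bot: The AllowCortanaInAAD description, "This features allows you to show the cortana opt-in page during Windows Setup", has a grammar error ("features allows"), an uncapitalised product name, no full stop, and no mention of the AAD scope that the node name implies. Suggest rewording it and stating what the default 0 and the other value do, which would also make the LowestValueMostSecure tag checkable.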
@@ -55558,8 +63707,8 @@ The options are:
- 0
+
@@ -55573,6 +63722,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowIndexingEncryptedStoresOrItemsLowestValueMostSecure
@@ -55582,8 +63734,8 @@ The options are:
- 1
+
@@ -55597,6 +63749,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowSearchToUseLocationLowestValueMostSecure
@@ -55606,8 +63761,8 @@ The options are:
- 1
+
@@ -55630,8 +63785,8 @@ The options are:
- 0
+
@@ -55644,6 +63799,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowUsingDiacriticsHighestValueMostSecure
@@ -55653,8 +63812,8 @@ The options are:
- 3
+
@@ -55667,6 +63826,7 @@ The options are:
text/plain
+ LowestValueMostSecure
@@ -55676,8 +63836,8 @@ The options are:
- 0
+
@@ -55690,6 +63850,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AlwaysUseAutoLangDetectionHighestValueMostSecure
@@ -55699,8 +63863,8 @@ The options are:
- 0
+
@@ -55713,6 +63877,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DisableBackoffHighestValueMostSecure
@@ -55722,8 +63890,8 @@ The options are:
- 0
+
@@ -55736,17 +63904,48 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DisableRemovableDriveIndexingHighestValueMostSecure
+
+ DoNotUseWebResults
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DoNotUseWebResults
+ LowestValueMostSecure
+
+ PreventIndexingLowDiskSpaceMB
- 1
+
@@ -55759,6 +63958,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ StopIndexingOnLimitedHardDriveSpaceHighestValueMostSecure
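Review bot: DoNotUseWebResults is added with default 1 and, as far as this hunk shows, an empty description, which leaves a negatively named setting ambiguous: it is unclear whether 1 suppresses web results or permits them. With LowestValueMostSecure on the node, that reading decides how conflicting values are resolved. Add a description that spells out the effect of each value.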
@@ -55768,8 +63971,8 @@ The options are:
- 1
+
@@ -55782,6 +63985,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ PreventRemoteQueriesHighestValueMostSecure
@@ -55791,8 +63998,8 @@ The options are:
- 1
+
@@ -55805,6 +64012,7 @@ The options are:
text/plain
+ desktopHighestValueMostSecure
@@ -55835,8 +64043,8 @@ The options are:
- 1
+
@@ -55859,8 +64067,8 @@ The options are:
- 1
+
@@ -55884,8 +64092,8 @@ The options are:
- 1
+
@@ -55908,8 +64116,8 @@ The options are:
- 1
+
@@ -55933,8 +64141,8 @@ The options are:
- 0
+
@@ -55949,17 +64157,20 @@ The options are:
phone
+ TPM.admx
+ TPM~AT~System~TPMCategory
+ ClearTPMIfNotReady_NameHighestValueMostSecure
- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+ ConfigureWindowsPasswords
-
- 0
+ 2
+ Configures the use of passwords for Windows features
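Review bot: ConfigureWindowsPasswords is introduced with default 2, but its description, "Configures the use of passwords for Windows features", does not say what 2 or any other value selects. List each supported value and its effect in the description. Also note the diff alignment: the node name is shown replacing PreventAutomaticDeviceEncryptionForAzureADJoinedDevices, which is re-added in the next hunk, so it is worth confirming that the encryption node's contents are unchanged by the move.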
@@ -55972,6 +64183,32 @@ The options are:
text/plain
+
+ phone
+ LastWrite
+
+
+
+ PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
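Review bot: PreventAutomaticDeviceEncryptionForAzureADJoinedDevices is re-added here with default 0 and no description text. For a node whose name says it prevents automatic device encryption, the description should state what each value does and which one leaves encryption enabled, so that the default and the LastWrite conflict behaviour can be reviewed.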
@@ -55981,8 +64218,8 @@ The options are:
- 0
+
@@ -55995,6 +64232,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -56004,8 +64242,8 @@ The options are:
- 0
+
@@ -56018,6 +64256,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -56027,8 +64266,8 @@ The options are:
- 0
+
@@ -56041,6 +64280,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -56070,8 +64310,8 @@ The options are:
- 1
+
@@ -56095,8 +64335,8 @@ The options are:
- 1
+
@@ -56119,8 +64359,8 @@ The options are:
- 1
+
@@ -56143,8 +64383,8 @@ The options are:
- 1
+
@@ -56167,8 +64407,8 @@ The options are:
- 1
+
@@ -56192,8 +64432,8 @@ The options are:
- 1
+
@@ -56207,6 +64447,10 @@ The options are:
text/plain
+ ControlPanel.admx
+ CheckBox_AllowOnlineTips
+ ControlPanel~AT~ControlPanel
+ AllowOnlineTipsLowestValueMostSecure
@@ -56216,8 +64460,8 @@ The options are:
- 1
+
@@ -56241,8 +64485,8 @@ The options are:
- 1
+
@@ -56266,8 +64510,8 @@ The options are:
- 1
+
@@ -56291,8 +64535,8 @@ The options are:
- 1
+
@@ -56315,8 +64559,8 @@ The options are:
- 1
+
@@ -56340,8 +64584,8 @@ The options are:
- 1
+
@@ -56364,8 +64608,8 @@ The options are:
-
+
@@ -56378,6 +64622,10 @@ The options are:
text/plain
+ ControlPanel.admx
+ SettingsPageVisibilityBox
+ ControlPanel~AT~ControlPanel
+ SettingsPageVisibilityLastWrite
@@ -56407,8 +64655,8 @@ The options are:
- 0
+
@@ -56423,6 +64671,9 @@ The options are:
phone
+ SmartScreen.admx
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ConfigureAppInstallControlHighestValueMostSecure
@@ -56432,8 +64683,8 @@ The options are:
- 1
+
@@ -56448,6 +64699,9 @@ The options are:
phone
+ SmartScreen.admx
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ShellConfigureSmartScreenHighestValueMostSecure
@@ -56457,8 +64711,8 @@ The options are:
- 0
+
@@ -56473,6 +64727,10 @@ The options are:
phone
+ SmartScreen.admx
+ ShellConfigureSmartScreen_Dropdown
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ShellConfigureSmartScreenHighestValueMostSecure
@@ -56502,8 +64760,8 @@ The options are:
- 1
+
@@ -56517,6 +64775,9 @@ The options are:
text/plain
+ Speech.admx
+ Speech~AT~WindowsComponents~Speech
+ AllowSpeechModelUpdateLowestValueMostSecure
@@ -56546,8 +64807,8 @@ The options are:
- This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56571,8 +64832,8 @@ The options are:
- This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56596,8 +64857,8 @@ The options are:
- This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56621,8 +64882,8 @@ The options are:
- This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56646,8 +64907,8 @@ The options are:
- This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56671,8 +64932,8 @@ The options are:
- This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56696,8 +64957,8 @@ The options are:
- This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56721,8 +64982,8 @@ The options are:
- This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56746,8 +65007,8 @@ The options are:
- This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56771,8 +65032,8 @@ The options are:
- This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.65535
+ This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56791,13 +65052,13 @@ The options are:
- ForceStartSize
+ DisableContextMenus
- 0
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
@@ -56810,6 +65071,35 @@ The options are:
text/plain
+
+ phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ DisableContextMenusInStart
+ LowestValueMostSecure
+
+
+
+ ForceStartSize
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phoneLastWrite
@@ -56820,8 +65110,8 @@ The options are:
- Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app.0
+ Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app.
@@ -56834,6 +65124,7 @@ The options are:
text/plain
+ phoneLastWrite
@@ -56844,8 +65135,8 @@ The options are:
- Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu.0
+ Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu.
@@ -56868,8 +65159,8 @@ The options are:
- Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app.0
+ Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app.
@@ -56893,8 +65184,8 @@ The options are:
- Enabling this policy hides "Hibernate" from appearing in the power button in the start menu.0
+ Enabling this policy hides "Hibernate" from appearing in the power button in the start menu.
@@ -56917,8 +65208,8 @@ The options are:
- Enabling this policy hides "Lock" from appearing in the user tile in the start menu.0
+ Enabling this policy hides "Lock" from appearing in the user tile in the start menu.
@@ -56941,8 +65232,8 @@ The options are:
- Enabling this policy hides the power button from appearing in the start menu.0
+ Enabling this policy hides the power button from appearing in the start menu.
@@ -56965,8 +65256,8 @@ The options are:
- Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app.0
+ Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app.
@@ -56990,8 +65281,8 @@ The options are:
- Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app.0
+ Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app.
@@ -57006,6 +65297,9 @@ The options are:
phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ HideRecentlyAddedAppsLowestValueMostSecure
@@ -57015,8 +65309,8 @@ The options are:
- Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu.0
+ Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu.
@@ -57039,8 +65333,8 @@ The options are:
- Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu.0
+ Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu.
@@ -57063,8 +65357,8 @@ The options are:
- Enabling this policy hides "Sign out" from appearing in the user tile in the start menu.0
+ Enabling this policy hides "Sign out" from appearing in the user tile in the start menu.
@@ -57087,8 +65381,8 @@ The options are:
- Enabling this policy hides "Sleep" from appearing in the power button in the start menu.0
+ Enabling this policy hides "Sleep" from appearing in the power button in the start menu.
@@ -57111,8 +65405,8 @@ The options are:
- Enabling this policy hides "Switch account" from appearing in the user tile in the start menu.0
+ Enabling this policy hides "Switch account" from appearing in the user tile in the start menu.
@@ -57135,8 +65429,8 @@ The options are:
- Enabling this policy hides the user tile from appearing in the start menu.0
+ Enabling this policy hides the user tile from appearing in the start menu.
@@ -57159,8 +65453,8 @@ The options are:
- This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified.
+ This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified.
@@ -57183,8 +65477,8 @@ The options are:
- This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.0
+ This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.
@@ -57208,8 +65502,8 @@ The options are:
-
+
@@ -57223,6 +65517,9 @@ The options are:
text/plainphone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ LockedStartLayoutLastWrite
@@ -57252,8 +65549,8 @@ The options are:
- 1
+
@@ -57266,7 +65563,11 @@ The options are:
text/plain
+ phone
+ StorageHealth.admx
+ StorageHealth~AT~System~StorageHealth
+ SH_AllowDiskHealthModelUpdatesLastWrite
@@ -57276,8 +65577,8 @@ The options are:
-
+
@@ -57323,8 +65624,8 @@ The options are:
- 2
+
@@ -57337,6 +65638,10 @@ The options are:
text/plain
+
+ AllowBuildPreview.admx
+ AllowBuildPreview~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowBuildPreviewLowestValueMostSecure
@@ -57346,8 +65651,8 @@ The options are:
- 0
+
@@ -57370,8 +65675,8 @@ The options are:
- 1
+
@@ -57384,6 +65689,7 @@ The options are:
text/plain
+ LowestValueMostSecure
@@ -57393,8 +65699,8 @@ The options are:
- 1
+
@@ -57408,6 +65714,9 @@ The options are:
text/plain
+ GroupPolicy.admx
+ GroupPolicy~AT~Network~NetworkFonts
+ EnableFontProvidersLowestValueMostSecure
@@ -57417,8 +65726,8 @@ The options are:
- 1
+
@@ -57431,6 +65740,10 @@ The options are:
text/plain
+
+ Sensors.admx
+ Sensors~AT~LocationAndSensors
+ DisableLocation_2LowestValueMostSecure
@@ -57440,8 +65753,8 @@ The options are:
- 1
+
@@ -57464,8 +65777,8 @@ The options are:
- 3
+
@@ -57478,6 +65791,11 @@ The options are:
text/plain
+
+ DataCollection.admx
+ AllowTelemetry
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowTelemetryLowestValueMostSecure
@@ -57487,8 +65805,8 @@ The options are:
- 1
+
@@ -57511,8 +65829,8 @@ The options are:
-
+
@@ -57533,36 +65851,13 @@ The options are:
- DisableEnterpriseAuthProxy
+ ConfigureTelemetryOptInChangeNotification
- This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
- LastWrite
-
-
-
- DisableOneDriveFileSync
-
-
-
-
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.0
+
@@ -57576,6 +65871,93 @@ The options are:
text/plain
+ DataCollection.admx
+ ConfigureTelemetryOptInChangeNotification
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ ConfigureTelemetryOptInChangeNotification
+ HighestValueMostSecure
+
+
+
+ ConfigureTelemetryOptInSettingsUx
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ ConfigureTelemetryOptInSettingsUx
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ ConfigureTelemetryOptInSettingsUx
+ HighestValueMostSecure
+
+
+
+ DisableEnterpriseAuthProxy
+
+
+
+
+ 0
+ This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ DisableEnterpriseAuthProxy
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ DisableEnterpriseAuthProxy
+ LastWrite
+
+
+
+ DisableOneDriveFileSync
+
+
+
+
+ 0
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ SkyDrive.admx
+ SkyDrive~AT~WindowsComponents~OneDrive
+ PreventOnedriveFileSyncHighestValueMostSecure
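Review bot: ConfigureTelemetryOptInSettingsUx is added here with a value of 0 and HighestValueMostSecure but no description text, unlike DisableEnterpriseAuthProxy and DisableOneDriveFileSync in the same hunk, which both carry a full description. Since this entry governs a telemetry opt-in surface, please add a description stating what 0 and 1 do; the same applies to ConfigureTelemetryOptInChangeNotification, whose metadata at the top of this hunk also has no description.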
@@ -57585,8 +65967,8 @@ The options are:
-
+
@@ -57612,31 +65994,8 @@ The options are:
+ 0Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
- LastWrite
-
-
-
- LimitEnhancedDiagnosticDataWindowsAnalytics
-
-
-
-
- This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced) When you configure these policy settings, a Basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: https://go.microsoft.com/fwlink/?linkid=847594. Enabling Enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional Enhanced level telemetry data. This setting has no effect on computers configured to send Full, Basic or Security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy.
- 0
@@ -57650,6 +66009,34 @@ The options are:
text/plain
+ LastWrite
+
+
+
+ LimitEnhancedDiagnosticDataWindowsAnalytics
+
+
+
+
+ 0
+ This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ LimitEnhancedDiagnosticDataWindowsAnalytics
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ LimitEnhancedDiagnosticDataWindowsAnalyticsLowestValueMostSecure
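Review bot: the rewritten LimitEnhancedDiagnosticDataWindowsAnalytics description changes the documentation link from "https://go.microsoft.com/fwlink/?linkid=847594" (the removed text) to "https://go.Microsoft.com/fwlink/?linked=847594". The query parameter went from "linkid" to "linked", which looks like an autocorrect slip and will not resolve to the same target; please restore "linkid" and the lowercase host. The same sentence run also has a missing space in "(Enhanced).If".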
@@ -57659,8 +66046,8 @@ The options are:
-
+
@@ -57673,6 +66060,237 @@ The options are:
text/plain
+ DataCollection.admx
+ TelemetryProxyName
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ TelemetryProxy
+ LastWrite
+
+
+
+
+ SystemServices
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureHomeGroupListenerServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ HomeGroup Listener
+ LastWrite
+
+
+
+ ConfigureHomeGroupProviderServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ HomeGroup Provider
+ LastWrite
+
+
+
+ ConfigureXboxAccessoryManagementServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Accessory Management Service
+ LastWrite
+
+
+
+ ConfigureXboxLiveAuthManagerServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Auth Manager
+ LastWrite
+
+
+
+ ConfigureXboxLiveGameSaveServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Game Save
+ LastWrite
+
+
+
+ ConfigureXboxLiveNetworkingServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Networking Service
+ LastWrite
+
+
+
+
+ TaskScheduler
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableXboxGameSaveTask
+
+
+
+
+ 0
+ This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phoneLastWrite
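Review bot: the six new SystemServices descriptions all read "Automaic(2), Manual(3), Disabled(4). Default: Manual.", so "Automatic" is misspelled six times, and the value listed directly above each description is 0, which is not one of the documented start types and does not match the stated default of Manual (3). EnableXboxGameSaveTask has the same mismatch: the value shown is 0 while the text says "enabled (1) or disabled (0). Default: Enabled." Please either correct the values or the descriptions so the documented default and the shipped default agree.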
@@ -57696,14 +66314,38 @@ The options are:
+
+ AllowHardwareKeyboardTextSuggestions
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LowestValueMostSecure
+
+ AllowIMELogging
- 1
+
@@ -57727,8 +66369,8 @@ The options are:
- 1
+
@@ -57752,8 +66394,8 @@ The options are:
- 1
+
@@ -57777,8 +66419,8 @@ The options are:
- 1
+
@@ -57791,6 +66433,7 @@ The options are:
text/plain
+ phoneHighestValueMostSecure
@@ -57801,8 +66444,8 @@ The options are:
- 1
+
@@ -57826,8 +66469,8 @@ The options are:
- 1
+
@@ -57851,8 +66494,8 @@ The options are:
- 1
+
@@ -57876,8 +66519,8 @@ The options are:
- 1
+
@@ -57900,8 +66543,8 @@ The options are:
- 1
+
@@ -57916,6 +66559,60 @@ The options are:
phone
+ TextInput.admx
+ TextInput~AT~WindowsComponents~TextInput
+ AllowLanguageFeaturesUninstall
+ LowestValueMostSecure
+
+
+
+ AllowLinguisticDataCollection
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ TextInput.admx
+ TextInput~AT~WindowsComponents~TextInput
+ AllowLinguisticDataCollection
+ LowestValueMostSecure
+
+
+
+ EnableTouchKeyboardAutoInvokeInDesktopMode
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LowestValueMostSecure
@@ -57925,8 +66622,8 @@ The options are:
- 0
+
@@ -57939,6 +66636,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -57948,8 +66646,8 @@ The options are:
- 0
+
@@ -57962,6 +66660,7 @@ The options are:
text/plain
+ phoneHighestValueMostSecure
@@ -57972,8 +66671,8 @@ The options are:
- 0
+
@@ -57986,10 +66685,203 @@ The options are:
text/plain
+ phoneHighestValueMostSecure
+
+ ForceTouchKeyboardDockedState
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardDictationButtonAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardEmojiButtonAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardFullModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardHandwritingModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardNarrowModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardSplitModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardWideModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+ TimeLanguageSettings
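Review bot: ForceTouchKeyboardDockedState and the seven TouchKeyboard*Availability entries added in this hunk each show only a value of 0, text/plain and HighestValueMostSecure, with no description and no ADMX mapping lines like the ones added for TextInput.admx entries elsewhere in this change. Please add a description per policy that states what each value does, since "Availability" alone does not tell a reader whether a higher value shows or hides the feature, and that matters for how HighestValueMostSecure resolves conflicts.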
@@ -58016,8 +66908,8 @@ The options are:
- 0
+
@@ -58061,8 +66953,8 @@ The options are:
- 17
+
@@ -58075,6 +66967,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursEndTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHoursLastWrite
@@ -58084,8 +66981,8 @@ The options are:
- 18
+
@@ -58098,6 +66995,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursMaxRange
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHoursMaxRangeLastWrite
@@ -58107,8 +67009,8 @@ The options are:
- 8
+
@@ -58121,6 +67023,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursStartTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHoursLastWrite
@@ -58130,8 +67037,8 @@ The options are:
- 2
+
@@ -58144,6 +67051,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateMode
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58153,8 +67065,8 @@ The options are:
- 0
+
@@ -58167,6 +67079,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AllowAutoWindowsUpdateDownloadOverMeteredNetworkLastWrite
@@ -58176,8 +67092,8 @@ The options are:
- 0
+
@@ -58190,7 +67106,12 @@ The options are:
text/plain
+ phone
+ WindowsUpdate.admx
+ AllowMUUpdateServiceId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58200,8 +67121,8 @@ The options are:
- 1
+
@@ -58224,8 +67145,8 @@ The options are:
- 1
+
@@ -58239,6 +67160,9 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURLLowestValueMostSecure
@@ -58248,8 +67172,8 @@ The options are:
- 7
+
@@ -58262,6 +67186,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartDeadline
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartDeadlineLastWrite
@@ -58271,8 +67200,8 @@ The options are:
- 15
+
@@ -58286,6 +67215,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ AutoRestartNotificationSchd
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartNotificationConfigLastWrite
@@ -58295,8 +67228,8 @@ The options are:
- 1
+
@@ -58309,6 +67242,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartRequiredNotificationDismissal
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartRequiredNotificationDismissalLastWrite
@@ -58318,8 +67256,8 @@ The options are:
- 16
+
@@ -58333,6 +67271,34 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ BranchReadinessLevelId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdates
+ LastWrite
+
+
+
+ ConfigureFeatureUpdateUninstallPeriod
+
+
+
+
+ 10
+ Enable enterprises/IT admin to configure feature update uninstall period
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
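Review bot: The description added for ConfigureFeatureUpdateUninstallPeriod ("Enable enterprises/IT admin to configure feature update uninstall period") does not say what unit the value is in or what range is accepted, so the default of 10 cannot be interpreted from this entry alone. State the unit and the allowed minimum and maximum in the description, and fix the grammar at the same time (for example "Enables IT admins to configure the feature update uninstall period").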
@@ -58342,8 +67308,8 @@ The options are:
- 0
+
@@ -58356,6 +67322,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferFeatureUpdatesPeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdatesLastWrite
@@ -58365,8 +67336,8 @@ The options are:
- 0
+
@@ -58379,6 +67350,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferQualityUpdatesPeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdatesLastWrite
@@ -58388,8 +67364,8 @@ The options are:
- 0
+
@@ -58402,6 +67378,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpdatePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgradeLastWrite
@@ -58411,8 +67392,8 @@ The options are:
- 0
+
@@ -58425,6 +67406,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpgradePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgradeLastWrite
@@ -58434,8 +67420,8 @@ The options are:
- 22
+
@@ -58448,6 +67434,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DetectionFrequency_Hour2
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DetectionFrequency_TitleLastWrite
@@ -58457,8 +67448,8 @@ The options are:
- Do not allow update deferral policies to cause scans against Windows Update0
+ Do not allow update deferral policies to cause scans against Windows Update
@@ -58471,6 +67462,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DisableDualScanLastWrite
@@ -58480,8 +67475,8 @@ The options are:
- 14
+
@@ -58494,6 +67489,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartDeadline
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionScheduleLastWrite
@@ -58503,8 +67503,8 @@ The options are:
- 3
+
@@ -58517,6 +67517,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartSnoozeSchedule
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionScheduleLastWrite
@@ -58526,8 +67531,8 @@ The options are:
- 7
+
@@ -58540,6 +67545,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartTransitionSchedule
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionScheduleLastWrite
@@ -58549,8 +67559,8 @@ The options are:
- 0
+
@@ -58563,6 +67573,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ ExcludeWUDriversInQualityUpdateLastWrite
@@ -58572,8 +67586,8 @@ The options are:
- 0
+
@@ -58586,6 +67600,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ CorpWUFillEmptyContentUrls
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURLLastWrite
@@ -58595,8 +67614,8 @@ The options are:
- 0
+
@@ -58619,8 +67638,8 @@ The options are:
- 0
+
@@ -58643,8 +67662,8 @@ The options are:
- 3
+
@@ -58657,6 +67676,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ManagePreviewBuildsId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ ManagePreviewBuildsLastWrite
@@ -58666,8 +67690,8 @@ The options are:
- 0
+
@@ -58680,6 +67704,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseDeferralsId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgradeLastWrite
@@ -58689,8 +67718,8 @@ The options are:
- 0
+
@@ -58703,6 +67732,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseFeatureUpdatesId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdatesLastWrite
@@ -58712,8 +67746,8 @@ The options are:
-
+
@@ -58726,6 +67760,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ PauseFeatureUpdatesStartId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdatesLastWrite
@@ -58735,8 +67773,8 @@ The options are:
- 0
+
@@ -58749,6 +67787,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseQualityUpdatesId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdatesLastWrite
@@ -58758,8 +67801,8 @@ The options are:
-
+
@@ -58772,6 +67815,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ PauseQualityUpdatesStartId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdatesLastWrite
@@ -58781,8 +67828,8 @@ The options are:
- 4
+
@@ -58795,6 +67842,7 @@ The options are:
text/plain
+ LowestValueMostSecure
@@ -58804,8 +67852,8 @@ The options are:
- 0
+
@@ -58818,6 +67866,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpgradePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgradeLastWrite
@@ -58827,8 +67880,8 @@ The options are:
- 0
+
@@ -58841,6 +67894,7 @@ The options are:
text/plain
+ HighestValueMostSecure
@@ -58850,8 +67904,8 @@ The options are:
- 0
+
@@ -58864,6 +67918,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchDay
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58873,8 +67932,8 @@ The options are:
- 1
+
@@ -58887,6 +67946,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchEveryWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58896,8 +67960,8 @@ The options are:
- 0
+
@@ -58910,6 +67974,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchFirstWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58919,8 +67988,8 @@ The options are:
- 0
+
@@ -58933,6 +68002,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallFourthWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58942,8 +68016,8 @@ The options are:
- 0
+
@@ -58956,6 +68030,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallSecondWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58965,8 +68044,8 @@ The options are:
- 0
+
@@ -58979,6 +68058,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallThirdWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -58988,8 +68072,8 @@ The options are:
- 3
+
@@ -59002,6 +68086,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfgLowestValueMostSecure
@@ -59011,8 +68100,8 @@ The options are:
- 15
+
@@ -59026,6 +68115,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ RestartWarn
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ RestartWarnRemindLastWrite
@@ -59035,8 +68128,8 @@ The options are:
- 4
+
@@ -59050,6 +68143,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ RestartWarnRemind
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ RestartWarnRemindLastWrite
@@ -59059,8 +68156,8 @@ The options are:
- 0
+
@@ -59073,6 +68170,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartNotificationSchd
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartNotificationDisableLastWrite
@@ -59082,8 +68184,8 @@ The options are:
- 0
+
@@ -59096,6 +68198,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ SetEDURestartLastWrite
@@ -59105,8 +68211,8 @@ The options are:
- CorpWSUS
+
@@ -59119,6 +68225,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ CorpWUURL_Name
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURLLastWrite
@@ -59128,8 +68238,8 @@ The options are:
-
+
@@ -59143,10 +68253,821 @@ The options are:
text/plainphone
+ WindowsUpdate.admx
+ CorpWUContentHost_Name
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURLLastWrite
+
+ UserRights
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccessCredentialManagerAsTrustedCaller
+
+
+
+
+
+ This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Access Credential Manager ase a trusted caller
+ LastWrite
+ 0xF000
+
+
+
+ AccessFromNetwork
+
+
+
+
+
+ This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Access this computer from the network
+ LastWrite
+ 0xF000
+
+
+
+ ActAsPartOfTheOperatingSystem
+
+
+
+
+
+ This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Act as part of the operating system
+ LastWrite
+ 0xF000
+
+
+
+ AllowLocalLogOn
+
+
+
+
+
+ This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Allow log on locally
+ LastWrite
+ 0xF000
+
+
+
+ BackupFilesAndDirectories
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Back up files and directories
+ LastWrite
+ 0xF000
+
+
+
+ ChangeSystemTime
+
+
+
+
+
+ This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Change the system time
+ LastWrite
+ 0xF000
+
+
+
+ CreateGlobalObjects
+
+
+
+
+
+ This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create global objects
+ LastWrite
+ 0xF000
+
+
+
+ CreatePageFile
+
+
+
+
+
+ This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create a pagefile
+ LastWrite
+ 0xF000
+
+
+
+ CreatePermanentSharedObjects
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create permanent shared objects
+ LastWrite
+ 0xF000
+
+
+
+ CreateSymbolicLinks
+
+
+
+
+
+ This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create symbolic links
+ LastWrite
+ 0xF000
+
+
+
+ CreateToken
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create a token object
+ LastWrite
+ 0xF000
+
+
+
+ DebugPrograms
+
+
+
+
+
+ This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Debug programs
+ LastWrite
+ 0xF000
+
+
+
+ DenyAccessFromNetwork
+
+
+
+
+
+ This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny access to this computer from the network
+ LastWrite
+ 0xF000
+
+
+
+ DenyLocalLogOn
+
+
+
+
+
+ This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny log on as a service
+ LastWrite
+ 0xF000
+
+
+
+ DenyRemoteDesktopServicesLogOn
+
+
+
+
+
+ This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny log on through Remote Desktop Services
+ LastWrite
+ 0xF000
+
+
+
+ EnableDelegation
+
+
+
+
+
+ This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Enable computer and user accounts to be trusted for delegation
+ LastWrite
+ 0xF000
+
+
+
+ GenerateSecurityAudits
+
+
+
+
+
+ This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Generate security audits
+ LastWrite
+ 0xF000
+
+
+
+ ImpersonateClient
+
+
+
+
+
+ Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+1) The access token that is being impersonated is for this user.
+2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
+3) The requested level is less than Impersonate, such as Anonymous or Identify.
+Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Impersonate a client after authentication
+ LastWrite
+ 0xF000
+
+
+
+ IncreaseSchedulingPriority
+
+
+
+
+
+ This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Increase scheduling priority
+ LastWrite
+ 0xF000
+
+
+
+ LoadUnloadDeviceDrivers
+
+
+
+
+
+ This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Load and unload device drivers
+ LastWrite
+ 0xF000
+
+
+
+ LockMemory
+
+
+
+
+
+ This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Lock pages in memory
+ LastWrite
+ 0xF000
+
+
+
+ ManageAuditingAndSecurityLog
+
+
+
+
+
+ This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Manage auditing and security log
+ LastWrite
+ 0xF000
+
+
+
+ ManageVolume
+
+
+
+
+
+ This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Perform volume maintenance tasks
+ LastWrite
+ 0xF000
+
+
+
+ ModifyFirmwareEnvironment
+
+
+
+
+
+ This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Modify firmware environment values
+ LastWrite
+ 0xF000
+
+
+
+ ModifyObjectLabel
+
+
+
+
+
+ This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Modify an object label
+ LastWrite
+ 0xF000
+
+
+
+ ProfileSingleProcess
+
+
+
+
+
+ This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Profile single process
+ LastWrite
+ 0xF000
+
+
+
+ RemoteShutdown
+
+
+
+
+
+ This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Force shutdown from a remote system
+ LastWrite
+ 0xF000
+
+
+
+ RestoreFilesAndDirectories
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Restore files and directories
+ LastWrite
+ 0xF000
+
+
+
+ TakeOwnership
+
+
+
+
+
+ This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Take ownership of files or other objects
+ LastWrite
+ 0xF000
+
+
+ Wifi
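Review bot: The DenyLocalLogOn node is documented with the wrong right: its description reads "This security setting determines which service accounts are prevented from registering a process as a service" and its mapped name is "Deny log on as a service", neither of which describes denying local logon. An admin reading this entry cannot tell which right the policy actually denies, so replace both strings with the text for denying local logon, or rename the node if it really controls the service right. Smaller text fixes in the same hunk: "Access Credential Manager ase a trusted caller" has a typo, the CreateSymbolicLinks description is missing "with" in "in conjunction a symlink filesystem setting", the last sentence of the GenerateSecurityAudits description is a fragment, and several descriptions lack a space after the full stop before "Note:" or "Specifically,".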
@@ -59172,8 +69093,8 @@ The options are:
- 1
+
@@ -59187,6 +69108,9 @@ The options are:
text/plain
+ wlansvc.admx
+ wlansvc~AT~Network~WlanSvc_Category~WlanSettings_Category
+ WiFiSenseLowestValueMostSecure
@@ -59196,8 +69120,8 @@ The options are:
- 1
+
@@ -59211,6 +69135,9 @@ The options are:
text/plain
+ NetworkConnections.admx
+ NetworkConnections~AT~Network~NetworkConnections
+ NC_ShowSharedAccessUILowestValueMostSecure
@@ -59220,8 +69147,8 @@ The options are:
- 1
+
@@ -59244,8 +69171,8 @@ The options are:
- 1
+
@@ -59268,8 +69195,8 @@ The options are:
- 1
+
@@ -59292,8 +69219,8 @@ The options are:
- 0
+
@@ -59306,10 +69233,58 @@ The options are:
text/plain
+ HighestValueMostSecureZeroHasNoLimits
+
+ WindowsConnectionManager
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ WCM.admx
+ WCM~AT~Network~WCM_Category
+ WCM_BlockNonDomain
+ LastWrite
+
+
+ WindowsDefenderSecurityCenter
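Review bot: The new WindowsConnectionManager node is named "ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork", with "Prohit" where "Prohibit" would be expected. A node name in this file has to match the policy name the device exposes character for character, so confirm which spelling is the shipped one and, if the misspelling is intentional, record that in the description. The node currently carries no description text at all, although it maps to WCM_BlockNonDomain.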
@@ -59335,8 +69310,8 @@ The options are:
-
+
@@ -59350,6 +69325,38 @@ The options are:
text/plainphone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_CompanyName
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_CompanyName
+ LastWrite
+
+
+
+ DisableAccountProtectionUI
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AccountProtection
+ AccountProtection_UILockdownLastWrite
@@ -59359,8 +69366,8 @@ The options are:
- 0
+
@@ -59373,7 +69380,39 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection
+ AppBrowserProtection_UILockdown
+ LastWrite
+
+
+
+ DisableDeviceSecurityUI
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_UILockdownLastWrite
@@ -59383,8 +69422,8 @@ The options are:
- 0
+
@@ -59397,7 +69436,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications
+ Notifications_DisableEnhancedNotificationsLastWrite
@@ -59407,8 +69450,8 @@ The options are:
- 0
+
@@ -59421,7 +69464,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FamilyOptions
+ FamilyOptions_UILockdownLastWrite
@@ -59431,8 +69478,8 @@ The options are:
- 0
+
@@ -59445,7 +69492,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DevicePerformanceHealth
+ DevicePerformanceHealth_UILockdownLastWrite
@@ -59455,8 +69506,8 @@ The options are:
- 0
+
@@ -59469,7 +69520,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FirewallNetworkProtection
+ FirewallNetworkProtection_UILockdownLastWrite
@@ -59479,8 +69534,8 @@ The options are:
- 0
+
@@ -59493,7 +69548,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications
+ Notifications_DisableNotificationsLastWrite
@@ -59503,8 +69562,8 @@ The options are:
- 0
+
@@ -59517,7 +69576,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection
+ VirusThreatProtection_UILockdownLastWrite
@@ -59527,8 +69590,8 @@ The options are:
- 0
+
@@ -59541,7 +69604,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection
+ AppBrowserProtection_DisallowExploitProtectionOverrideLastWrite
@@ -59551,8 +69618,8 @@ The options are:
-
+
@@ -59566,6 +69633,10 @@ The options are:
text/plainphone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_Email
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_EmailLastWrite
@@ -59575,8 +69646,8 @@ The options are:
- 0
+
@@ -59589,7 +69660,11 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_EnableCustomizedToastsLastWrite
@@ -59599,8 +69674,8 @@ The options are:
- 0
+
@@ -59613,7 +69688,95 @@ The options are:
text/plain
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_EnableInAppCustomization
+ LastWrite
+
+
+
+ HideRansomwareDataRecovery
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection
+ VirusThreatProtection_HideRansomwareRecovery
+ LastWrite
+
+
+
+ HideSecureBoot
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_HideSecureBoot
+ LastWrite
+
+
+
+ HideTPMTroubleshooting
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_HideTPMTroubleshootingLastWrite
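Review bot: the three nodes added in this hunk, HideRansomwareDataRecovery, HideSecureBoot and HideTPMTroubleshooting, carry a default of 0 and an ADMX mapping but no description text in the lines shown. Going by their names, each hides part of the Windows Defender Security Center UI, so add a description that states what 0 and 1 do, in the style the WirelessDisplay entries later in this file use ("If you set it to 0, ..."). The first node is named HideRansomwareDataRecovery while its ADMX policy is VirusThreatProtection_HideRansomwareRecovery; confirm the differing names are intended.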
@@ -59623,8 +69786,8 @@ The options are:
-
+
@@ -59638,6 +69801,10 @@ The options are:
text/plainphone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_Phone
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_PhoneLastWrite
@@ -59647,8 +69814,8 @@ The options are:
-
+
@@ -59662,6 +69829,10 @@ The options are:
text/plainphone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_URL
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_URLLastWrite
@@ -59691,8 +69862,8 @@ The options are:
- 1
+
@@ -59707,6 +69878,9 @@ The options are:
phone
+ WindowsInkWorkspace.admx
+ WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace
+ AllowSuggestedAppsInWindowsInkWorkspaceLowestValueMostSecure
@@ -59716,8 +69890,8 @@ The options are:
- 2
+
@@ -59730,7 +69904,12 @@ The options are:
text/plain
+ phone
+ WindowsInkWorkspace.admx
+ AllowWindowsInkWorkspaceDropdown
+ WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace
+ AllowWindowsInkWorkspaceLowestValueMostSecure
@@ -59760,8 +69939,8 @@ The options are:
-
+
@@ -59787,8 +69966,8 @@ The options are:
-
+
@@ -59808,14 +69987,41 @@ The options are:
LastWrite
+
+ EnumerateLocalUsersOnDomainJoinedComputers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ logon.admx
+ Logon~AT~System~Logon
+ EnumerateLocalUsers
+ LastWrite
+
+ HideFastUserSwitching
- This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.0
+ This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.
@@ -59829,9 +70035,86 @@ The options are:
text/plain
+ Logon.admx
+ Logon~AT~System~Logon
+ HideFastUserSwitchingHighestValueMostSecure
+
+ SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ WinLogon.admx
+ WinLogon~AT~WindowsComponents~Logon
+ AutomaticRestartSignOn
+ LastWrite
+
+
+
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ PowerShellExecutionPolicy.admx
+ PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell
+ EnableScriptBlockLogging
+ LastWrite
+
+ WirelessDisplay
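Review bot: TurnOnPowerShellScriptBlockLogging and SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart are added with neither description text nor a default value in the lines shown, unlike HideFastUserSwitching in the preceding hunk, which has a full description. Script block logging is a setting that detection work depends on, and automatic sign-in after a restart changes logon behaviour, so state for each node what enabling it does and what the unconfigured state is. The ADMX file name is also cased differently between entries (Logon.admx here, logon.admx for EnumerateLocalUsers in the preceding hunk); pick one.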
@@ -59858,8 +70141,8 @@ The options are:
- This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.1
+ This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.
@@ -59882,8 +70165,8 @@ The options are:
- This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver.1
+ This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver.
@@ -59906,10 +70189,10 @@ The options are:
+ 1This policy allows you to turn off projection from a PC.
If you set it to 0, your PC cannot discover or project to other devices.
If you set it to 1, your PC can discover and project to other devices.
- 1
@@ -59932,10 +70215,10 @@ The options are:
+ 1This policy allows you to turn off projection from a PC over infrastructure.
If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct.
If you set it to 1, your PC can discover and project to other devices over infrastructure.
- 1
@@ -59958,10 +70241,10 @@ The options are:
+ 1This policy setting allows you to turn off projection to a PC
If you set it to 0, your PC isn't discoverable and can't be projected to
If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too.
- 1
@@ -59976,6 +70259,9 @@ The options are:
phone
+ WirelessDisplay.admx
+ WirelessDisplay~AT~WindowsComponents~Connect
+ AllowProjectionToPCLowestValueMostSecure
@@ -59985,10 +70271,10 @@ The options are:
+ 1This policy setting allows you to turn off projection to a PC over infrastructure.
If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct.
If you set it to 1, your PC can be discoverable and can be projected to over infrastructure.
- 1
@@ -60011,8 +70297,8 @@ The options are:
- 1
+
@@ -60035,10 +70321,10 @@ The options are:
+ 0This policy setting allows you to require a pin for pairing.
If you turn this on, the pairing ceremony for new devices will always require a PIN
If you turn it off or don't configure it, a pin isn't required for pairing.
- 0
@@ -60052,6 +70338,9 @@ The options are:
text/plain
+ WirelessDisplay.admx
+ WirelessDisplay~AT~WindowsComponents~Connect
+ RequirePinForPairingLowestValueMostSecure
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 96c6d01d65..27677b6c69 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/13/2017
+ms.date: 01/29/2018
---
# RemoteWipe CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
The following diagram shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
@@ -45,14 +48,27 @@ Supported operation is Exec.
**doWipePersistUserData**
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
-## The Remote Wipe Process
+**AutomaticRedeployment**
+Added in Windows 10, version 1803. Node for the Automatic Redeployment operation.
+**AutomaticRedeployment/doAutomaticRedeployment**
+Added in Windows 10, version 1803. Exec on this node triggers Automatic Redeployment operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
-The remote wipe command is sent as an XML provisioning file to the device. Since the RemoteWipe Configuration Service Provider uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning.
+**AutomaticRedeployment/LastError**
+Added in Windows 10, version 1803. Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).
-In Windows 10 Mobile, the remote wipe command is implemented on the device by using the **ResetPhone** function. On the desktop, the remote wipe triggers the **Reset this PC** functionality with the **Remove everything** option.
+**AutomaticRedeployment/Status**
+Added in Windows 10, version 1803. Status value indicating current state of an Automatic Redeployment operation.
-> **Note** On the desktop, the remote wipe effectively performs a factory reset and the PC does not retain any information about the command once the wipe completes. Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed.
+Supported values:
+
+- 0: Never run (not started). The default state.
+- 1: Complete.
+- 10: Reset has been scheduled.
+- 20: Reset is scheduled and waiting for a reboot.
+- 30: Failed during CSP Execute ("Exec" in SyncML).
+- 40: Failed: power requirements not met.
+- 50: Failed: reset internals failed during reset attempt.
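Review bot: this hunk deletes the "The Remote Wipe Process" section, and with it the note that on the desktop "Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed"; nothing in the added lines says that caveat no longer applies to the existing wipe nodes, so keep it or explain the removal in the commit message. For the new nodes, doAutomaticRedeployment says "Exec on this node", but AutomaticRedeployment/LastError and AutomaticRedeployment/Status have no "Supported operation is ..." line like the one visible in the hunk header context. Since the text says the device stays enrolled in Azure AD and MDM, also say whether Status and LastError can be read after the reset completes and what a management server should do when it sees 30, 40 or 50.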
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index c85f6ef82b..215cc85669 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 01/29/2018
---
# RemoteWipe DDF file
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the DDF for Windows 10, version 1709.
+The XML below is the DDF for Windows 10, version 1803.
``` syntax
@@ -43,7 +43,7 @@ The XML below is the DDF for Windows 10, version 1709.
-
+ com.microsoft/1.1/MDM/RemoteWipeThe root node for remote wipe function.
@@ -131,8 +131,94 @@ The XML below is the DDF for Windows 10, version 1709.
Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
+
+ AutomaticRedeployment
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ doAutomaticRedeployment
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LastError
+
+
+
+
+ 0
+ Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ 0
+ Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
```
## Related topics
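Review bot: in the DDF added here, the AutomaticRedeployment and doAutomaticRedeployment nodes have no description text in the lines shown, while LastError and Status do; copy the one-line descriptions from remotewipe-csp.md so the DDF is self-describing. The Status description also runs all seven values together in one sentence, and the same list now lives in remotewipe-csp.md as well, so the two need to be kept identical.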
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index bb8e58dd2c..465bbd98f8 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
-title: REST API reference for Micosoft Store for Business
-description: REST API reference for Micosoft Store for Business
+title: REST API reference for Microsoft Store for Business
+description: REST API reference for Microsoft Store for Business
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
@@ -13,7 +13,7 @@ author: nickbrower
ms.date: 09/18/2017
---
-# REST API reference for Micosoft Store for Business
+# REST API reference for Microsoft Store for Business
Here's the list of available operations:
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index a86a8fef94..5fa0f29fa7 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -12,7 +12,7 @@ ms.date: 11/01/2017
# TPMPolicy CSP
-The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
+The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703.
@@ -30,7 +30,7 @@ The following diagram shows the TPMPolicy configuration service provider in tree
There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
There should be no traffic during installation of Windows and first logon when local ID is used.
Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.
-
Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.
+
Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, etc.) to Microsoft.
Here is an example:
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
new file mode 100644
index 0000000000..d2a2fc6fef
--- /dev/null
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -0,0 +1,87 @@
+---
+title: UEFI CSP
+description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes.
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/01/2018
+---
+
+# UEFI CSP
+
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1803.
+
+The following diagram shows the UEFI CSP in tree format.
+
+
+
+The following list describes the characteristics and parameters.
+
+**./Vendor/MSFT/Uefi**
+Root node.
+
+**UefiDeviceIdentifier**
+Retrieves XML from UEFI which describes the device identifier.
+
+Supported operation is Get.
+
+**IdentityInfo**
+Node for provisioned signers operations.
+
+
+**IdentityInfo/Current**
+Retrieves XML from UEFI which describes the current UEFI identity information.
+
+Supported operation is Get.
+
+**IdentityInfo/Apply**
+Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**IdentityInfo/ApplyResult**
+Retrieves XML describing the results of previous ApplyIdentityInfo operation.
+
+Supported operation is Get.
+
+**AuthInfo**
+Node for permission information operations.
+
+**AuthInfo/Current**
+Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
+
+Supported operation is Get.
+
+**AuthInfo/Apply**
+Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**AuthInfo/ApplyResult**
+Retrieves XML describing the results of previous ApplyAuthInfo operation.
+
+Supported operation is Get.
+
+**Config**
+Node for device configuration
+
+**Config/Current**
+Retrieves XML from UEFI which describes the current UEFI configuration.
+
+Supported operation is Get.
+
+**Config/Apply**
+Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**Config/ApplyResult**
+Retrieves XML describing the results of previous ApplyConfig operation.
+
+Supported operation is Get.
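Review bot: the three Apply nodes say only "Input is the signed package in base64 encoded format"; for a CSP that changes firmware settings, state who must sign the package, how IdentityInfo (described as "Node for provisioned signers operations") relates to that signature, and how a package that fails verification is reported through ApplyResult. The ApplyResult descriptions refer to "ApplyIdentityInfo", "ApplyAuthInfo" and "ApplyConfig" operations, which are not node names on this page; use IdentityInfo/Apply, AuthInfo/Apply and Config/Apply. Smaller points: the front-matter description says "Uefi CSP" where the title says "UEFI CSP", "Node for device configuration" lacks its full stop, and only blank lines follow "The following diagram shows the UEFI CSP in tree format." in the lines shown.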
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
new file mode 100644
index 0000000000..5f8e6403eb
--- /dev/null
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -0,0 +1,330 @@
+---
+title: UEFI DDF file
+description: UEFI DDF file
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/01/2018
+---
+
+# UEFI DDF file
+
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+This topic shows the OMA DM device description framework (DDF) for the **Uefi** configuration service provider.
+
+Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
+
+The XML below is the current version for this CSP.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ Uefi
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/Uefi
+
+
+
+ UefiDeviceIdentifier
+
+
+
+
+ Retrieves XML from UEFI which describes the device identifier.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IdentityInfo
+
+
+
+
+ Provisioned signers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI identity information
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyIdentityInfo operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ AuthInfo
+
+
+
+
+ Permission Information
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyAuthInfo operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Config
+
+
+
+
+ Device Configuration
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI configuration.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyConfig operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+```
\ No newline at end of file
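Review bot: the file ends with "\ No newline at end of file"; add the trailing newline after the closing code fence. In the DDF itself, the IdentityInfo/Apply, AuthInfo/Apply and Config/Apply nodes show no text/plain type line, while the Get nodes (UefiDeviceIdentifier, Current, ApplyResult) all do; confirm that is intended for the base64 input rather than an omission. The ApplyResult descriptions repeat the "ApplyIdentityInfo", "ApplyAuthInfo" and "ApplyConfig" names that match no node, and the IdentityInfo/Current description lacks the full stop its AuthInfo and Config counterparts have.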
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 929b649c67..6e079fbf78 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/11/2017
+ms.date: 03/02/2018
---
# Understanding ADMX-backed policies
@@ -47,6 +47,14 @@ An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policy
Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies).
+Here is a video of how to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune.
+
+
+
+Here is a video of how to import a custom ADMX file to a device using Intune.
+
+
+
## ADMX files and the Group Policy Editor
To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named “Publishing Server 2 Settings.” When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**.
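Review bot: the two added sentences introduce videos, but in the lines shown only blank lines follow them, so give each video a title and a plain link next to the embed for readers whose renderer does not display it. The first sentence also writes "custom xml" and then "the XML"; use "XML" both times, and "a video of how to" reads better as "a video that shows how to".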
@@ -131,6 +139,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
+
]]>
+
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 01af9b2577..67de432346 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 02/23/2018
---
# Update CSP
@@ -76,7 +76,7 @@ The following diagram shows the Update configuration service provider in tree fo
Supported operation is Get.
**FailedUpdates/*Failed Update Guid*/RevisionNumber**
-
Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
@@ -91,7 +91,7 @@ The following diagram shows the Update configuration service provider in tree fo
Supported operation is Get.
**InstalledUpdates/*Installed Update Guid*/RevisionNumber**
-
Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
@@ -135,7 +135,7 @@ The following diagram shows the Update configuration service provider in tree fo
Supported operation is Get.
**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**
-
Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
@@ -149,6 +149,38 @@ The following diagram shows the Update configuration service provider in tree fo
Supported operation is Get.
+**Rollback**
+Added in Windows 10, version 1803. Node for the rollback operations.
+
+**Rollback/QualityUpdate**
+Added in Windows 10, version 1803. Roll back latest Quality Update, if the machine meets the following conditions:
+
+- Condition 1: Device must be Windows Update for Business Connected
+- Condition 2: Device must be in a Paused State
+- Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
+
+If the conditions are not true, the device will not Roll Back the Latest Quality Update.
+
+**Rollback/FeatureUpdate**
+Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions:
+
+- Condition 1: Device must be Windows Update for Business Connnected
+- Condition 2: Device must be in Paused State
+- Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
+- Condition 4: Machine should be within the uninstall period
+
+> [!Note]
+> This only works for Semi Annual Channel Targeted devices.
+
+If the conditions are not true, the device will not Roll Back the Latest Feature Update.
+
+
+**Rollback/QualityUpdateStatus**
+Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation.
+
+**Rollback/FeatureUpdateStatus**
+Added in Windows 10, version 1803. Returns the result of last RollBack FeatureUpdate operation.
+
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
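Review bot: none of the five new Rollback nodes has a "Supported operation is ..." line, which the surrounding nodes in this file have, and Rollback/QualityUpdateStatus and Rollback/FeatureUpdateStatus do not list the values they return, so a server cannot tell a refused rollback from a failed one. Under Rollback/FeatureUpdate, "Windows Update for Business Connnected" has a third "n" and should read "Connected", as in the Rollback/QualityUpdate list. Condition 4 says the machine "should be" within the uninstall period where the other conditions say "must", the uninstall period itself is not defined, and the capitalisation varies between "Roll back", "Roll Back" and "RollBack".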
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index 00056f6fc8..b628189e10 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 02/23/2018
---
# Update DDF file
@@ -16,522 +16,643 @@ This topic shows the OMA DM device description framework (DDF) for the **Update*
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1803.
``` syntax
]>
+ "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+ []>
- 1.2
+ 1.2
+
+ Update
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.1/MDM/Update
+
+
- Update
- ./Vendor/MSFT
+ ApprovedUpdates
+
+
+
+
+
+
+ Approve of specific updates to be installed on a device and accept the EULA associated with the update on behalf of the end-user
+
+
+
+
+
+
+
+
+
+ Approved Updates
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+ UpdateID field of the UpdateIdentity is used to display relevant update metadata to IT and approved updates to be installed on the device
+
+
+
+
+
+
+
+
+
+ Approved Update Guid
+
+
+
- ApprovedUpdates
-
-
-
-
-
-
- Approve of specific updates to be installed on a device and accept the EULA associated with the update on behalf of the end-user
-
-
-
-
-
-
-
-
-
- Approved Updates
-
-
-
-
-
-
-
-
-
-
- UpdateID field of the UpdateIdentity is used to display relevant update metadata to IT and approved updates to be installed on the device
-
-
-
-
-
-
-
-
-
- Approved Update Guid
-
-
-
-
-
- ApprovedTime
-
-
-
-
- 0
- The time updates get approved
-
-
-
-
-
-
-
-
-
- The time update get approved
-
- text/plain
-
-
-
-
-
-
- FailedUpdates
-
-
-
-
- Approved updates that failed to install on a device
-
-
-
-
-
-
-
-
-
- Failed Updates
-
-
-
-
-
-
-
-
-
-
- UpdateID field of the UpdateIdentity GUID that represent an update that failed to install
-
-
-
-
-
-
-
-
-
-
-
-
- Failed Update Guid
-
-
-
-
-
- HResult
-
-
-
-
- 0
- Update failure error code
-
-
-
-
-
-
-
-
-
- HResult
-
- text/plain
-
-
-
-
- Status
-
-
-
-
- Update failure status
-
-
-
-
-
-
-
-
-
-
-
-
- Failed update status
-
- text/plain
-
-
-
-
- RevisionNumber
-
-
-
-
- The revision number of the update
-
-
-
-
-
-
-
-
-
- Update's revision number
-
- text/plain
-
-
-
-
-
-
- InstalledUpdates
-
-
-
-
- Updates that are installed on the device
-
-
-
-
-
-
-
-
-
- Installed Updates
-
-
-
-
-
-
-
-
-
-
- UpdateIDs that represent the updates installed on a device
-
-
-
-
-
-
-
-
-
- Installed Update Guid
-
-
-
-
-
- RevisionNumber
-
-
-
-
- The revision number of the update
-
-
-
-
-
-
-
-
-
- Update's revision number
-
- text/plain
-
-
-
-
-
-
- InstallableUpdates
-
-
-
-
- Updates that are applicable and not yet installed on the device
-
-
-
-
-
-
-
-
-
- Installable Updates
-
-
-
-
-
-
-
-
-
-
- UpdateIDs that represent the updates applicable and not installed on a device
-
-
-
-
-
-
-
-
-
- Installable Update Guid
-
-
-
-
-
- Type
-
-
-
-
-
- The UpdateClassification value of the update
- Values:
- 0 = None
- 1 = Security
- 2 = Critical
-
-
-
-
-
-
-
-
-
-
- Type of update
-
- text/plain
-
-
-
-
- RevisionNumber
-
-
-
-
- The revision number of the update
-
-
-
-
-
-
-
-
-
- Update's revision number
-
- text/plain
-
-
-
-
-
-
- PendingRebootUpdates
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Devices in the pending reboot state
-
-
-
-
-
-
-
-
-
-
-
-
- Pending Reboot Update Guid
-
-
-
-
-
- InstalledTime
-
-
-
-
- The time the update installed.
-
-
-
-
-
-
-
-
-
- InstalledTime
-
- text/plain
-
-
-
-
- RevisionNumber
-
-
-
-
- The revision number of the update
-
-
-
-
-
-
-
-
-
- Update's revision number
-
- text/plain
-
-
-
-
-
-
- LastSuccessfulScanTime
-
-
-
-
- 0
- Last success scan time.
-
-
-
-
-
-
-
-
-
-
-
-
- LastSuccessfulScanTime
-
- text/plain
-
-
-
-
- DeferUpgrade
-
-
-
-
- 0
- Defer upgrades till the next upgrade period (at least a few months).
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ ApprovedTime
+
+
+
+
+ 0
+ The time updates get approved
+
+
+
+
+
+
+
+
+
+ The time update get approved
+
+ text/plain
+
+
+
+
+ FailedUpdates
+
+
+
+
+ Approved updates that failed to install on a device
+
+
+
+
+
+
+
+
+
+ Failed Updates
+
+
+
+
+
+
+
+
+
+
+ UpdateID field of the UpdateIdentity GUID that represent an update that failed to install
+
+
+
+
+
+
+
+
+
+
+
+
+ Failed Update Guid
+
+
+
+
+
+ HResult
+
+
+
+
+ 0
+ Update failure error code
+
+
+
+
+
+
+
+
+
+ HResult
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ Update failure status
+
+
+
+
+
+
+
+
+
+
+
+
+ Failed update status
+
+ text/plain
+
+
+
+
+ RevisionNumber
+
+
+
+
+ The revision number of the update
+
+
+
+
+
+
+
+
+
+ Update's revision number
+
+ text/plain
+
+
+
+
+
+
+ InstalledUpdates
+
+
+
+
+ Updates that are installed on the device
+
+
+
+
+
+
+
+
+
+ Installed Updates
+
+
+
+
+
+
+
+
+
+
+ UpdateIDs that represent the updates installed on a device
+
+
+
+
+
+
+
+
+
+ Installed Update Guid
+
+
+
+
+
+ RevisionNumber
+
+
+
+
+ The revision number of the update
+
+
+
+
+
+
+
+
+
+ Update's revision number
+
+ text/plain
+
+
+
+
+
+
+ InstallableUpdates
+
+
+
+
+ Updates that are applicable and not yet installed on the device
+
+
+
+
+
+
+
+
+
+ Installable Updates
+
+
+
+
+
+
+
+
+
+
+ UpdateIDs that represent the updates applicable and not installed on a device
+
+
+
+
+
+
+
+
+
+ Installable Update Guid
+
+
+
+
+
+ Type
+
+
+
+
+
+ The UpdateClassification value of the update
+ Values:
+ 0 = None
+ 1 = Security
+ 2 = Critical
+
+
+
+
+
+
+
+
+
+
+ Type of update
+
+ text/plain
+
+
+
+
+ RevisionNumber
+
+
+
+
+ The revision number of the update
+
+
+
+
+
+
+
+
+
+ Update's revision number
+
+ text/plain
+
+
+
+
+
+
+ PendingRebootUpdates
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Devices in the pending reboot state
+
+
+
+
+
+
+
+
+
+
+
+
+ Pending Reboot Update Guid
+
+
+
+
+
+ InstalledTime
+
+
+
+
+ The time the update installed.
+
+
+
+
+
+
+
+
+
+ InstalledTime
+
+ text/plain
+
+
+
+
+ RevisionNumber
+
+
+
+
+ The revision number of the update
+
+
+
+
+
+
+
+
+
+ Update's revision number
+
+ text/plain
+
+
+
+
+
+
+ LastSuccessfulScanTime
+
+
+
+
+ 0
+ Last success scan time.
+
+
+
+
+
+
+
+
+
+
+
+
+ LastSuccessfulScanTime
+
+ text/plain
+
+
+
+
+ DeferUpgrade
+
+
+
+
+ 0
+ Defer upgrades till the next upgrade period (at least a few months).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Rollback
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ QualityUpdate
+
+
+
+
+
+ Roll back Latest Quality Update, if the machine meets the following conditions:
+ Condition 1: Device must be WUfB Connected
+ Condition 2: Device must be in a Paused State
+ Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
+ If the conditions are not true, the device will not Roll Back the Latest Quality Update.
+
+
+
+
+
+
+
+
+
+
+ QualityUpdate
+
+ text/plain
+
+
+
+
+ FeatureUpdate
+
+
+
+
+
+ Roll Back Latest Feature Update, if the machine meets the following conditions:
+ Condition 1: Device must be WUfB Connnected
+ Condition 2: Device must be in Paused State
+ Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
+ Condition 4: Machine should be within the uninstall period
+ If the conditions are not true, the device will not Roll Back the Latest Feature Update.
+
+
+
+
+
+
+
+
+
+
+ FeatureUpdate
+
+ text/plain
+
+
+
+
+ QualityUpdateStatus
+
+
+
+
+ Returns the result of last RollBack QualityUpdate opearation.
+
+
+
+
+
+
+
+
+
+ QualityUpdateStatus
+
+ text/plain
+
+
+
+
+ FeatureUpdateStatus
+
+
+
+
+ Returns the result of last RollBack FeatureUpdate opearation.
+
+
+
+
+
+
+
+
+
+ FeatureUpdateStatus
+
+ text/plain
+
+
+
+
+
```
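Review bot: The added Rollback descriptions contain typos that will surface in the rendered DDF: "WUfB Connnected" in Condition 1 of FeatureUpdate, and "opearation" in both QualityUpdateStatus and FeatureUpdateStatus. The wording is also inconsistent between the two nodes ("Roll back" / "Roll Back" / "RollBack", "in a Paused State" / "in Paused State"). Condition 4 of FeatureUpdate refers to "the uninstall period" without saying how long it is or where it is configured, and neither status node lists the values it can return. Suggest fixing the spelling, using one form of "roll back" throughout, and documenting the status values so an administrator can tell a rollback that was refused by a condition from one that failed.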
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index 4934ae68ec..7f839bb83d 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 02/05/2018
---
# ProfileXML XSD
@@ -31,6 +31,8 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
+
@@ -46,6 +48,20 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -388,6 +404,8 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
truefalse
+ false
+ falsecorp.contoso.comcontoso.com,test.corp.contoso.com
@@ -396,6 +414,14 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
Helloworld.Com
+
+
+
+
+
+
+
+
```
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 5999ebee5e..4e19920eef 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -77,7 +77,7 @@ The following list describes the characteristics and parameters.
Supported operations are Get and Replace.
**Configuration/TelemetryReportingFrequency**
-
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection telemetry reporting frequency.
+
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
The following list shows the supported values:
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index a47fcba793..d475e14ee4 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -227,7 +227,7 @@ The XML below is the current version for this CSP.
1
- Return or set Windows Defender Advanced Threat Protection telemetry reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite
+ Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 47b499d041..710bbc8021 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -34,14 +34,18 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
**Settings/ClipboardFileType**
Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-- 0 - Allow text copying.
-- 1 - Allow text and image copying.
+- 0 - Disables content copying.
+- 1 - Allow text copying.
+- 2 - Allow image copying.
+- 3 - Allow text and image copying.
**Settings/ClipboardSettings**
This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
-- 1 - Turns On the clipboard functionality and lets you choose whether to additionally enable copying of certain content from Application Guard into Microsoft Edge and enable copying of certain content from Microsoft Edge into Application Guard.
+- 1 - Turns On clipboard operation from an isolated session to the host
+- 2 - Turns On clipboard operation from the host to an isolated session
+- 3 - Turns On clipboard operation in both the directions
> [!Important]
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
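Review bot: The [!Important] note under Settings/ClipboardSettings still warns about content going "from Microsoft Edge into Application Guard", while the new values 1 to 3 are written in terms of "host" and "isolated session", so a reader cannot tell which value the warning applies to. Name the values in the note (presumably 2 and 3, the host to isolated session direction) and use one set of terms. Separately, in Settings/ClipboardFileType the meanings of 0 and 1 change (0 was "Allow text copying" and is now "Disables content copying"); please confirm whether this corrects the documentation or reflects a behavior change, and state the Windows version if it is the latter, because a profile already deployed with 0 or 1 would be read differently. The new bullets also mix "Disables" with "Allow", and the ClipboardSettings bullets lack the closing period the value 0 line has.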
@@ -83,6 +87,9 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
**InstallWindowsDefenderApplicationGuard**
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
+- Install - Will initiate feature install
+- Uninstall - Will initiate feature uninstall
+
**Audit**
Interior node. Supported operation is Get
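Review bot: The two bullets added under InstallWindowsDefenderApplicationGuard do not say which operation takes them. The node supports Get and Execute, so state that Install and Uninstall are the data values for Execute, and describe what Get returns. "Will initiate feature install" would also read better in the present tense used elsewhere in this file, for example "Initiates the feature install."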
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index f0535dc3e4..a330013d0d 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -2,7 +2,7 @@
title: Windows 10 Mobile deployment and management guide (Windows 10)
description: This guide helps IT professionals plan for and deploy Windows 10 Mobile devices.
ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E
-keywords: Mobile, telemetry, BYOD, MDM
+keywords: Mobile, diagnostic data, BYOD, MDM
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -14,7 +14,8 @@ ms.date: 09/21/2017
# Windows 10 Mobile deployment and management guide
-*Applies to: Windows 10 Mobile, version 1511 and Windows 10 Mobile, version 1607*
+**Applies to:**
+- Windows 10 Mobile, version 1511 and Windows 10 Mobile, version 1607
This guide helps IT professionals plan for and deploy Windows 10 Mobile devices.
@@ -189,7 +190,7 @@ Multiple MDM systems support Windows 10 and most support personal and corporate
In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicy.aspx).
**Cloud services**
-On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
+On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect diagnostic and usage data. Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
**Windows Push Notification Services**
The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way.
@@ -795,9 +796,9 @@ While Windows 10 Mobile provides updates directly to user devices from Windows U
Upgrading to Windows 10 Mobile Enterprise edition provides additional device and app management capabilities for organizations that want to:
- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 Mobile Enterprise edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released.
- **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 Mobile Enterprise is required.
-- **Set the telemetry level:** Microsoft collects telemetry data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the telemetry level so that only telemetry information required to keep devices secured is gathered.
+- **Set the diagnostic data level:** Microsoft collects diagnostic data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the diagnostic data level so that only diagnostic information required to keep devices secured is gathered.
-To learn more about telemetry, visit [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
+To learn more about diagnostic, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning package to inject the Windows 10 Enterprise license on a Windows 10 Mobile device. Licenses can be obtained from the Volume Licensing portal. For testing purposes, you can obtain a licensing file from the MSDN download center. A valid MSDN subscription is required.
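Review bot: The replaced link sentence now reads "To learn more about diagnostic, see", which drops the noun; it should be "To learn more about diagnostic data, see". In the bullet above it, "only diagnostic information required to keep devices secured" switches from "diagnostic data" to "diagnostic information" within the same sentence; use one term.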
@@ -1007,17 +1008,17 @@ The following list shows examples of the Windows 10 Mobile software and hardware
- **Secure Boot state** Indicates whether Secure Boot is enabled
- **Enterprise encryption policy compliance** Indicates whether the device is encrypted
-### Manage telemetry
+### Manage diagnostic data
*Applies to: Corporate devices with Windows 10 Mobile Enterprise edition*
-Microsoft uses telemetry (diagnostics, performance, and usage data) from Windows devices to help inform decisions and focus efforts to provide the most robust and valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry helps keep Windows devices healthy, improve the operating system, and personalize features and services.
+Microsoft uses diagnostics, performance, and usage data from Windows devices to help inform decisions and focus efforts to provide the most robust and valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data helps keep Windows devices healthy, improve the operating system, and personalize features and services.
-You can control the level of data that telemetry systems collect. To configure devices, specify one of these levels in the Allow Telemetry setting with your MDM system.
+You can control the level of data that diagnostic data systems collect. To configure devices, specify one of these levels in the Allow Telemetry setting with your MDM system.
-For more information, see [Configure Windows telemetry in Your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
+For more information, see [Configure Windows diagnostic data in Your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
->**Note:** Telemetry can only be managed when the device is upgraded to Windows 10 Mobile Enterprise edition.
+>**Note:** Diagnostic data can only be managed when the device is upgraded to Windows 10 Mobile Enterprise edition.
### Remote assistance
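Review bot: Renaming the heading from "### Manage telemetry" to "### Manage diagnostic data" changes the generated anchor, so any link to the old section anchor needs to be updated in the same change. In the body, the mechanical substitution leaves "the level of data that diagnostic data systems collect", which is hard to parse; something like "the level of diagnostic data that is collected" says the same thing. The sentence keeps "Allow Telemetry setting", which is right if that is the literal policy name, but it is worth a short clarification since the surrounding text no longer uses the word. The link text "in Your organization" also has a stray capital.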
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 24d1e1b2eb..e08ae3f4bd 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -1,10 +1,11 @@
# [Configure Windows 10](index.md)
-## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
-## [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-telemetry-windows-analytics-events-and-fields.md)
## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
-## [Windows 10 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md)
+## [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
+## [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md)
+## [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
## [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md)
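Review bot: The re-added 1709 enhanced entry keeps the title "enhanced telemetry events and fields" while its target becomes enhanced-diagnostic-data-windows-analytics-events-and-fields.md, and both Full-level entries still say "Full telemetry level", so the TOC ends up with mixed terminology after a change whose purpose is to replace it. Either update these titles or note why they stay. Three targets are renamed here (configure-windows-diagnostic-data-in-your-organization.md, enhanced-diagnostic-data-windows-analytics-events-and-fields.md, and windows-diagnostic-data.md as a new 1709 page); confirm the old file names redirect so existing links keep working.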
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
index cf42ebfdaf..d6c2534f87 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1,7 +1,7 @@
---
description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
-keywords: privacy, telemetry
+keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -24,7 +24,7 @@ The Basic level gathers a limited set of information that is critical for unders
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles:
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
>[!Note]
>Updated November 2017 to document new and modified events. We’ve added some new events and also added new fields to existing events to prepare for upgrades to the next release of Windows.
@@ -88,12 +88,12 @@ The following fields are available:
- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
- **iKey** Represents an ID for applications or other logical groupings of events.
-- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
- **os** Represents the operating system name.
- **osVer** Represents the OS version, and its format is OS dependent.
- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
-- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries.
### Common Data Extensions.OS
@@ -135,7 +135,7 @@ The following fields are available:
### Common Data Extensions.Consent UI Event
-This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
The following fields are available:
@@ -198,7 +198,7 @@ The following fields are available:
- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.Enabled** Is the adverising ID enabled for the device?
- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
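Review bot: The replacement line for HKLM_AdvertisingID.Enabled swaps one misspelling for another ("adveristing" becomes "adverising"), and the HKCU_AdvertisingID.Enabled line two below still has "adveristing". Both should read "advertising"; fix the HKCU line in the same hunk.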
@@ -332,7 +332,7 @@ The following fields are available:
- **HasCitData** Is the file present in CIT data?
- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
- **IsAv** Is the file an anti-virus reporting EXE?
-- **ResolveAttempted** This will always be an empty string when sending telemetry.
+- **ResolveAttempted** This will always be an empty string when sending diagnostic data.
- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
@@ -1032,7 +1032,7 @@ The following fields are available:
- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
- **AppraiserVersion** The version of the Appraiser file generating the events.
-- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data.
- **Time** The client time of the event.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
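Review bot: On the Context line, "Setup or Telemetry" is given as an example of what the field contains, so changing it to "Setup or Diagnostic Data" may document a value the field never reports. If "Telemetry" is the literal string Appraiser emits, keep it as is; the terminology change should apply to descriptive prose, not to example field values.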
@@ -1354,35 +1354,35 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
-A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
The following fields are available:
- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
- **Time** The client time of the event.
-- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
+- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
-- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current diagnostic data run.
- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
-- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
-- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **EnterpriseRun** Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
- **AuxFinal** Obsolete, always set to false
- **StoreHandleIsNotNull** Obsolete, always set to false
- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
-- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **TelementrySent** Indicates if telemetry was successfully sent.
+- **TelementrySent** Indicates if diagnostic data was successfully sent.
- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
-- **RunResult** The hresult of the Appraiser telemetry run.
+- **RunResult** The hresult of the Appraiser diagnostic data run.
### Microsoft.Windows.Appraiser.General.WmdrmAdd
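Review bot: The rewritten RunDate line still says the run "was stated"; since the line is being touched anyway, correct it to "started". The unchanged RunOnline line in the same list has "theefore" and could be fixed in this pass too. The event name TelemetryRunHealth and the field TelementrySent are identifiers and are correctly left alone, but the summary sentence now describes a "diagnostic data run" under a heading that says TelemetryRunHealth; a few words tying the two together would help readers searching for the event by name.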
@@ -1502,14 +1502,14 @@ The following fields are available:
- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
-- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **DeviceSampleRate** The diagnostic data sample rate assigned to the device.
- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
- **SSRK** Retrieves the mobile targeting settings.
### Census.Hardware
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date.
The following fields are available:
@@ -1532,8 +1532,8 @@ The following fields are available:
- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
- **StudyID** Used to identify retail and non-retail device.
-- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
-- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **TelemetryLevel** The diagnostic data level the user has opted into, such as Basic or Enhanced.
+- **TelemetrySettingAuthority** Determines who set the diagnostic data level, such as GP, MDM, or the user.
- **DeviceForm** Indicates the form as per the device classification.
- **DigitizerSupport** Is a digitizer supported?
- **OEMModelBaseBoard** The baseboard model used by the OEM.
@@ -1545,7 +1545,7 @@ The following fields are available:
- **Gyroscope** Indicates whether the device has a gyroscope.
- **Magnetometer** Indicates whether the device has a magnetometer.
- **NFCProximity** Indicates whether the device supports NFC.
-- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
+- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions.
### Census.Memory
@@ -1784,45 +1784,45 @@ This event provides information on about security settings used to help keep Win
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of telemetry opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
The following fields are available:
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed.
### TelClientSynthetic.AuthorizationInfo_Startup
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date.
The following fields are available:
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data client was last started.
### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experiences and Telemetry component that uploads diagnostic data events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
The following fields are available:
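Review bot: The new CanCollectOsTelemetry description, in both AuthorizationInfo_RuntimeTransition and AuthorizationInfo_Startup, drops the parenthetical "(often called Microsoft Telemetry)", which was the text tying the OS provider groups to the "MsTelemetry" part of the neighbouring field name CanAddMsaToMsTelemetry. The field names keep "Telemetry" while every description now says "diagnostic data", so consider one sentence near the top of these sections stating that the field names are unchanged and predate the terminology change.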
@@ -1838,13 +1838,13 @@ The following fields are available:
### TelClientSynthetic.HeartBeat_5
-This event sends data about the health and quality of the telemetry data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+This event sends data about the health and quality of the diagnostic data data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
The following fields are available:
- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
-- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
-- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the diagnostic data client.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the diagnostic data client.
- **DecodingDroppedCount** The number of events dropped because of decoding failures.
- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
- **DbDroppedCount** The number of events that were dropped because the database was full.
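Review bot: The replaced sentence under TelClientSynthetic.HeartBeat_5 now reads "the health and quality of the diagnostic data data from the given device"; the search-and-replace of "telemetry" left a doubled word. Change it to "the health and quality of the diagnostic data from the given device".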
@@ -1852,10 +1852,10 @@ The following fields are available:
- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
-- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the diagnostic data client.
- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
-- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component.
+- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component.
- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
@@ -1957,7 +1957,7 @@ The following fields are available:
- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
-- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
- **TargetAppId** The kernel reported AppId of the application being reported.
- **TargetAppVer** The specific version of the application being reported
- **TargetAsId** The sequence number for the hanging process.
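Review bot: The touched AppSessionGuid line still reads "GUID made up of process ID and is used as a correlation vector", which is ungrammatical and differs from the wording of the same field in the hang event further down ("GUID made up of process id used as a correlation vector"). Since the line is being edited anyway, use one wording in both places, for example "GUID made up of the process ID, used as a correlation vector for process instances in the diagnostic data backend". The ReportId context line above it also has "This can used", which is missing "be".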
@@ -1982,7 +1982,7 @@ The following fields are available:
- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
-- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
- **PackageFullName** Store application identity.
- **AppVersion** The version of the app that has hung.
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
index d4a94c3455..eac9fde18a 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
@@ -1,7 +1,7 @@
---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+description: Learn more about the Windows diagnostic data that is gathered at the basic level.
title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
-keywords: privacy, telemetry
+keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: eross-msft
ms.author: lizross
-ms.date: 10/26/2017
+ms.date: 02/12/2018
---
@@ -32,7 +32,7 @@ You can learn more about Windows functional and diagnostic data through these ar
- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
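Review bot: The link target in the added line changes from configure-windows-telemetry-in-your-organization.md to configure-windows-diagnostic-data-in-your-organization.md, but nothing in this file's hunks shows that the target was renamed. Confirm the new file exists in the same commit and that the old path is left with a redirect, otherwise this relative link and any external links to the old article will break.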
@@ -101,12 +101,12 @@ The following fields are available:
- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
- **iKey** Represents an ID for applications or other logical groupings of events.
-- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
- **os** Represents the operating system name.
- **osVer** Represents the OS version, and its format is OS dependent.
- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
-- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries.
### Common Data Extensions.OS
@@ -148,7 +148,7 @@ The following fields are available:
### Common Data Extensions.Consent UI Event
-This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
The following fields are available:
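Review bot: In the Consent UI Event description the mechanical replacement turns "telemetry point" into "diagnostic data point", which reads as a single data point rather than an event that reports UAC elevation requests from low integrity levels. "This User Account Control (UAC) diagnostic data event collects information on elevations that originate from low integrity levels" would be clearer. The same changed line also has "requests for elevation via UAC", which should be "requests elevation via UAC".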
@@ -255,46 +255,46 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.RunContext
-"This event indicates what should be expected in the data payload. "
+This event indicates what should be expected in the data payload.
The following fields are available:
- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **AppraiserVersion** The version of the Appraiser file generating the events.
-- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **Time** The client time of the event.
### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
-A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
The following fields are available:
- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
-- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
- **AuxFinal** Obsolete, always set to false
- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
-- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **EnterpriseRun** Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
-- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult** The hresult of the Appraiser telemetry run.
-- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **RunResult** The hresult of the Appraiser diagnostic data run.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current diagnostic data run.
- **StoreHandleIsNotNull** Obsolete, always set to false
-- **TelementrySent** Indicates if telemetry was successfully sent.
-- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **TelementrySent** Indicates if diagnostic data was successfully sent.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
- **Time** The client time of the event.
- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
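Review bot: The Context line under Microsoft.Windows.Appraiser.General.RunContext changes the example from "Setup or Telemetry" to "Setup or Diagnostic Data", but these read as values the field reports rather than descriptive prose, and the event and field names in this same hunk (TelemetryRunHealth, TelementrySent) keep the old term. Unless the value Appraiser emits has changed, keep the example as "Setup or Telemetry" so the documentation matches what appears in the data. Two typos are carried over on lines this hunk touches or sits next to and are worth fixing now: "was stated" in RunDate (should be "started") and "theefore" in the RunOnline context line.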
@@ -1461,7 +1461,7 @@ This event sends Windows Insider data from customers participating in improvemen
The following fields are available:
-- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **DeviceSampleRate** The diagnostic data sample rate assigned to the device.
- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
- **FlightIds** A list of the different Windows Insider builds on this device.
- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
@@ -1472,7 +1472,7 @@ The following fields are available:
### Census.Hardware
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date.
The following fields are available:
@@ -1504,9 +1504,9 @@ The following fields are available:
- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
- **SoCName** The firmware manufacturer of the device.
- **StudyID** Used to identify retail and non-retail device.
-- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
-- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
-- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **TelemetryLevel** The diagnostic data level the user has opted into, such as Basic or Enhanced.
+- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions.
+- **TelemetrySettingAuthority** Determines who set the diagnostic data level, such as GP, MDM, or the user.
- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
@@ -1604,6 +1604,39 @@ The following fields are available:
- **SocketCount** Number of physical CPU sockets of the machine.
+### Census.Security
+
+This event provides information on about security settings used to help keep Windows up-to-date and secure.
+
+- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard.
+- **CGRunning** Is Credential Guard running?
+- **DGState** A summary of the Device Guard state.
+- **HVCIRunning** Is HVCI running?
+- **IsSawGuest** Describes whether the device is running as a Secure Admin Workstation Guest.
+- **IsSawHost** Describes whether the device is running as a Secure Admin Workstation Host.
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
+- **SecureBootCapable** Is this device capable of running Secure Boot?
+- **VBSState** Is virtualization-based security enabled, disabled, or running?
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device.
+
+The following fields are available:
+
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **KWSEnabled** "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)."
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+
+
+
### Census.Storage
This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
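Review bot: The added Census.Security section opens with "This event provides information on about security settings" (stray "on") and, unlike the Census.Speech section added directly below it, has no "The following fields are available:" line before the field list. The section is also not a pure move: it lists IsSawGuest and IsSawHost, which the Census.Security block removed later in this file does not have, so the commit description should say that fields were added. In the added Census.Speech lines, RemotelyManaged has "admininistrator", and KWSEnabled is wrapped in CSV-style quoting (an outer pair of quotes and doubled quotes around Hey Cortana) that will render literally.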
@@ -1614,34 +1647,6 @@ The following fields are available:
- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
-
-### Census.VM
-
-This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
-
-The following fields are available:
-
-- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
-- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
-- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
-- **isVDI** Is the device using Virtual Desktop Infrastructure?
-- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors.
-- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
-- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
-
-
-### Census.Xbox
-
-This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
-
-The following fields are available:
-
-- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
-- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
-- **XboxLiveDeviceId** Retrieves the unique device id of the console.
-- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
-
-
### Census.Userdefault
This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
@@ -1664,6 +1669,25 @@ The following fields are available:
- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
- **SpeechInputLanguages** The Speech Input languages installed on the device.
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **isVDI** Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+
+
+
+
+
+
### Census.WU
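Review bot: The re-added IsVirtualDevice line under Census.VM carries the literal text "Hv#HASH#1" twice ("other Hv#HASH#1 Hypervisor" and "non-Hv#HASH#1 Hypervisors"), which looks like an unresolved placeholder and tells the reader nothing about which hypervisors the field can be trusted for. Since the section is being moved anyway, replace it with the intended term or reword the sentence. The hunk also adds six empty lines after the field list before Census.WU; one is enough.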
@@ -1695,79 +1719,63 @@ The following fields are available:
- **WUPauseState** Retrieves WU setting to determine if updates are paused
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+### Census.Xbox
-### Census.Speech
-
-This event is used to gather basic speech settings on the device.
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
The following fields are available:
-- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
-- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
-- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
-- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
-- **KWSEnabled** "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)."
-- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
-- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
-- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
-- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId** Retrieves the unique device id of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
-### Census.Security
-This event provides information on about security settings used to help keep Windows up-to-date and secure.
-
-- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard.
-- **CGRunning** Is Credential Guard running?
-- **DGState** A summary of the Device Guard state.
-- **HVCIRunning** Is HVCI running?
-- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
-- **SecureBootCapable** Is this device capable of running Secure Boot?
-- **VBSState** Is virtualization-based security enabled, disabled, or running?
## Diagnostic data events
### TelClientSynthetic.AuthorizationInfo_Startup
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date.
The following fields are available:
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data client was last started.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of telemetry opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
The following fields are available:
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads diagnostic data events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
The following fields are available:
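Review bot: the added TelClientSynthetic.ConnectivityHeartBeat_0 description still names the component "Connected User Experience and Telemetry", while the MaxInUseScenarioCounter line later in this patch is changed to "Connected User Experiences and Telemetry". Use the plural form here as well so the component has one name throughout the file. The new CanCollectOsTelemetry text also drops "(often called Microsoft Telemetry)"; because the field names keep their Telemetry suffix, consider one sentence stating that field identifiers are unchanged by the terminology update.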
@@ -1783,7 +1791,7 @@ The following fields are available:
### TelClientSynthetic.HeartBeat_5
-This event sends data about the health and quality of the telemetry data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+This event sends data about the health and quality of the diagnostic data data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
The following fields are available:
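Review bot: the added TelClientSynthetic.HeartBeat_5 description reads "health and quality of the diagnostic data data", a doubled word left by replacing "telemetry" inside "telemetry data". Change it to "the diagnostic data from the given device" and search the rest of the patch for the same "data data" pattern.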
@@ -1791,7 +1799,7 @@ The following fields are available:
- **CensusExitCode** The last exit code of the Census task.
- **CensusStartTime** The time of the last Census run.
- **CensusTaskEnabled** Indicates whether Census is enabled.
-- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the diagnostic data client.
- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
@@ -1800,7 +1808,7 @@ The following fields are available:
- **DecodingDroppedCount** The number of events dropped because of decoding failures.
- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
-- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the diagnostic data client.
- **EventSubStoreResetCounter** The number of times the event database was reset.
- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
- **EventsUploaded** The number of events that have been uploaded.
@@ -1812,12 +1820,12 @@ The following fields are available:
- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
-- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component.
+- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component.
- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
-- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the diagnostic data client.
- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
@@ -1888,7 +1896,7 @@ The following fields are available:
The following fields are available:
- **AppName** The name of the app that has crashed.
-- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
- **AppTimeStamp** The date/time stamp of the app.
- **AppVersion** The version of the app that has crashed.
- **ExceptionCode** The exception code returned by the process that has crashed.
@@ -1938,7 +1946,7 @@ This event sends data about hangs for both native and managed applications, to h
The following fields are available:
- **AppName** The name of the app that has hung.
-- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
- **AppVersion** The version of the app that has hung.
- **PackageFullName** Store application identity.
- **PackageRelativeAppId** Store application identity.
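Review bot: the AppSessionGuid description added here ("GUID made up of process id used as a correlation vector") is worded differently from the one added for the crash event in the previous hunk ("GUID made up of process ID and is used as a correlation vector"). Both describe the same field, so give them one wording and one capitalization of "ID".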
@@ -1990,8 +1998,9 @@ The following fields are available:
This event provides data on the installed Office Add-ins.
-- **AddInCLSID** The CLSID key office the Office addin.
-- **AddInId** The ID of the Office addin.
+- **AddInCLSID** The CLSID key office for the Office addin.
+- **AddInId** The identifier of the Office addin.
+- **AddinType** The type of the Office addin.
- **BinFileTimestamp** The timestamp of the Office addin.
- **BinFileVersion** The version of the Office addin.
- **Description** The description of the Office addin.
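Review bot: the rewritten AddInCLSID line, "The CLSID key office for the Office addin", still carries the stray word "office" from the old text; "The CLSID key for the Office addin" is what was presumably meant. The new AddinType field also uses different casing from its neighbours AddInCLSID and AddInId, so confirm that the documented name matches the field the event actually emits.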
@@ -2004,8 +2013,58 @@ This event provides data on the installed Office Add-ins.
- **OfficeArchitecture** The architecture of the addin.
- **OfficeVersion** The Office version for this addin.
- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin.
+- **ProductCompany** The name of the company associated with the Office addin.
+- **ProductName** The product name associated with the Office addin.
+- **ProductVersion** The version associated with the Office addin.
+- **ProgramId** The unique program identifier of the Office addin.
- **Provider** The provider name for this addin.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+
+There are no fields in this event.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
+
+This event provides insight data on the installed Office products.
+
+The following fields are available:
+
+- **OfficeApplication** The name of the Office application.
+- **OfficeArchitecture** The bitness of the Office application.
+- **OfficeVersion** The version of the Office application.
+- **Value** The insights collected about this entity.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
+
+This diagnostic event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
+
+This event describes various Office settings.
+
+The following fields are available:
+
+- **BrowserFlags** Browser flags for Office-related products.
+- **ExchangeProviderFlags** Provider policies for Office Exchange.
+- **SharedComputerLicensing** Office shared computer licensing policies.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+There are no fields in this event.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
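Review bot: in InventoryMiscellaneousOfficeInsightsAdd, the Value field is documented only as "The insights collected about this entity", which does not tell a reader what data leaves the device; the same applies to BrowserFlags and ExchangeProviderFlags under OfficeSettingsAdd. Since this page exists to disclose what each field collects, state the kind of content and format for each. The OfficeSettingsStartSync description ("Diagnostic event to indicate a new sync is being generated") is also phrased differently from the other StartSync events added in this hunk and should match them.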
@@ -2036,6 +2095,18 @@ The following fields are available:
- **Validation_x64** Count of files that require additional manual validation for 64-bit issues
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+
+There are no fields in this event.
+
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
@@ -2412,6 +2483,66 @@ This event indicates that a new sync is being generated for this object type.
There are no fields in this event.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
+
+This event provides data on the installed Office identifiers.
+
+- **OAudienceData** The Office Audience descriptor.
+- **OAudienceId** The Office Audience ID.
+- **OMID** The Office machine ID.
+- **OPlatform** The Office architecture.
+- **OVersion** The Office version
+- **OTenantId** The Office 365 Tenant GUID.
+- **OWowMID** The Office machine ID.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
+
+This event provides data on the installed Office-related Internet Explorer features.
+
+- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
+
+This event describes the Office products that are installed.
+
+- **OC2rApps** The Office Click-to-Run apps.
+- **OC2rSkus** The Office Click-to-Run products.
+- **OMsiApps** The Office MSI apps.
+- **OProductCodes** The Office MSI product code.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
This event indicates that a new sync is being generated for this object type.
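Review bot: in InventoryMiscellaneousOfficeIdentifiersAdd, OMID and OWowMID are both described as "The Office machine ID.", so the reader cannot tell why two fields exist or how they differ; these are device identifiers and the distinction should be stated. In the same hunk, the OVersion line is missing its closing period, the three new field lists lack the "The following fields are available:" lead-in used elsewhere in the file, and all fifteen OIe* fields share one link-only description that does not say what value is recorded for each feature control key.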
@@ -3185,7 +3316,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
-This event indicates that Javascript is reporting a schema and a set of values for critical telemetry
+This event indicates that Javascript is reporting a schema and a set of values for critical diagnostic data.
The following fields are available:
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index de4cac4bc0..144f6425e6 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -8,22 +8,34 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
-ms.date: 01/24/2018
+ms.date: 02/12/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## February 2018
+
+New or changed topic | Description
+--- | ---
+[Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Added events and fields that were added in the February update.
+[Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Added steps for configuring a kiosk in Microsoft Intune.
+[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Updated the instructions for applying a customized Start layout using Microsoft Intune.
+
## January 2018
New or changed topic | Description
--- | ---
+[Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Added videos demonstrating how to use Microsoft Intune and how to use provisioning packages to configure multi-app kiosks.
[ConnectivityProfiles](wcd/wcd-connectivityprofiles.md) | Added settings for VPN **Native** and **Third Party** profile types.
[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Clarified that the TopMFUApps elements in layoutmodification.xml are not supported in Windows 10, version 1709.
| [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) | New topic |
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Added section for removing default apps from the taskbar.
[Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md) | New topic for Windows 10, version 1709 that explains the purpose for connections to Microsoft services and how to manage them.
+[Configure Windows Spotlight on the lock screen](windows-spotlight.md) | Added section for resolution of custom lock screen images.
+[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Added section for automatic sign-in after restart on unmanaged devices.
+
## November 2017
@@ -46,7 +58,7 @@ The topics in this library have been updated for Windows 10, version 1709 (also
- [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
- [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
-- [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-telemetry-windows-analytics-events-and-fields.md)
+- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
## September 2017
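Review bot: the changed list item now links to enhanced-diagnostic-data-windows-analytics-events-and-fields.md, but the rename of that file is not visible alongside this hunk. Confirm the target is renamed in the same change and that the old enhanced-telemetry-windows-analytics-events-and-fields.md path redirects, otherwise this entry and any external bookmarks will break.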
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index e96debef9c..ac50964c8f 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -32,17 +32,18 @@ The following example shows how apps will be pinned: Windows default apps to the
## Configure taskbar (general)
-To configure the taskbar:
+**To configure the taskbar:**
+
1. Create the XML file.
- * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from the following sample to the file.
- * If you are only configuring the taskbar, use the following sample to create a layout modification XML file.
+ * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file.
+ * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file.
2. Edit and save the XML file. You can use [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path to identify the apps to pin to the taskbar.
* Use `` and [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) to pin Universal Windows Platform apps.
* Use `` and Desktop Application Link Path to pin desktop applications.
3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
>[!IMPORTANT]
->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
+>If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
>
>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](https://technet.microsoft.com/itpro/windows/manage/customize-and-export-start-layout#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout.
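Review bot: in the updated IMPORTANT note, "import-startlayout" is written in lowercase plain text, while step 1 of the same procedure formats the companion cmdlet as `Export-StartLayout`. Write it as `Import-StartLayout` in code formatting so readers recognize it as a cmdlet name.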
diff --git a/windows/configuration/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
similarity index 55%
rename from windows/configuration/configure-windows-telemetry-in-your-organization.md
rename to windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
index 52483ff9cd..9529995ecb 100644
--- a/windows/configuration/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,6 +1,6 @@
---
-description: Use this article to make informed decisions about how you can configure telemetry in your organization.
-title: Configure Windows telemetry in your organization (Windows 10)
+description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
+title: Configure Windows diagnostic data in your organization (Windows 10)
keywords: privacy
ms.prod: w10
ms.mktglfcycl: manage
@@ -11,7 +11,7 @@ author: brianlic-msft
ms.date: 10/17/2017
---
-# Configure Windows telemetry in your organization
+# Configure Windows diagnostic data in your organization
**Applies to**
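Review bot: the front matter for this renamed article keeps "ms.date: 10/17/2017" even though the title, description, and body text are all changed, whereas change-history-for-configure-windows-10.md in the same patch has its ms.date moved to 02/12/2018. Update ms.date here as well so the page reflects when its content last changed.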
@@ -19,54 +19,54 @@ ms.date: 10/17/2017
- Windows 10 Mobile
- Windows Server
-At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
+At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
-To frame a discussion about telemetry, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways:
+To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers.
+- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
+- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
+- **Security.** We encrypt diagnostic data in transit from your device and protect that data at our secure data centers.
- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
+- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
+- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
-This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
+This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
-Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
+Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
## Overview
-In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
+In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
-## Understanding Windows telemetry
+## Understanding Windows diagnostic data
Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
-The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts.
+The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
-### What is Windows telemetry?
-Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
+### What is Windows diagnostic data?
+Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
- Keep Windows up to date
- Keep Windows secure, reliable, and performant
- Improve Windows – through the aggregate analysis of the use of Windows
- Personalize Windows engagement surfaces
-Here are some specific examples of Windows telemetry data:
+Here are some specific examples of Windows diagnostic data data:
- Type of hardware being used
- Applications installed and usage details
- Reliability information on device drivers
-### What is NOT telemetry?
+### What is NOT diagnostic data?
-Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a user’s location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the user’s request.
+Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
-There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
+There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
@@ -76,26 +76,26 @@ The following are specific examples of functional data:
- Bing searches
- Wallpaper and desktop settings synced across multiple devices
-### Telemetry gives users a voice
+### Diagnostic data gives users a voice
-Windows and Windows Server telemetry gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
+Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
### Drive higher app and driver quality
-Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
+Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
-#### Real-world example of how Windows telemetry helps
-There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+#### Real-world example of how Windows diagnostic data helps
+There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
-Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
+Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
-- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature.
+- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
-**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
+**These examples show how the use of diagnostic data data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
### Insights into your own organization
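Review bot: The bolded summary line at the end of the productivity list now reads "the use of diagnostic data data enables Microsoft to build or enhance features"; drop the repeated "data". The renamed headings in this hunk ("### Diagnostic data gives users a voice", "#### Real-world example of how Windows diagnostic data helps") will also produce different heading anchors if the publishing system derives them from the heading text, so check whether any inbound links point at the old telemetry anchors.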
@@ -108,7 +108,7 @@ Upgrading to new operating system versions has traditionally been a challenging,
To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
-With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
@@ -122,50 +122,50 @@ Use Upgrade Readiness to get:
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-## How is telemetry data handled by Microsoft?
+## How is diagnostic data data handled by Microsoft?
### Data collection
-Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
-3. You can configure the telemetry level by using MDM policy, Group Policy, or registry settings.
-4. The Connected User Experience and Telemetry component transmits the telemetry data.
+3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
+4. The Connected User Experiences and Telemetry component transmits the diagnostic data data.
-Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
### Data transmission
-All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+All diagnostic data data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
### Endpoints
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
-The following table defines the endpoints for telemetry services:
+The following table defines the endpoints for diagnostic data services:
| Service | Endpoint |
| - | - |
-| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com |
+| Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
### Data use and access
-The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+The principle of least privileged access guides access to diagnostic data data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
-## Telemetry levels
-This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
+## Diagnostic data levels
+This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
-The telemetry data is categorized into four levels:
+The diagnostic data data is categorized into four levels:
-- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level.
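Review bot: The doubled "data data" recurs throughout this hunk and reaches a section heading: "## How is diagnostic data data handled by Microsoft?", step 4 ("transmits the diagnostic data data"), "All diagnostic data data is encrypted using SSL", "guides access to diagnostic data data", and "The diagnostic data data is categorized into four levels". The Data collection sentence "gathers and stores diagnostic data events and data" also needs a manual rewrite rather than a mechanical substitution. The endpoint hostnames in the table (for example watson.telemetry.microsoft.com and oca.telemetry.microsoft.com) are correctly left untouched; keep any follow-up replace limited to prose so those values stay as they are, since administrators copy them into firewall and proxy rules.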
@@ -175,20 +175,20 @@ The telemetry data is categorized into four levels:
The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
-
+
### Security level
-The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
+The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data data about Windows Server features or System Center gathered.
The data gathered at this level includes:
-- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+- **Connected User Experiences and Telemetry component settings**. If general diagnostic data data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
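Review bot: The removed and added lines directly under "The levels are cumulative and are illustrated in the following diagram" are both empty as shown here, so the diagram reference cannot be checked from this hunk; confirm the image link and its alt text still resolve after the rename. In the same hunk, "nor is diagnostic data data about Windows Server features or System Center gathered" and "If general diagnostic data data has been gathered and is queued" carry the doubled word, and "gathers only the diagnostic data info that is required" is redundant and reads better as "gathers only the diagnostic data that is required".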
@@ -202,15 +202,15 @@ The data gathered at this level includes:
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
-For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
-No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
### Basic level
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
-The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device.
+The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
The data gathered at this level includes:
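Review bot: In the Basic level paragraph, the added line reads "does not gather diagnostic data data about System Center"; remove the repeated "data". The other three replacements in this hunk read cleanly.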
@@ -232,7 +232,7 @@ The data gathered at this level includes:
- Storage attributes, such as number of drives, type, and size
-- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
@@ -259,7 +259,7 @@ The Enhanced level gathers data about how Windows and apps are used and how they
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
-The normal upload range for the Enhanced telemetry level is between 239 KB - 348 KB per day, per device.
+The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
The data gathered at this level includes:
@@ -271,14 +271,14 @@ The data gathered at this level includes:
- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
-If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
+If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics
Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
-- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/eventname) topic.
+- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
- **Some crash dump types.** All crash dump types, except for heap and full dumps.
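Review bot: The "Operating system events" bullet changes more than wording: the link target moves from the absolute URL https://docs.microsoft.com/windows/configuration/eventname to the relative path enhanced-diagnostic-data-windows-analytics-events-and-fields.md, and the link text now names the topic "Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics". Please confirm that file exists in the same folder in this commit and that its title matches the new link text; otherwise this bullet ends up with a broken link or a mismatched topic name.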
@@ -308,7 +308,7 @@ The **Full** level gathers data necessary to identify and to help fix problems,
Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
-If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem.
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
@@ -320,27 +320,27 @@ However, before more data is gathered, Microsoft’s privacy governance team, in
## Enterprise management
-Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option.
+Sharing diagnostic data data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
-Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
+Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
-IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users’ choices. The remainder of this section describes how to do that.
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy overrides users’ choices. The remainder of this section describes how to do that.
-### Manage your telemetry settings
+### Manage your diagnostic data settings
-We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
+We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
> [!IMPORTANT]
-> These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
+> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
-You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
+You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on.
-The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 is **Enhanced**.
+The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**.
-### Configure the operating system telemetry level
+### Configure the operating system diagnostic data level
-You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device level settings.
+You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy overrides any device level settings.
Use the appropriate value in the table below when you configure the management policy.
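Review bot: The replacement in the first paragraph under "Enterprise management" leaves a doubled word, "Sharing diagnostic data data with Microsoft"; drop the second "data". The IMPORTANT note in this hunk is also being rewritten but still reads "how you can to opt in or opt out", which should be "how you can opt in or opt out" while the line is open for edit.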
@@ -352,9 +352,9 @@ Use the appropriate value in the table below when you configure the management p
| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
-### Use Group Policy to set the telemetry level
+### Use Group Policy to set the diagnostic data level
-Use a Group Policy object to set your organization’s telemetry level.
+Use a Group Policy object to set your organization’s diagnostic data level.
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
@@ -362,11 +362,11 @@ Use a Group Policy object to set your organization’s telemetry level.
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
-### Use MDM to set the telemetry level
+### Use MDM to set the diagnostic data level
Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
-### Use Registry Editor to set the telemetry level
+### Use Registry Editor to set the diagnostic data level
Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
@@ -380,25 +380,25 @@ Use Registry Editor to manually set the registry level on each device in your or
5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-### Configure System Center 2016 telemetry
+### Configure System Center 2016 diagnostic data
-For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
+For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps:
-- Turn off telemetry by using the System Center UI Console settings workspace.
+- Turn off diagnostic data by using the System Center UI Console settings workspace.
-- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
+- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
-### Additional telemetry controls
+### Additional diagnostic data controls
-There are a few more settings that you can turn off that may send telemetry information:
+There are a few more settings that you can turn off that may send diagnostic data information:
-- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
-- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
> [!NOTE]
> Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
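Review bot: Under "Additional diagnostic data controls", the mechanical rename turns "telemetry information" into "may send diagnostic data information", which is redundant; "may send diagnostic data" is enough. The same pass produces "turn off Windows Update diagnostic data" in the first bullet, which reads as if the data itself were a switch; consider "stop Windows Update from sending diagnostic data".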
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index cd236665b7..7d84bee306 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -82,7 +82,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
## Export the Start layout
-When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
+When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
>[!IMPORTANT]
>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
@@ -97,7 +97,7 @@ When you have the Start layout that you want your users to see, use the [Export-
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
- Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
Example of a layout file produced by `Export-StartLayout`:
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index e205a7d93f..41f82753c8 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -44,7 +44,7 @@ The GPO can be configured from any computer on which the necessary ADMX and ADML
Three features enable Start and taskbar layout control:
-- The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
+- The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
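Review bot: The new Export-StartLayout URL pins a version with "?view=win10-ps", while the Import-StartLayout link in the note directly below it has no view parameter. Pick one form for both cmdlet links so they resolve to the same documentation version, and apply it to the two identical link updates in customize-and-export-start-layout.md as well.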
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 25187b8f0a..0fd4cae9da 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 11/15/2017
+ms.date: 02/08/2018
---
# Customize Windows 10 Start and taskbar with mobile device management (MDM)
@@ -45,86 +45,37 @@ Two features enable Start layout control:
-- In MDM, you set the path to the .xml file that defines the Start layout using an OMA-URI setting, which is based on the [Policy configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=623244).
+- In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile.
## Create a policy for your customized Start layout
This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy.
-1. In the Start layout file created when you ran **Export-StartLayout**, replace markup characters with escape characters, and save the file. (You can replace the characters manually or use an online tool.)
+1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
- Example of a layout file produced by Export-StartLayout:
+2. Select **Device configuration**.
-
-
+3. Select **Profiles**.
- Example of the same layout file with escape characters replacing the markup characters:
+4. Select **Create profile**.
-```
- <wdcml:p xmlns:wdcml="http://microsoft.com/wdcml">Example of a layout file produced by Export-StartLayout:</wdcml:p><wdcml:snippet xmlns:wdcml="http://microsoft.com/wdcml"><![CDATA[<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
- <DefaultLayoutOverride>
- <StartLayoutCollection>
- <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
- <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
- <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
- <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
- <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- </start:Group>
- </defaultlayout:StartLayout>
- </StartLayoutCollection>
- </DefaultLayoutOverride>
- </LayoutModificationTemplate>]]></wdcml:snippet>
-```
+5. Enter a friendly name for the profile.
-2. In the Microsoft Intune administration console, click **Policy** > **Add Policy**.
+6. Select **Windows 10 and later** for the platform.
-3. Under **Windows**, choose a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
+7. Select **Device restrictions for the profile type.
-4. Enter a name (mandatory) and description (optional) for the policy.
+8. Select **Start**.
-5. In the **OMA-URI Settings** section, click **Add.**
+9. In **Start menu layout**, browse to and select your Start layout XML File.
-6. In **Add or Edit OMA-URI Setting**, enter the following information.
+10. Select **OK** twice, and then select **Create**.
- | Item | Information |
- |----|----|
- | **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. |
- | **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
- | **Data type** | **String** |
- | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** |
- | **Value** | Paste the contents of the Start layout .xml file that you created. |
+11. Assign the profile to a device group.
-
-7. Click **OK** to save the setting and return to the **Create Policy** page.
+For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=623244). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
-8. Click **Save Policy**.
## Related topics
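Review bot: Step 7 has an unclosed bold marker, "Select **Device restrictions for the profile type.", which will render the asterisks literally or bold the rest of the line; it should be "Select **Device restrictions** for the profile type." Separately, the closing paragraph for other MDM solutions gives only the OMA-URI, while the removed steps also told the reader to replace markup characters with escape characters, set the data type to String, and paste the file contents as the value. If those requirements still hold for non-Intune MDMs, keep a one-line summary of them next to the OMA-URI.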
diff --git a/windows/configuration/diagnostic-data-viewer-overview.md b/windows/configuration/diagnostic-data-viewer-overview.md
index 384f3b5dd1..fe1598c59f 100644
--- a/windows/configuration/diagnostic-data-viewer-overview.md
+++ b/windows/configuration/diagnostic-data-viewer-overview.md
@@ -47,10 +47,8 @@ You must start this app from the **Settings** panel.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
- 
-
- -OR-
-
+ 
-OR-
+
Go to **Start** and search for _Diagnostic Data Viewer_.
3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
@@ -98,12 +96,9 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
**To view your Windows Error Reporting diagnostic data**
-1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-
-- OR -
-
- Go to **Start** and search for _Problem Reports_.
+1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-OR-
+ Go to **Start** and search for _Problem Reports_.
The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
- 
\ No newline at end of file
+ 
diff --git a/windows/configuration/enhanced-telemetry-windows-analytics-events-and-fields.md b/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
similarity index 94%
rename from windows/configuration/enhanced-telemetry-windows-analytics-events-and-fields.md
rename to windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 4463ec973b..385988b6d3 100644
--- a/windows/configuration/enhanced-telemetry-windows-analytics-events-and-fields.md
+++ b/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -1,7 +1,7 @@
---
-description: Use this article to learn more about the enhanced telemetry events used by Windows Analytics
+description: Use this article to learn more about the enhanced diagnostic data events used by Windows Analytics
title: Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10)
-keywords: privacy, telemetry
+keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
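Review bot: The front matter "title:" line is left unchanged and still reads "enhanced telemtry events", so it keeps both a typo and the old term while "description", "keywords" and the H1 in the next hunk move to "diagnostic data". Update the title in this same change so the page title and H1 match.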
@@ -13,15 +13,15 @@ ms.author: jaimeo
---
-# Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics
+# Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics
**Applies to**
- Windows 10, version 1709 and later
-Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS telemetry events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced.
+Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS diagnostic data events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced.
-In Windows 10, version 1709, we introduce a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system telemetry events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+In Windows 10, version 1709, we introduce a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
## KernelProcess.AppStateChangeSummary
diff --git a/windows/configuration/gdpr-win10-whitepaper.md b/windows/configuration/gdpr-win10-whitepaper.md
index 434bb0239b..c7dd56e8df 100644
--- a/windows/configuration/gdpr-win10-whitepaper.md
+++ b/windows/configuration/gdpr-win10-whitepaper.md
@@ -179,7 +179,7 @@ The GDPR includes explicit requirements for breach notification where a personal
As noted in the Windows Security Center white paper, [Post Breach: Dealing with Advanced Threats](http://wincom.blob.core.windows.net/documents/Post_Breach_Dealing_with_Advanced_Threats_Whitepaper.pdf), “_Unlike pre-breach, post-breach assumes a breach has already occurred – acting as a flight recorder and Crime Scene Investigator (CSI). Post-breach provides security teams the information and toolset needed to identify, investigate, and respond to attacks that otherwise will stay undetected and below the radar._”
-#### Insightful security telemetry
+#### Insightful security diagnostic data
For nearly two decades, Microsoft has been turning threats into useful intelligence that can help fortify our platform and protect customers. Today, with the immense computing advantages afforded by the cloud, we are finding new ways to use our rich analytics engines driven by threat intelligence to protect our customers.
By applying a combination of automated and manual processes, machine learning and human experts, we can create an Intelligent Security Graph that learns from itself and evolves in real-time, reducing our collective time to detect and respond to new incidents across our products.
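Review bot: The heading "Insightful security diagnostic data" looks like an over-applied rename. The paragraphs under it discuss threat intelligence and the Intelligent Security Graph, not the Windows diagnostic data levels, so "security telemetry" here was not the term this change set is retiring. Suggest keeping the original heading or rewording it by hand; changing it also changes the heading's anchor for any inbound links.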
diff --git a/windows/configuration/images/auto-signin.png b/windows/configuration/images/auto-signin.png
new file mode 100644
index 0000000000..260376199e
Binary files /dev/null and b/windows/configuration/images/auto-signin.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index f41df7288e..d8cfdf2e49 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -19,11 +19,13 @@ Enterprises often need to apply custom configurations to devices for their users
| Topic | Description |
| --- | --- |
-| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+| [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. |
+|[Diagnostic Data Viewer overview](diagnostic-data-viewer-overview.md) |Learn about the categories of diagnostic data your device is sending to Microsoft, along with how it's being used.|
| [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. |
-|[Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-telemetry-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
-| [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
-| [Windows 10 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703 and later. |
+| [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)| Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703.|
+| [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
+| [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1709. |
+| [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1703. |
|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.|
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
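Review bot: The added rows in the topic table still use the old wording in their link text, "enhanced telemetry events and fields used by Windows Analytics" and "diagnostic data for the Full telemetry level" (twice), even though the targets were renamed and the Windows Analytics article's H1 now says "enhanced diagnostic data events". Align the link text with the renamed titles. The new rows also mix "|[" and "| [" cell spacing; match the spacing of the surrounding rows.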
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 06e04ade22..94ac63a7a7 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
-ms.date: 10/30/2017
+ms.date: 02/08/2018
ms.author: jdecker
---
@@ -20,31 +20,69 @@ ms.author: jdecker
- Windows 10
-A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package.
-
->[!NOTE]
->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
+A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app.
The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
>[!WARNING]
->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
+
+
+## Configure a kiosk in Microsoft Intune
+
+Watch how to use Intune to configure a multi-app kiosk.
+
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false]
+
+1. [Generate the Start layout for the kiosk device.](#startlayout)
+2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
+3. Select **Device configuration**.
+4. Select **Profiles**.
+5. Select **Create profile**.
+6. Enter a friendly name for the profile.
+7. Select **Windows 10 and later** for the platform.
+8. Select **Device restrictions** for the profile type.
+9. Select **Kiosk**.
+10. In **Kiosk Mode**, select **Multi app kiosk**.
+11. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
+12. Enter a friendly name for the configuration.
+13. Select an app type, either **Win32 App** for a classic desktop application or **UWP App** for a Universal Windows Platform app.
+ - For **Win32 App**, enter the fully qualified pathname of the executable, with respect to the device.
+ - For **UWP App**, enter the Application User Model ID for an installed app.
+14. Select whether to enable the taskbar.
+15. Browse to and select the Start layout XML file that you generated in step 1.
+16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available.
+17. Select **OK**. You can add additional configurations or finish.
+18. Assign the profile to a device group to configure the devices in that group as kiosks.
+
+
+
+
+
+## Configure a kiosk using a provisioning package
Process:
1. [Create XML file](#create-xml-file)
2. [Add XML file to provisioning package](#add-xml)
3. [Apply provisioning package to device](#apply-ppkg)
+Watch how to use a provisioning package to configure a multi-app kiosk.
+
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
+
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
-## Prerequisites
+### Prerequisites
- Windows Configuration Designer (Windows 10, version 1709)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
+>[!NOTE]
+>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
-## Create XML file
+### Create XML file
Let's start by looking at the basic structure of the XML file.
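Review bot: Demoting Prerequisites to `### Prerequisites` places the Windows 10, version 1709 requirement under "Configure a kiosk using a provisioning package" only, although the opening paragraph ties multi-app kiosks in general to the AssignedAccess CSP changes in version 1709. State the version requirement ahead of both methods, or repeat it in the Intune section. Also confirm that the new links `#intune`, `#provision` and `#startlayout` resolve: no explicit anchors are visible in the added lines, and the new headings would not generate those ids on their own.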
@@ -81,7 +119,7 @@ You can start your file by pasting the following XML (or any other examples in t
```
-### Profile
+#### Profile
A profile section in the XML has the following entries:
@@ -94,7 +132,7 @@ A profile section in the XML has the following entries:
- [**Taskbar**](#taskbar)
-#### Id
+##### Id
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
@@ -104,7 +142,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
```
-#### AllowedApps
+##### AllowedApps
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps.
@@ -146,7 +184,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula
```
-#### StartLayout
+##### StartLayout
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
@@ -193,7 +231,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint,

-#### Taskbar
+##### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
@@ -212,7 +250,7 @@ The following example hides the taskbar:
>[!NOTE]
>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
-### Configs
+#### Configs
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
@@ -247,7 +285,7 @@ Before applying the multi-app configuration, make sure the specified user accoun
-## Add XML file to provisioning package
+### Add XML file to provisioning package
Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md#xsd-for-assignedaccess-configuration-xml).
@@ -308,12 +346,12 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
15. Copy the provisioning package to the root directory of a USB drive.
-## Apply provisioning package to device
+### Apply provisioning package to device
Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
-### During initial setup, from a USB drive
+#### During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
@@ -337,7 +375,7 @@ Provisioning packages can be applied to a device during the first-run experience
-### After setup, from a USB drive, network folder, or SharePoint site
+#### After setup, from a USB drive, network folder, or SharePoint site
1. Sign in with an admin account.
2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
@@ -356,7 +394,7 @@ Provisioning packages can be applied to a device during the first-run experience
-## Use MDM to deploy the multi-app configuration
+### Use MDM to deploy the multi-app configuration
Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
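Review bot: `### Use MDM to deploy the multi-app configuration` now nests under "Configure a kiosk using a provisioning package", yet that section's own text offers MDM as the route for readers who don't want to use a provisioning package. Keep this heading at `##`, or place it beside the Intune section, so the outline agrees with that sentence and with the `#alternate-methods` link.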
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 6756fcb472..f37871b6d2 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -9,29 +9,38 @@ ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
-ms.date: 11/30/2017
+ms.date: 01/29/2018
---
# Manage connections from Windows operating system components to Microsoft services
**Applies to**
-- Windows 10
+- Windows 10 Enterprise edition
- Windows Server 2016
-If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+You can configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887).
+This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
+Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
+However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended.
+Make sure should you've chosen the right settings configuration for your environment before applying.
+You should not extract this package to the windows\\system32 folder because it will not apply correctly.
+
+Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
+It is recommended that you restart a device after making configuration changes to it.
+Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-## What's new in Windows 10, version 1709
+## What's new in Windows 10, version 1709 Enterprise edition
Here's a list of changes that were made to this article for Windows 10, version 1709:
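Review bot: The reflowed baseline paragraph carries over the typo "Make sure should you've chosen", and the rewritten paragraph above it still reads "such as updating malware definitions and maintain current certificate revocation lists". Both lines are touched by this change, so fix them here ("Make sure you've chosen", "maintaining"). The link target also changes to `configure-windows-diagnostic-data-in-your-organization.md`; confirm that the file rename or a redirect ships with this change, since it is not visible in this hunk.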
@@ -39,7 +48,7 @@ Here's a list of changes that were made to this article for Windows 10, version
- Added the Storage Health section.
- Added discussion of apps for websites in the Microsoft Store section.
-## What's new in Windows 10, version 1703
+## What's new in Windows 10, version 1703 Enterprise edition
Here's a list of changes that were made to this article for Windows 10, version 1703:
@@ -69,28 +78,28 @@ Here's a list of changes that were made to this article for Windows 10, version
## Management options for each setting
-The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections.
+The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
-### Settings for Windows 10 Enterprise, version 1703
+### Settings for Windows 10 Enterprise edition
-See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703.
+See the following table for a summary of the management settings for Windows 10 Enterprise, version 1709 and Windows 10 Enterprise, version 1703.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | | | |
-| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  |  |
+| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  | |
| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
| [4. Device metadata retrieval](#bkmk-devinst) | |  | |  | |
| [5. Find My Device](#find-my-device) | |  | | | |
| [6. Font streaming](#font-streaming) | |  | |  | |
-| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  |  |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  | |
| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
| [9. Live Tiles](#live-tiles) | |  | |  | |
| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
-| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  |  |
+| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  | |
| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  | |  | |
| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
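Review bot: The Command line check mark is removed from the Cortana and Search, Insider Preview builds and Microsoft Edge rows, which leaves that column empty in every row shown in this hunk. Confirm that the matching command-line instructions are removed from sections 2, 7 and 12, and drop the column if no remaining row uses it. The unchanged sentence "If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch" has no clear antecedent for "they" next to the reworded paragraph and is worth fixing while this block is edited.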
@@ -362,7 +371,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
> [!NOTE]
-> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the telemetry level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
+> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
To turn off Insider Preview builds for a released version of Windows 10:
@@ -522,6 +531,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library. Default: Not configured |
| Configure Autofill | Choose whether employees can use autofill on websites. Default: Enabled |
| Configure Do Not Track | Choose whether employees can send Do Not Track headers. Default: Disabled |
| Configure Password Manager | Choose whether employees can save passwords locally on their devices. Default: Enabled |
@@ -548,7 +558,8 @@ Alternatively, you can configure the Microsoft Group Policies using the followin
| Policy | Registry path |
| - | - |
-| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest REG_SZ: **no** |
+| Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary!AllowConfigurationUpdateForBooksLibrary REG_DWORD: **0** |
+| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest REG_SZ: **no** |
| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack REG_DWORD: 1 |
| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords REG_SZ: **no** |
| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal REG_DWORD: 0|
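Review bot: The new Books Library row bolds its value (`REG_DWORD: **0**`) while the other REG_DWORD rows in this table (DoNotTrack, ShowSearchSuggestionsGlobal) are plain; pick one style. The Configure Autofill line changes only in whitespace and can be left out of the diff. The policy row added in the previous hunk says "Default: Not configured" without saying what a configuration update fetches, so a reader cannot tell from the article why 0 is the value listed here.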
@@ -884,7 +895,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
> [!NOTE]
-> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
+> If the diagnostic data level is set to either **Basic** or **Security**, this is turned off automatically.
@@ -1055,7 +1066,17 @@ To turn off **Choose apps that can use your microphone**:
### 17.5 Notifications
-In the **Notifications** area, you can choose which apps have access to notifications.
+To turn off notifications network usage:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage**
+
+ - Set to **Enabled**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one)
+
+In the **Notifications** area, you can also choose which apps have access to notifications.
To turn off **Let apps access my notifications**:
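Review bot: The new registry bullet joins key and value name with `!` (`...\PushNotifications!NoCloudApplicationNotification`) and omits the closing period, while the AllowTelemetry and MRT bullets elsewhere in this article give the value as a plain backslash path. Use one notation for bullets. The added text also does not say what stops working when notifications network usage is turned off; other additions in this patch (the baseline paragraph, the Microsoft Store section) state their side effects, so add a sentence here too.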
@@ -1428,11 +1449,14 @@ To change the level of diagnostic and usage data sent when you **Send your devic
-or-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
+
+> [!NOTE]
+> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
-or-
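Review bot: The new NOTE sits between the registry bullet and the following "-or-", so it splits the list of alternatives; move it after the last option. The registry bullet also loses its explicit value: the old text said 0, the new text says 0-3 with "see below", which makes a reader who came to minimize connections look up the number elsewhere. Name the value for the Security level in the bullet, and because the note says Security is only available in Enterprise edition, say which value is the lowest that other editions honor or state that the article targets Enterprise only.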
@@ -1472,7 +1496,11 @@ In the **Background Apps** area, you can choose which apps can run in the backgr
To turn off **Let apps run in the background**:
-- Turn off the feature in the UI for each app.
+- In **Background apps**, set **Let apps run in the background** to **Off**.
+
+ -or-
+
+- In **Background apps**, turn off the feature for each app.
-or-
@@ -1723,7 +1751,7 @@ For Windows 10 only, you can stop Enhanced Notifications:
- Turn off the feature in the UI.
-You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
+You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
### 24. Windows Media Player
@@ -1800,7 +1828,10 @@ For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md).
### 26. Microsoft Store
-You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Microsoft Store will be disabled. On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
+You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded.
+This will also turn off automatic app updates, and the Microsoft Store will be disabled.
+In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**.
+On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
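Review bot: The list of side effects of disabling the Store grows here but leaves out the one stated in the endpoints article touched by this same patch: with the Store disabled, it "won't be able to revoke malicious apps and users will still be able to open them". That is the consequence an administrator most needs to weigh before applying this policy, so add it here or link to it.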
diff --git a/windows/configuration/manage-windows-endpoints-version-1709.md b/windows/configuration/manage-windows-endpoints-version-1709.md
index dbecf39d02..1ce981a341 100644
--- a/windows/configuration/manage-windows-endpoints-version-1709.md
+++ b/windows/configuration/manage-windows-endpoints-version-1709.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
-ms.author: brianlic-msft
+ms.author: brianlic
ms.date: 11/21/2017
---
# Manage Windows 10 connection endpoints
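Review bot: `ms.author` becomes `brianlic` here, while manage-connections-from-windows-operating-system-components-to-microsoft-services.md in this same patch keeps `ms.author: brianlic-msft` beside the same `author: brianlic-msft`. Use one alias in both files. `ms.date` also stays at 11/21/2017 although the article body changes in the hunks below; the companion article bumps its date in this patch.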
@@ -133,7 +133,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| backgroundtaskhost | HTTPS | www.bing.com/proactive/v2/spark?cc=US&setlang=en-US |
-The following endpoint is used by Cortana to report diagnostic and telemetry information.
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
| Source process | Protocol | Destination |
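Review bot: The replacement line reads "report diagnostic and diagnostic data information", which looks like the result of a mechanical telemetry to diagnostic data substitution. Reword it, for example "used by Cortana to report diagnostic data".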
@@ -175,6 +175,30 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| | | dmd.metaservices.microsoft.com.akadns.net |
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com/Telemetry.Request |
+| |TLS v1.2 |modern.watson.data.microsoft.com.akadns.net|
+
## Font streaming
The following endpoints are used to download fonts on demand.
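Review bot: The first two paragraphs of the new Diagnostic Data section are word-for-word identical and each introduces a one-row table; merge them into one paragraph with a two-row table. The Protocol cell is empty for both svchost rows and for watson.telemetry.microsoft.com, while the last row gives "TLS v1.2"; fill in the missing cells or say the protocol is not documented, since a reader building an allow or block list from this table needs it.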
@@ -294,7 +318,6 @@ If you turn off traffic for these endpoints, users won't be able to save documen
| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-ently used documents.
| Source process | Protocol | Destination |
|----------------|----------|------------|
@@ -340,7 +363,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
|----------------|----------|------------|
| dmclient | HTTPS | settings.data.microsoft.com |
-The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experience and Telemetry component and Windows Insider Program use it.
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
@@ -355,29 +378,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
|----------------|----------|------------|
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
-## Telemetry
-The following endpoint is used by the Connected User Experience and Telemetry component and connects to the Microsoft Data Management service.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
-
-The following endpoint is used by the Connected User Experience and Telemetry component and connects to the Microsoft Data Management service.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
-
-The following endpoints are used by Windows Error Reporting.
-To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| wermgr | | watson.telemetry.microsoft.com/Telemetry.Request |
-| |TLS v1.2 |modern.watson.data.microsoft.com.akadns.net|
## Windows Defender
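Review bot: Deleting the `## Telemetry` heading removes its anchor. Check this article and the ones that link to it for `#telemetry` references and repoint them to the new Diagnostic Data section added earlier in this file.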
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index d933b0bc8f..4c5d461287 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -73,7 +73,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate

-### Add a universal app to your package
+## Add a universal app to your package
Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
@@ -108,7 +108,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
-### Add a certificate to your package
+## Add a certificate to your package
1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
@@ -123,11 +123,11 @@ Universal apps that you can distribute in the provisioning package can be line-o
5. For **KeyLocation**, select **Software only**.
-### Add other settings to your package
+## Add other settings to your package
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
-### Build your package
+## Build your package
1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index fcbf41202b..d68048c98d 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 01/31/2018
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
@@ -32,14 +32,21 @@ A single-use or *kiosk* device is easy to set up in Windows 10 for desktop edit
- For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only).
-To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
+>[!TIP]
+>To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
>[!NOTE]
>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
-
+## Using a local device as a kiosk
+When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
+If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
+
+If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
+
+
## Set up a kiosk using Windows Configuration Designer
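Review bot: The new "Using a local device as a kiosk" section says the last signed-in user is signed in automatically after a restart, but it only spells out the case where that user is the kiosk account. State the other case too: if an administrator or any other account was the last to sign in, the device restarts into that session rather than the kiosk app. Formatting: the added heading has no blank line before or after it, and the line starting "If you want the kiosk account signed in automatically" follows the previous paragraph with no blank line between them, so the two will render as one paragraph. The two consecutive blank `+` lines before the next heading can be one.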
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 7db69cb00b..196d95eb81 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -50,7 +50,7 @@ Apps can take advantage of shared PC mode with the following three APIs:
- [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
- [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
-- [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle telemetry differently or hide advertising functionality.
+- [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
###Customization
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index bd8061516c..c12a8cf0c6 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -68,7 +68,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
```
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
- Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
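Review bot: The replacement Export-StartLayout link is an absolute docs.microsoft.com URL carrying a `?view=win10-ps` query, which pins readers to one version view of the cmdlet reference. Unless that pin is intended, drop the query string, and consider the site-relative link form this commit already uses elsewhere (for example `/microsoft-store/acquire-apps-windows-store-for-business`).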
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index 62ab60728d..f0eda613ab 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -51,7 +51,7 @@ The following policy settings can be configured for UE-V.
The default is enabled.
-
Roam Windows settings
+
Synchronize Windows settings
Computers and Users
This Group Policy setting configures the synchronization of Windows settings.
Select which Windows settings synchronize between computers.
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index 5be53d2953..2df8e81ee7 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -42,7 +42,7 @@ Specifies the settings you can configure when joining a device to a domain, incl
| --- | --- | --- |
| Account | string | Account to use to join computer to domain |
| AccountOU | string | Name of organizational unit for the computer account |
-| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIALNUMBER% characters in the name.ComputerName is a string with a maximum length of 15 bytes of content:- ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.- ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.- ComputerName cannot use some non-standard characters, such as emoji.Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) |
+| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIAL% characters in the name.ComputerName is a string with a maximum length of 15 bytes of content:- ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.- ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.- ComputerName cannot use some non-standard characters, such as emoji.Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) |
| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join |
| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. |
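Review bot: The rewritten ComputerName row still has an unescaped `|` in its forbidden-character list (`\{ | \} ~`), which splits the cell and pushes the rest of the row into extra columns; escape it or use `&#124;`. While this line is being edited, restore the breaks in the run-together sentences ("in the name.ComputerName is a string", ":- ComputerName can use") and remove the duplication in "cannot use spaces ... or contain any spaces". The change from %SERIALNUMBER% to %SERIAL% alters the documented token, so confirm it against what Windows Configuration Designer accepts and note the reason in the commit message.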
@@ -55,4 +55,4 @@ Use these settings to add local user accounts to the device.
| UserName | string (cannot be empty) | Specify a name for the local user account |
| HomeDir | string (cannot be ampty) | Specify the path of the home directory for the user |
| Password | string (cannot be empty) | Specify the password for the user account |
-| UserGroup | string (cannot be empty) | Specify the local user group for the user |
\ No newline at end of file
+| UserGroup | string (cannot be empty) | Specify the local user group for the user |
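Review bot: The HomeDir row in the unchanged context reads "cannot be ampty"; fix it to "empty" in this same change, since the hunk already rewrites the last row of this table only to add the trailing newline.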
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index dc86093dd9..fa754b467b 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -425,6 +425,7 @@ The following table shows the scenarios supported by this customization:
Multivariant setting set?|SPN provisioned?|MSISDN (last 4 digits: 1234, for example) provisioned?|Default SIM name
+--- | --- | --- | ---
Yes|Yes|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234
Yes|No|No|*MultivariantProvisionedSPN* (up to 16 characters)
Yes|Yes|No|*MultivariantProvisionedSPN* (up to 16 characters)
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index 5c8c80dffc..0073f13e81 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -166,7 +166,7 @@ The **Config** settings are initial settings that can be overwritten when settin
### SystemCapabilities
-You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Telemetry data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
+You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Diagnostic data data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
| Setting | Description |
| --- | --- |
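Review bot: The replacement sentence under SystemCapabilities now reads "Diagnostic data data is generated by the system to provide data", a doubled word left by swapping "Telemetry" for "Diagnostic data". Suggest "Diagnostic data is generated by the system to help diagnose both software and hardware issues".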
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index d95ae64429..25f5b58fc5 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -372,10 +372,10 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | |
| [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X |
| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | X | X |
-| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and useage telemetry data. | X | X | | | |
+| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | | |
| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
-| [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
+| [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
## TextInput
diff --git a/windows/configuration/windows-diagnostic-data-1703.md b/windows/configuration/windows-diagnostic-data-1703.md
index bb63c4b710..67fd23abec 100644
--- a/windows/configuration/windows-diagnostic-data-1703.md
+++ b/windows/configuration/windows-diagnostic-data-1703.md
@@ -1,6 +1,6 @@
---
-title: Windows 10 diagnostic data for the Full telemetry level (Windows 10)
-description: Use this article to learn about the types of data that is collected the the Full telemetry level.
+title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10)
+description: Use this article to learn about the types of data that is collected the the Full diagnostic data level.
keywords: privacy,Windows 10
ms.prod: w10
ms.mktglfcycl: manage
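Review bot: The new `description:` line carries over the error from the line it replaces: "collected the the Full diagnostic data level" should be "collected at the Full diagnostic data level". This string is front matter and typically surfaces as page metadata, so fix it in this change.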
@@ -8,15 +8,15 @@ ms.sitesec: library
ms.localizationpriority: high
author: eross-msft
ms.author: lizross
-ms.date: 04/05/2017
+ms.date: 11/28/2017
---
-# Windows 10 diagnostic data for the Full telemetry level
+# Windows 10 diagnostic data for the Full diagnostic data level
**Applies to:**
-- Windows 10, version 1703 and later
+- Windows 10, version 1703
-Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md).
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md).
The data covered in this article is grouped into the following categories:
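Review bot: "Applies to" is narrowed to Windows 10, version 1703, but the rewritten introductory paragraph still sends readers first to the version 1709 Basic level events article. Either list the 1703 link first or drop the 1709 link, now that this commit adds a separate 1709 Full level article. The same paragraph is also missing a word: "describes all types diagnostic data" should read "all types of diagnostic data".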
diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md
new file mode 100644
index 0000000000..e3c5fb9fa4
--- /dev/null
+++ b/windows/configuration/windows-diagnostic-data.md
@@ -0,0 +1,262 @@
+---
+title: Windows 10, version 1709 diagnostic data for the Full level (Windows 10)
+description: Use this article to learn about the types of diagnostic data that is collected at the Full level.
+keywords: privacy,Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 01/30/2018
+---
+
+# Windows 10, version 1709 diagnostic data for the Full level
+
+Applies to:
+- Windows 10, version 1709
+
+Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
+
+In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
+
+The data covered in this article is grouped into the following types:
+
+- Common data (diagnostic header information)
+
+- Device, Connectivity, and Configuration data
+
+- Product and Service Usage data
+
+- Product and Service Performance data
+
+- Software Setup and Inventory data
+
+- Browsing History data
+
+- Inking, Typing, and Speech Utterance data
+
+## Common data
+Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017.
+
+**Data Use for Common data**
+Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category.
+
+### Data Description for Common data type
+|Sub-type|Description and examples|
+|- |- |
+|Common Data|Information that is added to most diagnostic events, if relevant and available:
Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
Event collection time (8.2.3.2.2 Telemetry data)
User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data (8.2.5 Account data)
Xbox UserID (8.2.5 Account data)
Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
|
+
+## Device, Connectivity, and Configuration data
+This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
+
+### Data Use for Device, Connectivity, and Configuration data
+
+**For Diagnostics:**
+[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft products and services. For example:
+
+- Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example:
+
+ - Data about the use of cellular modems and their configuration on your devices is used to troubleshoot cellular modem issues.
+
+ - Data about the use of USB hubs use and their configuration on your devices is used to troubleshoot USB hub issues.
+
+ - Data about the use of connected Bluetooth devices is used to troubleshoot compatibility issues with Bluetooth devices.
+
+- Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update.
+
+- Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update.
+
+- Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.
+
+**With (optional) Tailored experiences:**
+If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience.
+
+- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.
+
+### Data Description for Device, Connectivity, and Configuration data type
+|Sub-type|Description and examples|
+|- |- |
+|Device properties |Information about the operating system and device hardware, such as:
Operating system - version name, edition
Installation type, subscription status, and genuine operating system status
Processor architecture, speed, number of cores, manufacturer, and model
OEM details --manufacturer, model, and serial number
Device identifier and Xbox serial number
Firmware/BIOS operating system -- type, manufacturer, model, and version
Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
Storage -- total capacity and disk type
Battery -- charge capacity and InstantOn support
Hardware chassis type, color, and form factor
Is this a virtual machine?
|
+|Device capabilities|Information about the specific device capabilities, such as:
Camera -- whether the device has a front facing camera, a rear facing camera, or both.
Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
Voice -- whether voice interaction is supported and the number of active microphones
Number of displays, resolutions, and DPI
Wireless capabilities
OEM or platform face detection
OEM or platform video stabilization and quality-level set
Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
|
+|Device preferences and settings |Information about the device settings and user preferences, such as:
User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
User-provided device name
Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
Hashed representation of the domain name
MDM (mobile device management) enrollment settings and status
BitLocker, Secure Boot, encryption settings, and status
Windows Update settings and status
Developer Unlock settings and status
Default app choices
Default browser choice
Default language settings for app, input, keyboard, speech, and display
App store update settings
Enterprise OrganizationID, Commercial ID
|
+|Device peripherals |Information about the device peripherals, such as:
Peripheral name, device model, class, manufacturer, and description
Peripheral device state, install state, and checksum
Driver name, package name, version, and manufacturer
HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
Driver state, problem code, and checksum
Whether driver is kernel mode, signed, and image size
|
+|Device network info |Information about the device network configuration, such as:
Network system capabilities
Local or Internet connectivity status
Proxy, gateway, DHCP, DNS details, and addresses
Whether it's a paid or free network
Whether the wireless driver is emulated
Whether it's access point mode-capable
Access point manufacturer, model, and MAC address
WDI Version
Name of networking driver service
Wi-Fi Direct details
Wi-Fi device hardware ID and manufacturer
Wi-Fi scan attempt and item counts
Whether MAC randomization is supported and enabled
Number of supported spatial streams and channel frequencies
Whether Manual or Auto-connect is enabled
Time and result of each connection attempt
Airplane mode status and attempts
Interface description provided by the manufacturer
Data transfer rates
Cipher algorithm
Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
Mobile operator and service provider name
Available SSIDs and BSSIDs
IP Address type -- IPv4 or IPv6
Signal Quality percentage and changes
Hotspot presence detection and success rate
TCP connection performance
Miracast device names
Hashed IP address
+
+## Product and Service Usage data
+This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
+
+### Data Use for Product and Service Usage data
+
+**For Diagnostics:**
+[Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps.
+
+- Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.
+
+- Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature.
+
+- Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process.
+
+- Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana.
+
+- Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app.
+
+**With (optional) Tailored experiences:**
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature.
+
+- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps.
+
+
+### Data Description for Product and Service Usage data type
+|Sub-type|Description and examples |
+|- |- |
+|App usage|Information about Windows and application usage, such as:
Operating system component and app feature usage
User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
Time of and count of app and component launches, duration of use, session GUID, and process ID
App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
Cortana launch entry point and reason
Notification delivery requests and status
Apps used to edit images and videos
SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines
Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
Emergency alerts are received or displayed statistics
Content searches within an app
Reading activity -- bookmarked, printed, or had the layout changed
|
+|App or product state|Information about Windows and application state, such as:
Start Menu and Taskbar pins
Online and offline status
App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture
Personalization impressions delivered
Whether the user clicked on, or hovered over, UI controls or hotspots
User provided feedback, such as Like, Dislike or a rating
Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
|
+|Purchasing|Information about purchases made on the device, such as:
Product ID, edition ID and product URI
Offer details -- price
Date and time an order was requested
Microsoft Store client type -- web or native client
Purchase quantity and price
Payment type -- credit card type and PayPal
|
+|Login properties|Information about logins on the device, such as:
Login success or failure
Login sessions and state
|
+
+## Product and Service Performance data
+This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data.
+
+### Data Use for Product and Service Performance data
+
+**For Diagnostics:**
+[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
+
+- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance.
+
+- Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance.
+
+- Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance.
+
+**With (optional) Tailored experiences:**
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users.
+
+- Data about battery performance on a device may be used to recommend settings changes that can improve battery performance.
+
+- If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space.
+
+- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps.
+
+**Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.**
+
+### Data Description for Product and Service Performance data type
+|Sub-type|Description and examples |
+|- |- |
+|Device health and crash data|Information about the device and software health, such as:
Error codes and error messages, name and ID of the app, and process reporting the error
DLL library predicted to be the source of the error -- for example, xyz.dll
System generated files -- app or product logs and trace files to help diagnose a crash or hang
System settings, such as registry keys
User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
Details and counts of abnormal shutdowns, hangs, and crashes
Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
Crash and hang dumps, including:
The recorded state of the working memory at the point of the crash
Memory in-use by the kernel at the point of the crash.
Memory in-use by the application at the point of the crash
All the physical memory used by Windows at the point of the crash
Class and function name within the module that failed.
|
+|Device performance and reliability data|Information about the device and software performance, such as:
User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
Disk footprint -- Free disk space, out of memory conditions, and disk score
Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
|
+|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
Video Width, height, color palette, encoding (compression) type, and encryption type
Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
URL for a specific two-second chunk of content if there is an error
Full-screen viewing mode details
|
+|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening, or habits.
Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
Content type (video, audio, or surround audio)
Local media library collection statistics -- number of purchased tracks and number of playlists
Region mismatch -- User's operating system region and Xbox Live region
|
+|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
App accessing content and status and options used to open a Microsoft Store book
Language of the book
Time spent reading content
Content type and size details
|
+|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening, or habits.
File source data -- local, SD card, network device, and OneDrive
Image and video resolution, video length, file sizes types, and encoding
Collection view or full screen viewer use and duration of view
|
+|On-device file query |Information about local search activity on the device, such as:
Kind of query issued and index type (ConstraintIndex or SystemIndex)
Number of items requested and retrieved
File extension of search result with which the user interacted
Launched item type, file extension, index of origin, and the App ID of the opening app
Name of process calling the indexer and the amount of time to service the query
A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
|
+|Entitlements |Information about entitlements on the device, such as:
Service subscription status and errors
DRM and license rights details -- Groove subscription or operating system volume license
Entitlement ID, lease ID, and package ID of the install package
Entitlement revocation
License type (trial, offline versus online) and duration
License usage session
|
+
+## Software Setup and Inventory data
+This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
+
+### Data Use for Software Setup and Inventory data
+
+**For Diagnostics:**
+[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
+
+- Data about when a download starts and finishes on a device is used to understand and address download problems.
+
+- Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
+
+- Data about the antimalware installed on a device is used to understand malware transmissions vectors.
+
+**With (optional) Tailored experiences:**
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store.
+
+### Data Description for Software Setup and Inventory data type
+|Sub-type|Description and examples |
+|- |- |
+|Installed Applications and Install History|Information about apps, drivers, update packages, or operating system components installed on the device, such as:
App, driver, update package, or component’s Name, ID, or Package Family Name
Product, SKU, availability, catalog, content, and Bundle IDs
Operating system component, app or driver publisher, language, version and type (Win32 or UWP)
Install date, method, install directory, and count of install attempts
MSI package and product code
Original operating system version at install time
User, administrator, or mandatory installation or update
Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
|
+|Device update information |Information about Windows Update, such as:
Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
Number of applicable updates, importance, and type
Update download size and source -- CDN or LAN peers
Delay upgrade status and configuration
Operating system uninstall and rollback status and count
Windows Update server and service URL
Windows Update machine ID
Windows Insider build details
|
+
+## Browsing History data
+This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history.
+
+### Data Use for Browsing History data
+
+**For Diagnostics:**
+[Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
+
+- Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content.
+
+- Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain.
+
+- Data about when the **Address** bar is used for navigation purposes is used to improve the Suggested Sites feature and to understand and address problems arising from navigation.
+
+- Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes feature.
+
+- Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page.
+
+**With (optional) Tailored experiences:**
+If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
+
+- We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
+
+### Data Description for Browsing History data type
+|Sub-type|Description and examples |
+|- |- |
+|Microsoft browser data|Information about **Address** bar and **Search** box performance on the device, such as:
Text typed in **Address** bar and **Search** box
Text selected for an **Ask Cortana** search
Service response time
Auto-completed text, if there was an auto-complete
Navigation suggestions provided based on local history and favorites
Browser ID
URLs (may include search terms)
Page title
|
+
+## Inking Typing and Speech Utterance data
+This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
+
+### Data Use for Inking, Typing, and Speech Utterance data
+
+**For Diagnostics:**
+[Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example:
+
+- Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
+
+- Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
+
+- Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature.
+
+- Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
+
+- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition.
+
+**With (optional) Tailored experiences:**
+
+**Microsoft doesn't use Windows Inking, Typing, and Speech Utterance data for Tailored experiences.**
+
+### Data Description for Inking, Typing, and Speech Utterance data type
+|Sub-type|Description and examples |
+|- |- |
+|Voice, inking, and typing|Information about voice, inking and typing features, such as:
Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
Pen gestures (click, double click, pan, zoom, or rotate)
Palm Touch x,y coordinates
Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
Text of speech recognition results -- result codes and recognized text
Language and model of the recognizer and the System Speech language
App ID using speech features
Whether user is known to be a child
Confidence and success or failure of speech recognition
|
+
+## ISO/IEC 19944:2017-specific terminology
+This table provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article.
+
+|Term |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
+|-|-|-|
+|Provide |9.3.2 Provide |Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.|
+|Improve |9.3.3 Improve |Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users.|
+|Personalize |9.3.4 Personalize |Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.|
+|Recommend |9.3.4 Personalize |“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.
Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement.|
+|Offer |9.3.5 Offer upgrades or upsell |Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.|
+|Promote|9.3.6 Market/advertise/promote|Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.|
+
+
+|Data identification qualifiers |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
+|-|-|-|
+|Pseudonymized Data |8.3.3 Pseudonymized data|As defined|
+|Anonymized Data |8.3.5 Anonymized data|As defined|
+|Aggregated Data |8.3.6 Aggregated data|As defined|
\ No newline at end of file
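Review bot: In the Product and Service Performance section, the Cortana bullet misspells "peformance", and the "With (optional) Tailored experiences" paragraph there goes straight into its bullet list without the "For example:" lead-in that the Usage, Software Setup and Browsing History sections use. Also worth fixing before merge: the heading "## Inking Typing and Speech Utterance data" omits the commas its own subheadings use, "malware transmissions vectors" should read "malware transmission vectors", "related Microsoft product and services" should be "products and services" in each **For Diagnostics** paragraph, and the file ends without a trailing newline. The in-page links (#pseudo), (#anon), (#provide), (#improve) and the rest need matching anchors; the terminology table rows at the end of the file carry none in the lines shown, so confirm they are defined elsewhere in the file.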
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index c1b5070e1d..6e1b327c7d 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 01/26/2018
---
# Configure Windows Spotlight on the lock screen
@@ -68,12 +68,23 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+ >[!TIP]
+ >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image).
+

Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages.
+## Resolution for custom lock screen image
+A concern with custom lock screen images is how they will appear on different screen sizes and resolutions.
+
+A custom lock screen image created in 16:9 aspect ratio (1600x900) will scale properly on devices using a 16:9 resolution, such as 1280x720 or 1920x1080. On devices using other aspect ratios, such as 4:3 (1024x768) or 16:10 (1280x800), height scales correctly and width is cropped to a size equal to the aspect ratio. The image will remain centered on the screen
+
+Lock screen images created at other aspect ratios may scale and center unpredictably on your device when changing aspect ratios.
+
+The recommendation for custom lock screen images that include text (such as a legal statement) is to create the lock screen image in 16:9 resolution with text contained in the 4:3 region, allowing the text to remain visible at any aspect ratio.
## Related topics
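Review bot: In the new "Resolution for custom lock screen image" section, the sentence "The image will remain centered on the screen" is missing its final period, and "width is cropped to a size equal to the aspect ratio" is hard to parse; something like "width is cropped to fit the device's aspect ratio" says the same thing more plainly. The last paragraph says "16:9 resolution" where the rest of the section says "aspect ratio"; pick one term. Since the recommendation is aimed at images carrying text such as a legal statement, consider giving the dimensions of the 4:3 safe region for the 1600x900 example so authors do not have to work it out. The new heading and the following "## Related topics" heading both sit directly against the preceding paragraph with no blank line between them.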
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index c5ccc885d1..df889e6bbf 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -8,12 +8,14 @@
### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
+### [Submit Windows 10 upgrade errors](upgrade/submit-errors.md)
## [Deploy Windows 10](deploy.md)
### [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md)
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
+#### [Windows 10 downgrade paths](upgrade/windows-10-downgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
### [Windows 10 volume license media](windows-10-media.md)
@@ -222,6 +224,7 @@
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
+#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
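Review bot: The added entry links to update/WIP4Biz-intro.md, which breaks the lowercase, hyphenated naming used by the neighbouring entries (waas-windows-insider-for-business.md, waas-windows-insider-for-business-faq.md). Mixed-case file names are easy to mistype in later cross-links and will not resolve on a case-sensitive host if the case differs; suggest a lowercase name that follows the waas- pattern, and confirm the file itself is added in this change.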
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 53297d9119..40c3fdf557 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -442,7 +442,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
3. Click **Edit Bootstrap.ini** and modify using the following information:
``` syntax
- Settings]
+ [Settings]
Priority=Default
[Default]
DeployRoot=\\MDT01\MDTBuildLab$
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 10dc612bdb..2040ebf2d1 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -21,7 +21,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
diff --git a/windows/deployment/images/downlevel.PNG b/windows/deployment/images/downlevel.PNG
new file mode 100644
index 0000000000..dff0ebb02b
Binary files /dev/null and b/windows/deployment/images/downlevel.PNG differ
diff --git a/windows/deployment/images/event.PNG b/windows/deployment/images/event.PNG
new file mode 100644
index 0000000000..3950d795ca
Binary files /dev/null and b/windows/deployment/images/event.PNG differ
diff --git a/windows/deployment/images/feedback.PNG b/windows/deployment/images/feedback.PNG
new file mode 100644
index 0000000000..15e171c4ed
Binary files /dev/null and b/windows/deployment/images/feedback.PNG differ
diff --git a/windows/deployment/images/firstboot.PNG b/windows/deployment/images/firstboot.PNG
new file mode 100644
index 0000000000..dfb798c93c
Binary files /dev/null and b/windows/deployment/images/firstboot.PNG differ
diff --git a/windows/deployment/images/safeos.PNG b/windows/deployment/images/safeos.PNG
new file mode 100644
index 0000000000..88c31087a4
Binary files /dev/null and b/windows/deployment/images/safeos.PNG differ
diff --git a/windows/deployment/images/secondboot.PNG b/windows/deployment/images/secondboot.PNG
new file mode 100644
index 0000000000..670fdce7b0
Binary files /dev/null and b/windows/deployment/images/secondboot.PNG differ
diff --git a/windows/deployment/images/secondboot2.PNG b/windows/deployment/images/secondboot2.PNG
new file mode 100644
index 0000000000..0034737e90
Binary files /dev/null and b/windows/deployment/images/secondboot2.PNG differ
diff --git a/windows/deployment/images/secondboot3.PNG b/windows/deployment/images/secondboot3.PNG
new file mode 100644
index 0000000000..c63ef6939d
Binary files /dev/null and b/windows/deployment/images/secondboot3.PNG differ
diff --git a/windows/deployment/images/share.jpg b/windows/deployment/images/share.jpg
new file mode 100644
index 0000000000..e8365ad34c
Binary files /dev/null and b/windows/deployment/images/share.jpg differ
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
index fe0e5d5f08..f63641d04f 100644
--- a/windows/deployment/index.md
+++ b/windows/deployment/index.md
@@ -32,7 +32,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about media available in the Microsoft Volume Licensing Service Center. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 1f0ef3d834..8e67035c39 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 10/27/2017
+ms.date: 02/13/2018
ms.localizationpriority: high
---
@@ -70,7 +70,7 @@ If any of these checks fails, the conversion will not proceed and an error will
|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
-|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.|
+|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.|
## Examples
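Review bot: The note added to the /allowFullOS row says a new ESP is created by shrinking the OS partition, but it leaves out the side effect this same patch documents further down: the MBR system partition that is left behind might be assigned a drive letter. Suggest ending the cell with a pointer to the ESP rules section so readers who convert from the full OS see both consequences. While this table is open, the /map row above still spells "hexidecimal"; it should read "hexadecimal".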
@@ -236,15 +236,18 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr
For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
-1. The existing MBR system partition is reused if it meets these requirements:
- a. It is not also the OS or Windows Recovery Environment partition
- b. It is at least 100MB (or 260MB for 4K sector size disks) in size
- c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
- d. If the conversion is being performed from the full OS, the disk being converted is not the system disk.
+1. The existing MBR system partition is reused if it meets these requirements:
+ a. It is not also the OS or Windows Recovery Environment partition.
+ b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
+ c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
+ d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed.
2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32.
If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified.
+>[!IMPORTANT]
+>If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
+
### Partition type mapping and partition attributes
Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
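Review bot: In the new item d, "In this case" follows a negated condition ("The conversion is not being performed from the full OS"), so it reads as if the partition is in use when the conversion is not run from the full OS. Suggest rewording along the lines of "If the conversion is performed from the full OS, the existing MBR system partition is in use and cannot be repurposed." The removed wording only ruled out reuse when the disk being converted was the system disk; please confirm that dropping that distinction is intended for a non-system disk selected with /disk. The new IMPORTANT note also tells readers to hide the drive letter manually without saying how; a link or the name of the tool would help.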
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index 3d541198b1..a84f82eb0a 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -20,7 +20,7 @@ We've replaced the majority of functionality included in the Application Compati
Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Analytics to get:
- A visual workflow that guides you from pilot to production
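Review bot: The changed sentence still calls the product "Upgrade Analytics", while the index.md hunk in this same patch describes the same data collection under the name "Upgrade Readiness". If the terminology pass is meant to be consistent across the deployment docs, align the product name here as well, or confirm that this page keeps the older name on purpose.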
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
new file mode 100644
index 0000000000..08b8659f6e
--- /dev/null
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -0,0 +1,70 @@
+---
+title: Introduction to the Windows Insider Program for Business
+description: Introduction to the Windows Insider Program for Business and why IT Pros should join it
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: high
+ms.author: jaimeo
+ms.date: 03/01/2018
+---
+
+# Introduction to the Windows Insider Program for Business
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available.
+
+The Windows Insider Program for Business gives you the opportunity to:
+
+* Get early access to Windows Insider Preview Builds.
+* Provide feedback to Microsoft in real time by using the Feedback Hub app.
+* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
+* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration.
+* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies.
+* Track feedback provided through the Feedback Hub App across your organization.
+
+Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App.
+
+The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
+
+
+[](images/WIP4Biz_deployment.png)
+Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments.
+
+
+## Explore new Windows 10 features in Insider Previews
+Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration:
+
+|Objective |Feature exploration|
+|---------|---------|
+|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.|
+|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. |
+|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices) - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. |
+|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible. - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.) - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) |
+
+## Validate Insider Preview builds
+Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits:
+
+- Get a head start on your Windows validation process
+- Identify issues sooner to accelerate your Windows deployment
+- Engage Microsoft earlier for help with potential compatibility issues
+- Deploy Windows 10 Semi-Annual releases faster and more confidently
+- Maximize the 18-month support Window that comes with each Semi-Annual release.
+
+
+
+|Objective |Feature exploration|
+|---------|---------|
+|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.|
+|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.|
+|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. |
+|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. |
+|Guidance | Application and infrastructure validation: - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps) - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor) - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)|
+
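Review bot: The image link in the middle of the new file, "[](images/WIP4Biz_deployment.png)", does not match the file this patch adds, images/WIP4Biz_Deployment.png (capital D), so it will break wherever paths are case-sensitive; it also has empty link text, so nothing renders and there is no alt text. Suggest an image link with a short description that points at images/WIP4Biz_Deployment.png. Other points in this file: the opening paragraph has a broken sentence ("feature flighting enables participants in the Windows Insider Preview program can consume and deploy"); the second table, under "Validate Insider Preview builds", reuses the header "Feature exploration"; "18-month support Window" should be lowercase "window"; "validation:Provide" is missing a space; and the " - " items inside the Tasks and Feedback cells will render as one run-on line rather than a list.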
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index 54f3d47f42..175f553534 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -23,17 +23,17 @@ Steps are provided in sections that follow the recommended setup process:
Device Health has the following requirements:
1. Device Health is currently only compatible with Windows 10 and Windows Server 2016 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
-2. The solution requires that at least the [enhanced level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
-3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+2. The solution requires that at least the [enhanced level of diagnostic data](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
+3. The diagnostic data of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/windows/configuration//configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
-Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
+Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
>[!NOTE]
-> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for steps to exclude authentication for these endpoints.
+> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) for steps to exclude authentication for these endpoints.
## Add Device Health to Microsoft Operations Management Suite
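Review bot: The new endpoints link in item 3 has a doubled slash, "/windows/configuration//configure-windows-diagnostic-data-in-your-organization#endpoints"; drop the extra slash. Item 2 was only re-slugged and still points at the technet.microsoft.com URL with the "#basic-level" anchor although the text says the enhanced level is required; suggest using the same relative /windows/configuration/ path as item 3 and an anchor that matches the enhanced level. In the table, the two hostnames for the Connected User Experiences and Telemetry component share one cell with only a space between them; separating them would make them easier to copy into a proxy or firewall allow list.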
@@ -79,7 +79,7 @@ After you have added Device Health and devices have a Commercial ID, you will be
>[!NOTE]
>You can unsubscribe from the Device Health solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
-## Deploy your Commercial ID to your Windows 10 devices and set the telemetry level
+## Deploy your Commercial ID to your Windows 10 devices and set the diagnostic data level
In order for your devices to show up in Windows Analytics: Device Health, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
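Review bot: Renaming this heading changes the anchor generated from it, so any existing link that targets the fragment derived from the old heading text will stop resolving. Please search the docs for inbound links to the old fragment and update them in this patch, or add an explicit anchor so the old one keeps working.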
@@ -114,7 +114,7 @@ If you need further information on Windows Error Reporting (WER) settings, see [
Devices must be able to reach the endpoints specified in the "Device Health prerequisites" section of this topic.
>[!NOTE]
-> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. (If you need more information about telemetry endpoints and how to manage them, see [Configure Windows telemetry in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-telemetry-in-your-organization).
+> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. (If you need more information about diagnostic data endpoints and how to manage them, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
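Review bot: The reworded sentence in the NOTE keeps an unbalanced parenthesis: "(If you need more information about diagnostic data endpoints and how to manage them, see" opens a parenthesis that is never closed, because the final ")" belongs to the link. Suggest dropping the opening parenthesis and ending the sentence with a period after the link.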
diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md
index 2c35b7f05e..078a95742a 100644
--- a/windows/deployment/update/device-health-monitor.md
+++ b/windows/deployment/update/device-health-monitor.md
@@ -19,7 +19,7 @@ Device Health is the newest Windows Analytics solution that complements the exis
Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced telemetry, so you might need to implement this policy if you've not already done so.
+Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so.
Device Health provides the following:
@@ -27,7 +27,7 @@ Device Health provides the following:
- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced
- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
- Notification of Windows Information Protection misconfigurations that send prompts to end users
-- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 telemetry
+- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 diagnostic data
See the following topics in this guide for detailed information about configuring and using the Device Health solution:
@@ -56,10 +56,10 @@ The Device Health architecture and data flow is summarized by the following five
-**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
-**(2)** Telemetry data is analyzed by the Microsoft Telemetry Service.
-**(3)** Telemetry data is pushed from the Microsoft Telemetry Service to your OMS workspace.
-**(4)** Telemetry data is available in the Device Health solution.
+**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
+**(2)** Diagnostic data is analyzed by the Microsoft Telemetry Service.
+**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your OMS workspace.
+**(4)** Diagnostic data is available in the Device Health solution.
**(5)** You are now able to proactively monitor Device Health issues in your environment.
These steps are illustrated in following diagram:
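Review bot: Steps (2) and (3) now read "Diagnostic data is analyzed by the Microsoft Telemetry Service", which mixes the new term with the old service name. If "Microsoft Telemetry Service" is the service's actual name and is meant to stay, fine; otherwise rename it in the same pass so the five steps use one vocabulary. The context line below the steps also needs an article: "illustrated in the following diagram".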
@@ -67,7 +67,7 @@ These steps are illustrated in following diagram:
[](images/analytics-architecture.png)
>[!NOTE]
->This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
+>This process assumes that Windows diagnostic data is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
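Review bot: The Commercial ID link in this NOTE points at update-compliance-get-started.md, although this patch touches the equivalent section in device-health-get-started.md ("Deploy your Commercial ID to your Windows 10 devices and set the diagnostic data level"). Consider linking to the Device Health page so readers stay in this guide. The diagram link above the NOTE, "[](images/analytics-architecture.png)", has empty link text, so it renders nothing and carries no alt text.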
diff --git a/windows/deployment/update/images/SAC_vid_crop.jpg b/windows/deployment/update/images/SAC_vid_crop.jpg
new file mode 100644
index 0000000000..9d08215fc9
Binary files /dev/null and b/windows/deployment/update/images/SAC_vid_crop.jpg differ
diff --git a/windows/deployment/update/images/UC-vid-crop.jpg b/windows/deployment/update/images/UC-vid-crop.jpg
new file mode 100644
index 0000000000..47e74febbc
Binary files /dev/null and b/windows/deployment/update/images/UC-vid-crop.jpg differ
diff --git a/windows/deployment/update/images/WIP4Biz_Deployment.png b/windows/deployment/update/images/WIP4Biz_Deployment.png
new file mode 100644
index 0000000000..bf267aa9eb
Binary files /dev/null and b/windows/deployment/update/images/WIP4Biz_Deployment.png differ
diff --git a/windows/deployment/update/images/WIP4Biz_Prompts.png b/windows/deployment/update/images/WIP4Biz_Prompts.png
new file mode 100644
index 0000000000..37acadde3a
Binary files /dev/null and b/windows/deployment/update/images/WIP4Biz_Prompts.png differ
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index 91d87362f3..dea0940ed3 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -5,47 +5,50 @@ ms.author: nibr
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: nickbrower
-ms.date: 10/10/2017
+author: jaimeo
+ms.date: 03/02/2018
---
# Olympia Corp
## What is Windows Insider Lab for Enterprise and Olympia Corp?
-Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features*. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features.
+Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features.
As an Olympia user, you will have an opportunity to:
-- Use various Enterprise features like WIP (Windows Information Protection), ATP (Advanced Threat Protection), WDAG (Windows Defender Application Guard), and APP-V (Application virtualization).
+- Use various Enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V).
- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness.
- Validate and test pre-release software in your environment.
- Provide feedback.
- Interact with engineering team members through a variety of communication channels.
-\* Enterprise features may have reduced, or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice.
+>[!Note]
+>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice.
-For more information about Olympia Corp, please see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ).
+For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ).
-To request an Olympia Corp account, please fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia).
+To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia).
## Enrollment guidelines
-Welcome to Olympia Corp. Here are the steps to add your account to your PC.
+Welcome to Olympia Corp. Here are the steps needed to enroll.
As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade.
Choose one of the following two enrollment options:
-1. [Keep your current Windows 10 edition](#enrollment-keep-current-edition)
+- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account.
-2. [Upgrade your Windows 10 edition from Pro to Enterprise](#enrollment-upgrade-to-enterprise)
+- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account.
-### Keep your current Windows 10 edition
+### Set up an Azure Active Directory-REGISTERED Windows 10 device
-1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information.
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).

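Review bot: The two new headings put the device state in capitals (`Azure Active Directory-REGISTERED` here, `-JOINED` further down), and the option list above mixes "AAD-registered" with the spelled-out "Azure Active Directory-joined" and "log onto" with "log on to". Suggest sentence-case headings, spelling out Azure Active Directory on first use, and "log on to" in both bullets. Also confirm that the `#enrollment-keep-current-edition` and `#enrollment-upgrade-to-enterprise` anchors still resolve now that the headings they were named after have been reworded.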
@@ -64,7 +67,7 @@ Choose one of the following two enrollment options:
5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
-6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
+6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details.
7. Create a PIN for signing into your Olympia corporate account.
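Review bot: Step 6 says "logging in" while step 7 in the same list says "signing into", and the matching step in the Azure AD-joined procedure says "signing in". Suggest "signing in" in step 6 so both procedures use one verb.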
@@ -77,9 +80,11 @@ Choose one of the following two enrollment options:
-### Upgrade your Windows 10 edition from Pro to Enterprise
+### Set up Azure Active Directory-JOINED Windows 10 device
-1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information.
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).

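Review bot: The new heading drops the article that the registered-device heading has ("Set up an Azure Active Directory-REGISTERED ..." versus "Set up Azure Active Directory-JOINED ..."), and the introductory sentence is added as a one-item bullet directly above the numbered steps, where the registered section uses a plain paragraph. Suggest "Set up an Azure Active Directory-joined Windows 10 device" and removing the leading `- ` so the intro does not render as a stray list item.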
@@ -102,15 +107,15 @@ Choose one of the following two enrollment options:
6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
-7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
+7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details.
8. Create a PIN for signing into your Olympia corporate account.
9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
-10. Restart your PC.
+10. Restart your device.
-11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
+11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise.
12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
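Review bot: Steps 6 and 9 in the unchanged context are word-for-word the same ("When asked to make sure this is your organization ... click **Join**"), so the reader is told to confirm the join twice. Since this change already edits steps 7, 10 and 11, check whether the prompt really appears twice and, if not, delete step 9 and renumber.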
@@ -119,5 +124,6 @@ Choose one of the following two enrollment options:
13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
-\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
+>[!NOTE]
+> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia.
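Review bot: The alert marker is written `>[!NOTE]` with `> ` before the text here, but `>[!Note]` with no space after `>` in the Enterprise features note added earlier in the same file. Suggest one form for both, for example `>[!NOTE]` followed by `>Text`, which is what the existing notes in the other files of this patch use.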
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 9a98859652..354ad86c3d 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -24,19 +24,19 @@ Steps are provided in sections that follow the recommended setup process:
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
-2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
-3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+2. The solution requires that Windows 10 diagnostic data is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of diagnostic data](/configuration/configure-windows-diagnostic-data-in-your-organization#basic-level) enabled. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
+3. The diagnostic data of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/configuration/configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
- Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
+ Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
- For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
+ For endpoints running Windows 10, version 1607 or earlier, [Windows diagnostic data must also be set to **Enhanced**](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
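Review bot: The rewritten links in requirements 2 and 3 point at `/configuration/configure-windows-diagnostic-data-in-your-organization#...` without the `/windows` prefix, while the second link in requirement 2 uses `/windows/configuration/...` and the Enhanced-level link uses the absolute `https://docs.microsoft.com/windows/configuration/...` form. Three forms for one target article make a broken link likely; suggest the site-relative `/windows/configuration/configure-windows-diagnostic-data-in-your-organization` everywhere, and check that the `#basic-level`, `#endpoints` and `#enhanced-level` anchors exist in the renamed article. While here, the context line for requirement 4 has the typo "Troublehsoot" and a `.md` suffix on a site-relative link.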
@@ -74,7 +74,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update

9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
- 
+ 
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 30bf291b67..638cb4079e 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
-author: DaniHalfin
-ms.author: daniha
-ms.date: 10/13/2017
+author: Jaimeo
+ms.author: jaimeo
+ms.date: 02/09/2018
---
# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
@@ -19,7 +19,7 @@ With Windows 10, organizations need to change the way they approach monitoring a
Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
-Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
+Update Compliance uses the Windows diagnostic data that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance provides the following:
@@ -28,25 +28,25 @@ Update Compliance provides the following:
- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices
- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later)
- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries
-- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure
+- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
-
+Click the following link to see a video demonstrating Update Compliance features.
-An overview of the processes used by the Update Compliance solution is provided below.
+[](https://www.youtube.com/embed/1cmF5c_R8I4)
## Update Compliance architecture
The Update Compliance architecture and data flow is summarized by the following five-step process:
-**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
-**(2)** Telemetry data is analyzed by the Update Compliance Data Service.
-**(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.
-**(4)** Telemetry data is available in the Update Compliance solution.
+**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
+**(2)** Diagnostic data is analyzed by the Update Compliance Data Service.
+**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your OMS workspace.
+**(4)** Diagnostic data is available in the Update Compliance solution.
**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.
These steps are illustrated in following diagram:
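Review bot: The new video link targets `https://www.youtube.com/embed/1cmF5c_R8I4`, a bare player URL, whereas the video links added elsewhere in this patch use the `https://youtu.be/...` form; suggest the same form here. The removed sentence "An overview of the processes used by the Update Compliance solution is provided below." was the lead-in to the architecture section, so the page now goes from the video straight to the heading; confirm that is intended. Separately, the log analytics link in the context carries `WT.srch`, `WT.mc_id` and `utm_*` tracking parameters that should be trimmed from documentation.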
@@ -54,7 +54,7 @@ These steps are illustrated in following diagram:

>[!NOTE]
->This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
+>This process assumes that Windows diagnostic data is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index c97cf7439d..fe2d443d21 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -16,7 +16,7 @@ In this section you'll learn how to use Update Compliance to monitor your device
Update Compliance:
-- Uses telemetry gathered from user devices to form an all-up view of Windows 10 devices in your organization.
+- Uses diagnostic data gathered from user devices to form an all-up view of Windows 10 devices in your organization.
- Enables you to maintain a high-level perspective on the progress and status of updates across all devices.
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 2fda260e22..b6260dbd6d 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -28,7 +28,7 @@ ms.date: 10/13/2017
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
>[!IMPORTANT]
->For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
+>For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
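Review bot: In the IMPORTANT note, the link text still reads "Configure the operating system diagnostic data level" but the anchor changed from `#configure-the-operating-system-telemetry-level` to `#diagnostic-data-levels`, which by its name is the section describing the levels, not the one with instructions. The sentence promises "For instructions", so point it at the configuration section of the renamed article or reword the link text. "Diagnostic Data level" is also capitalized here and lower-case in the other files touched by this patch, and the hunk header shows `ms.date: 10/13/2017` unchanged although the content changed.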
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index e0d006761b..88a40b5473 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -25,7 +25,7 @@ ms.date: 10/13/2017
>
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines.
+Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
Specifically, Windows Update for Business allows for:
@@ -33,6 +33,7 @@ Specifically, Windows Update for Business allows for:
- Selectively including or excluding drivers as part of Microsoft-provided updates
- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
+- Control over diagnostic data level to provide reporting and insights in Windows Analytics.
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
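Review bot: The added bullet names Windows Analytics, which is not introduced anywhere in the visible text of this topic; the monitoring section further down talks about Update Compliance instead. Suggest linking Windows Analytics on first use or wording the bullet in terms of Update Compliance. The bullet also reads as if Windows Update for Business sets the diagnostic data level, while the note in waas-configure-wufb.md says the level must already be Basic or higher for its policies to apply; consider rephrasing so the dependency is clear.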
@@ -121,7 +122,7 @@ Windows Update for Business was first made available in Windows 10, version 1511
## Monitor Windows Updates using Update Compliance
-Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses telemetry data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
+Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.

diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index d694f2ff14..6af7a05dfe 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -51,7 +51,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
>[!NOTE]
->Currently, Express update delivery only applies to quality update downloads.
+>Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 6c80c9612e..a3a8becf16 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -4,10 +4,10 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: DaniHalfin
+author: Jaimeo
ms.localizationpriority: high
-ms.author: daniha
-ms.date: 10/16/2017
+ms.author: jaimeo
+ms.date: 02/09/2018
---
# Overview of Windows as a service
@@ -23,7 +23,10 @@ ms.date: 10/16/2017
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
-
+Click the following Microsoft Mechanics video for an overview of the release model, particularly the Semi-Annual Channel.
+
+
+[](https://youtu.be/qSAsiM01GOU)
## Building
@@ -45,7 +48,7 @@ One of the biggest challenges for organizations when it comes to deploying a new
Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7 and has been working to make Windows 10 upgrades a much better experience.
-Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and telemetry data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
+Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com).
@@ -98,7 +101,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
-With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
@@ -199,4 +202,4 @@ With all these options, which an organization chooses depends on the resources,
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)
-
\ No newline at end of file
+
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 8b85bf57aa..8ea214bbb5 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -4,10 +4,10 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: DaniHalfin
+author: Jaimeo
ms.localizationpriority: high
-ms.author: daniha
-ms.date: 07/27/2017
+ms.author: jaimeo
+ms.date: 02/09/2018
---
# Quick guide to Windows as a service
@@ -29,7 +29,7 @@ Some new terms have been introduced as part of Windows as a service, so you shou
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **Semi-Annual Channel** receives feature updates twice per year.
- - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
+ - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
@@ -58,7 +58,10 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
## Video: An overview of Windows as a service
-
+Click the following Microsoft Mechanics video for an overview of the updated release model, particularly the Semi-Annual Channel.
+
+
+[](https://youtu.be/qSAsiM01GOU)
## Learn more
diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md
index b105a54d56..52a170184a 100644
--- a/windows/deployment/update/waas-windows-insider-for-business.md
+++ b/windows/deployment/update/waas-windows-insider-for-business.md
@@ -4,10 +4,10 @@ description: Overview of the Windows Insider Program for Business
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: DaniHalfin
+author: jaimeo
ms.localizationpriority: high
-ms.author: daniha
-ms.date: 10/27/2017
+ms.author: jaimeo
+ms.date: 02/27/2018
---
# Windows Insider Program for Business
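Review bot: `author: jaimeo` is lower-case here while the same metadata change in update-compliance-monitor.md, waas-overview.md and waas-quick-start.md uses `author: Jaimeo`. Suggest one spelling across the four files so author-based tooling and searches treat them as the same value.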
@@ -19,67 +19,76 @@ ms.date: 10/27/2017
> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-For many IT pros, gaining visibility into feature updates early, before they’re available to the Semi-Annual Channel, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for Semi-Annual Channel devices. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test devices, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to the Semi-Annual Channel, organizations can test their deployment on test devices for compatibility validation.
-The Windows Insider Program for Business gives you the opportunity to:
-* Get early access to Windows Insider Preview Builds.
-* Provide feedback to Microsoft in real-time via the Feedback Hub app.
-* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
-* Register your Azure AD domain into the program, to cover all users within your organization with just one registration.
-* Starting with Windows 10, version 1709, enable, disable, defer and pause the installation of preview builds through policies.
-* Track feedback provided through the Feedback Hub App, across your organization.
-
-Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App.
-
-The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
## Getting started with Windows Insider Program for Business
-To get started with the Windows Insider Program for Business, you can follow a few simple steps:
+To get started with the Windows Insider Program for Business, follow these steps:
-1. [Register your organizational Azure AD account](#individual-registration) to the Windows Insider Program for Business.
+1. [Register your organization's Azure AD account](#individual-registration) to the Windows Insider Program for Business.
2. [Register your organization's Azure AD domain](#organizational-registration) to the Windows Insider Program for Business.**Note:** Registering user has to be a Global Administrator in the Azure AD domain.
3. [Set policies](#manage-windows-insider-preview-builds) to enable Windows Insider Preview builds and select flight rings.
>[!IMPORTANT]
->The **Allow Telemetry** setting has to be set to 2 or higher, to receive Windows Insider preview builds.
+>To receive Windows Insider Preview builds, set the **Allow Telemetry** setting in Group Policy to 2 or higher.
>
->The setting is available in **Group Policy**, through **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry** or in **MDM**, through [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
+>In **Group Policy**, this setting is in **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry**. In **MDM**, the setting is in [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
-Below are additional details to accomplish the steps described above.
-## Register to the Windows Insider Program for Business
+## Register in the Windows Insider Program for Business
-Registration in the Windows Insider Program for Business can be done individually per user or for an entire organization:
+The first step to installing a Windows 10 Insider Preview build is to register as a Windows Insider. You and your users have two registration options.
-### Individual registration
-
->[!IMPORTANT]
->This step is a prerequisite to register your organization's Azure AD domain.
-
-Navigate to the [**Getting Started**](https://insider.windows.com/en-us/getting-started/) page on [Windows Insider](https://insider.windows.com), go to **Register your organization account** and follow the instructions.
+### Register using your work account (recommended)
+Registering with your work account in Azure Active Directory (AAD) is required to submit feedback on behalf of your organization and manage Insider Preview builds on other devices in your domain.
>[!NOTE]
->Make sure your device is [connected to your company's Azure AD subscription](waas-windows-insider-for-business-faq.md#connected-to-aad).
+>Requires Windows 10 Version 1703 or later. Confirm by going to Settings>System>About. If you do not have an AAD account, [find out how to get an Azure Active Directory tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant).
-### Organizational registration
+### Register your personal account
+Use the same account that you use for other Microsoft services. If you don’t have a Microsoft account, it is easy to get one. [Get a Microsoft account](https://account.microsoft.com/account).
-This method enables to your register your entire organization to the Windows Insider Program for Business, to avoid having to register each individual user.
+## Install Windows Insider Preview Builds
+You can install Windows 10 Insider Preview builds directly on individual devices, manage installation across multiple devices in an organization, or install on a virtual machine.
->[!IMPORTANT]
->The account performing these steps has to first be registered to the program individually. Additionally, Global Administrator privileges on the Azure AD domain are required.
+### Install on an individual device
-1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/).
-2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
+1. Open [Windows Insider Program settings](ms-settings:windowsinsider) (On your Windows 10 device, go to Start > Settings > Update & security > Windows Insider Program). To see this setting, you must have administrator rights to your device.
+2. Click **Get started** and follow the prompts to link your Microsoft or work account that you used to register as a Windows Insider.
->[!NOTE]
->At this point, the Windows Insider Program for Business only supports [Azure Active Directory (Azure AD)](/azure/active-directory/active-directory-whatis) (and not Active Directory on premises) as a corporate authentication method.
->
->If your company is currently not using Azure AD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business.
+
+[](images/WIP4Biz_Prompts.png)
+
+### Install across multiple devices
+
+Administrators can install and manage Insider Preview builds centrally across multiple devices within their domain. To register a domain, you must be registered in the Windows Insider Program with your work account in Azure Active Directory and you must be assigned a **Global Administrator** role on that Azure AD domain. Also requires Windows 10 Version 1703 or later.
+
+To register a domain, follow these steps:
+
+1. **Register your domain with the Windows Insider Program**
+Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.
+
+
+2. **Apply Policies**
+Once you have registered your enterprise domain, you can control how and when devices receive Windows Insider Preview builds on their devices. See: [How to manage Windows 10 Insider Preview builds across your organization](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business).
+
+>[!Note]
+>- The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
+>- Currently, the Windows Insider Program for Business supports [Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/active-directory-whatis)--but not on-premises Active Directory--as a corporate authentication method.
+>- If your company has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services--you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business.
+>- If you do not have an AAD account, install Insider Preview builds on individual devices with a registered Microsoft account.
+
+### Install on a virtual machine
+This option enables you to run Insider Preview builds without changing the Windows 10 production build already running on a device.
+
+For guidance on setting up virtual machines on your device, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/).
+
+To download the latest Insider Preview build to run on your virtual machine, see
+[Windows Insider Preview downloads](https://www.microsoft.com/software-download/windowsinsiderpreviewadvanced)
## Manage Windows Insider Preview builds
-Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds on their devices.
+Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds.
The **Manage preview builds** setting gives enables or prevents preview build installation on a device. You can also decide to stop preview builds once the release is public.
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
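Review bot: Steps 1 and 2 of the getting-started list still link to `#individual-registration` and `#organizational-registration`, but this hunk deletes both of those headings and replaces them with "Register using your work account (recommended)" and "Install across multiple devices", so the two anchors no longer resolve. Point them at the new headings. In the same hunk, the "Apply Policies" step links to `https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business`, which is this page; the in-page `#manage-windows-insider-preview-builds` anchor already used in step 3 is the better target. The rewritten IMPORTANT note also now says to set Allow Telemetry "in Group Policy" and then names MDM as a second location, which reads as contradictory; drop "in Group Policy" from the first sentence.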
@@ -96,60 +105,63 @@ The **Branch Readiness Level** settings allows you to choose between preview [fl
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
* MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel)
-
+
### Individual enrollment
If you want to manage Windows Insider preview builds prior to Windows 10, version 1709, or wish to enroll a single device, follow these steps:
1. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program.
-2. After reading the privacy statement and clicking **Next**, **Confirm** and schedule a restart.
-3. You are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select.
+2. Read the privacy statement and then click **Next**, **Confirm**,
+3. Schedule a restart. You are now ready to install your first preview build.
+4. To install the first preview, open **Start** > **Settings** > **Update & security** > **Windows Insider Program** and select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select.
>[!NOTE]
->To enroll your PC, you’ll require administration rights on the machine and it needs to be running Windows 10, Version 1703 or later. If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account).
+>To enroll your device, you’ll require administration rights on the device, which must be running Windows 10, Version 1703 or later. If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account).
>[!TIP]
>Administrators have the option to use [Device Health](/windows/deployment/update/device-health-monitor) in Windows Analytics to monitor devices running Windows 10 Insider Preview builds.
## Flight rings
-Flighting rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring.
+Flight rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring.
These are the available flight rings:
### Release Preview
-Best for Insiders who enjoy getting early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great.
+Best for Insiders who prefer to get early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great.
-Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
+Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider devices.
-* The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel.
-* To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.
+The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel.
+
+To move from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for device) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.
### Slow
-The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
+The Slow Windows Insider level is for users who prefer to see new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
* Builds are sent to the Slow Ring after feedback has been received from Windows Insiders within the Fast Ring and analyzed by our Engineering teams.
* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis.
-* These builds still may have issues that would be addressed in a future flight.
+* These builds still might have issues that would be addressed in a future flight.
### Fast
-Best for Windows Insiders who enjoy being the first to get access to builds and feature updates, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great.
+Best for Windows Insiders who prefer being the first to get access to builds and feature updates--with some risk to their devices--in order to identify issues, and provide suggestions and ideas to make Windows software and devices great.
-* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds.
-* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations.
+* Windows Insiders with devices in the Fast Ring should be prepared for more issues that might block key activities that are important to you or might require significant workarounds.
+* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features might work on some devices but might fail in other device configurations.
* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked.
-* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum.
+* Remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum.
>[!NOTE]
->Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
+>Once your device is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your device will be auto-targeted for the next available flight for your selected ring. For the first build on any given device, this might take up to 24 hours to complete.
### How to switch between flight rings
-During your time in the Windows Insider Program, you may want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings.
+During your time in the Windows Insider Program, you might want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings.
+
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
* MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel)
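Review bot: In the individual enrollment steps, the new step 2 ends on a dangling comma ("click **Next**, **Confirm**,") because the original sentence was cut in the middle when it was split into steps 2 and 3. End step 2 after **Confirm** and let step 3 open with scheduling the restart. The PC-to-device wording pass also turned "(for PC)" into "(for device)" on the Media Creation Tool line under Release Preview, which no longer contrasts with "(for Mobile)"; keep "PC" on that line.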
@@ -161,6 +173,7 @@ To switch flights prior to Windows 10, version 1709, follow these steps:
* [Windows Insider Slow](#slow)
* [Release Preview](#release-preview)
+
## How to switch between your MSA and your Corporate AAD account
If you were using your Microsoft Account (MSA) to enroll to the Windows Insider Program, switch to your organizational account by going to **Settings > Updates & Security > Windows Insider Program**, and under **Windows Insider account** select **Change**.
@@ -173,11 +186,11 @@ If you were using your Microsoft Account (MSA) to enroll to the Windows Insider
## Sharing Feedback Via the Feedback Hub
As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals.
-Please use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft.
+Use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft.
-When providing feedback, please consider the following:
-1. Check for existing feedback on the topic you are preparing to log. Another user may have already shared the same feedback. If they have, please “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review.
-2. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible.
+When providing feedback, consider the following:
+* Check for existing feedback on the topic you are preparing to log. Another user might have already shared the same feedback. If they have, “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review.
+* Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible.
>[!TIP]
>You can then track feedback provided by all users in your organization through the Feedback Hub. Simply filter by **My Organization**.
@@ -189,7 +202,7 @@ When providing feedback, please consider the following:
### User consent requirement
-With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this:
+Feedback Hub needs the user’s consent to access their AAD account profile data (we read their name, organizational tenant ID, and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this:

@@ -212,7 +225,7 @@ To do this through the **classic Azure portal**:
2. Switch to the **Active Directory** dashboard.

3. Select the appropriate directory and go to the **Configure** tab.
-4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**.
+4. Under the **integrated applications** section, enable **Users might give applications permissions to access their data**.

To do this through the **new Azure portal**:
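Review bot: Step 4 changes the bolded setting name to **Users might give applications permissions to access their data**. That string is the label of a portal setting the administrator has to locate, so it must match the portal text verbatim; the may-to-might wording pass used elsewhere in this patch should not be applied to UI labels. Revert this line to the original wording.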
@@ -228,7 +241,7 @@ To do this through the **new Azure portal**:
## Not receiving Windows 10 Insider Preview build updates?
-In some cases, your PC may not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue:
+In some cases, your device might not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue:
### Perform a manual check for updates
Go to **Settings > Updates & Security**. Review available updates or select **Check for updates**.
@@ -240,51 +253,59 @@ Go to **Settings > Updates & Security**. Review available updates or select **Ch
Go to **Settings > Updates & Security > Activation** to verify Windows is activated.
### Make sure your corporate account in AAD is connected to your device
-Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account.
+Open **Settings \ Accounts \ Access work or school**. If your device is not listed as connected to your account in AAD, click Connect and enter your AAD account.
### Make sure you have selected a flight ring
Open **Settings > Update & Security > Windows Insider Program** and select your flight ring.
### Have you recently done a roll-back?
-If so, please double-check your flight settings under **Settings > Update & Security > Windows Insider Program**.
+If so, double-check your flight settings under **Settings > Update & Security > Windows Insider Program**.
-### Did you do a clean install?
-After a clean-install and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your PC. This background process is known as Compatibility Checker and will run during idle time on your PC. This process may take up to 24 hours. Please leave your PC turned on to ensure this occurs in timely manner.
+### Did you do a clean installion?
+After a clean installation and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your device. This background process is known as Compatibility Checker and will run during idle time on your device. This process might take up to 24 hours. To ensure that this occurs in a timely manner, leave your device turned on.
### Are there known issues for your current build?
-On rare occasion, there may be an issue with a build that could lead to issues with updates being received. Please check the most recent Blog Post or reach out to the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues.
+On rare occasion, there might be an issue with a build that could lead to issues with updates being received. Check the most recent blog post or contact the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues.
## Exiting flighting
-After you’ve tried the latest Windows Insider Preview builds, you may want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device.
+After you’ve tried the latest Windows Insider Preview builds, you might want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device.
-To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.
+To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for device) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.
## Unregister
-If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/en-us/insiderorgleaveprogram/).
+If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/insiderorgleaveprogram/).
Unregistering will not allow any other administrators at your organization to continue to set policies to manage Windows Insider Preview builds across your organization.
-Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/en-us/how-to-overview/#leave-the-program) instructions.
+Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/how-to-overview/#leave-the-program) instructions.
>[!IMPORTANT]
>Once your domain is unregistered, setting the **Branch Readiness Level** to preview builds will have no effect. Return this setting to its unconfigured state in order to enable users to control it from their devices.
+## Community
+
+Windows Insiders are a part of a global community focused on innovation, creativity, and growth in their world.
+
+The Windows Insider program enables you to deepen connections to learn from peers and to connect to subject matter experts (inside Microsoft, Insiders in your local community and in another country) who understand your unique challenges, and who can provide strategic advice on how to maximize your impact.
+
+Collaborate and learn from experts in the [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram)
+
+
## Additional help resources
-* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build.
+* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders might encounter while using the build.
* [**Microsoft Technical Community for Windows Insiders**](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) - Engage with Windows Insiders around the world in a community dedicated to the Windows Insider Program.
-* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between PC, Office, Edge, and many others.
+* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between device, Office, Edge, and many others.
## Learn More
- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
-
## Related Topics
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
\ No newline at end of file
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
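Review bot: In the community forum bullet, "filter between device, Office, Edge" puts a lowercase generic noun into a list of product filter names. If the forum's filter is still labelled "PC", keep the label as the reader will see it; otherwise reword to something like "filter by device type, Office, Edge" so the list reads consistently.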
diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
index 96bec400be..bd9b717522 100644
--- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
+++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
@@ -14,7 +14,7 @@ With the release of Upgrade Readiness, enterprises now have the tools to plan an
Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
@@ -28,11 +28,11 @@ Use Upgrade Readiness to get:
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see:
-- [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization)
+- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
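Review bot: The first link now targets `/windows/configuration/configure-windows-diagnostic-data-in-your-organization`, so this change only works if the target file is renamed in the same commit and the old `configure-windows-telemetry-in-your-organization` path gets a redirect. Please confirm both. Existing bookmarks and the other topics that still link to the old name will otherwise break.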
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index d90228f2cb..d3d5edf9a2 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 01/11/2018
+ms.date: 02/22/2018
ms.localizationpriority: high
---
@@ -16,17 +16,19 @@ ms.localizationpriority: high
**Applies to**
- Windows 10
->**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information.
+>**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see the following topic: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
## In this topic
This topic contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. The following sections and procedures are provided in this guide:
+- [Troubleshooting upgrade errors](#troubleshooting-upgrade-errors): General advice and techniques for troubleshooting Windows 10 upgrade errors.
- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.
- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.
- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
- [Result codes](#result-codes): Information about result codes.
- [Extend codes](#extend-codes): Information about extend codes.
+- [Windows Error Reporting](#windows-error-reporting): How to use Event Viewer to review details about a Windows 10 upgrade.
- [Log files](#log-files): A list and description of log files useful for troubleshooting.
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
@@ -36,19 +38,61 @@ This topic contains a brief introduction to Windows 10 installation processes, a
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+## Troubleshooting upgrade errors
+
+If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process.
+
+Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase.
+
+These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
+
+1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible.
+
+2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software.
+
+ Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues.
+
+ **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information.
+
+ If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware.
+
+ If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption.
+
+3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade.
+
+4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade.
+
+If the general troubleshooting techniques described above or the [quick fixes](#quick-fixes) detailed below do not resolve your issue, you can attempt to analyze [log files](#log-files) and interpret [upgrade error codes](#upgrade-error-codes). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue.
+
## The Windows 10 upgrade process
-The Windows Setup application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. When performing an operating system upgrade, Windows Setup uses the following phases:
+The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings.
-1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Installation components are gathered.
-2. **Safe OS phase**: A recovery partition is configured and updates are installed. An OS rollback is prepared if needed.
- - Example error codes: 0x2000C, 0x20017
-3. **First boot phase**: Initial settings are applied.
- - Example error codes: 0x30018, 0x3000D
-4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**.
- - Example error: 0x4000D, 0x40017
-5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful.
- - Example error: 0x50000
+When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase.
+
+1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
+
+ 
+
+2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
+
+ 
+
+3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
+
+ 
+
+4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017.
+
+ At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
+
+ 
+
+ 
+
+ 
+
+5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
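Review bot: The SafeOS and Second boot steps tell the reader to "temporarily remove the disk encryption" and "temporarily uninstall anti-virus software" but never say to restore them. Add a closing step to re-enable encryption and reinstall anti-virus once the upgrade completes or rolls back, so devices are not left unprotected. Also in this hunk: "non-microsoft" should be capitalized to match "non-Microsoft" two paragraphs later, "you will be required re-enter" is missing "to", the new section writes "SafeOS" while the process list keeps "Safe OS", and the summary names four phases while the list has five entries. A sentence saying that the Uninstall phase only runs on failure would reconcile the two.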
@@ -58,6 +102,7 @@ DU = Driver/device updates.
OOBE = Out of box experience.
WIM = Windows image (Microsoft)
+
## Quick fixes
The following steps can resolve many Windows upgrade problems.
@@ -92,34 +137,45 @@ The following steps can resolve many Windows upgrade problems.
If the upgrade process is not successful, Windows Setup will return two codes:
-1. **A result code**: The result code corresponds to a specific Win32 error.
-2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
+1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error.
+2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
+>[!TIP]
+>If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](#windows-error-reporting).
+
### Result codes
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
Result codes can be matched to the type of error encountered. To match a result code to an error:
-1. Identify the error code type, either Win32 or NTSTATUS, using the first hexadecimal digit:
- 8 = Win32 error code (ex: 0x**8**0070070)
- C = NTSTATUS value (ex: 0x**C**1900107)
-2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits correspond to the last 16 bits of the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure.
-3. Based on the type of error code determined in the first step, match the 4 digits derived from the second step to either a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx), or an [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx).
+1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit:
+ **8** = Win32 error code (ex: 0x**8**0070070)
+ **C** = NTSTATUS value (ex: 0x**C**1900107)
+2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error.
+3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links:
+ - [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx)
+ - [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx)
-For example:
-- 0x80070070 = Win32 = 0070 = 0x00000070 = ERROR_DISK_FULL
-- 0xC1900107 = NTSTATUS = 0107 = 0x00000107 = STATUS_SOME_NOT_MAPPED
+Examples:
+- 0x80070070
+ - Based on the "8" this is a Win32 error code
+ - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) table
+ - The error is: **ERROR_DISK_FULL**
+- 0xC1900107
+ - Based on the "C" this is an NTSTATUS error code
+ - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx) table
+ - The error is: **STATUS_SOME_NOT_MAPPED**
Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot.
### Extend codes
->Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
+>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
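Review bot: In step 2, "These digits are the actual error code type" reuses "error code type", which step 1 already uses for the Win32 versus NTSTATUS distinction, so the two steps now read as if they identify the same thing. The removed wording ("the last 16 bits of the HRESULT or the NTSTATUS structure") was more precise. Suggest "These digits are the error code, the last 16 bits of the HRESULT or NTSTATUS structure", and either drop the "device type" sentence or word it from the linked structure definitions, which are the reference for what the remaining bits mean.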
@@ -193,10 +249,50 @@ The following tables provide the corresponding phase and operation for values of
For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
+## Windows Error Reporting
+
+When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell.
+
+To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
+
+```
+$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"}
+$event = [xml]$events[0].ToXml()
+$event.Event.EventData.Data
+```
+
+To use Event Viewer:
+1. Open Event Viewer and navigate to **Windows Logs\Application**.
+2. Click **Find**, and then search for **winsetupdiag02**.
+3. Double-click the event that is highlighted.
+
+Note: For legacy operating systems, the Event Name was WinSetupDiag01.
+
+Ten parameters are listed in the event:
+
+
+
P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool)
+
P2: Setup Mode (x=default,1=Downlevel,5=Rollback)
+
P3: New OS Architecture (x=default,0=X86,9=AMD64)
+
P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked)
+
P5: Result Error Code (Ex: 0xc1900101)
+
P6: Extend Error Code (Ex: 0x20017)
+
P7: Source OS build (Ex: 9600)
+
P8: Source OS branch (not typically available)
+
P9: New OS build (Ex: 16299}
+
P10: New OS branch (Ex: rs3_release}
+
+
+The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below.
+
+
+
## Log files
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
+Note: Also see the [Windows Error Reporting](#windows-error-reporting) section in this document for help locating error codes and log files.
+
The following table describes some log files and how to use them for troubleshooting purposes:
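Review bot: The PowerShell sample assigns to `$event`, which is a PowerShell automatic variable, and indexes `$events[0]` without checking that anything was returned. On a computer with no WinSetupDiag02 event the reader gets an error from Get-WinEvent followed by a null-index failure. Suggest a different name such as `$setupEvent`, adding `-MaxEvents 1`, and tagging the fence as powershell. In the parameter list, P9 and P10 close with `}` instead of `)`. The WinSetupDiag01 note should also say which operating systems count as legacy so readers know which event name to search for.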
@@ -561,7 +657,7 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
- See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
+ See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
@@ -598,6 +694,39 @@ This error has more than one possible cause. Attempt [quick fixes](#quick-fixes)
+
+The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria.
+
+
+
+
+
+
+
+
Mitigation
+
+
+These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition.
+
+
+
+
+
+
+
Code
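Review bot: The mitigation ends with "Alternatively, you can delete the unused system partition" but gives no way to tell the unused system partition from the active one and no backup step. Deleting the wrong one leaves the computer unbootable. Either drop that sentence and keep the reversible option (disconnect or disable the extra drive), or add how to identify the active system partition and a recommendation to back up first.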
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
new file mode 100644
index 0000000000..2118867a21
--- /dev/null
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -0,0 +1,69 @@
+---
+title: Submit Windows 10 upgrade errors using Feedback Hub
+description: Submit Windows 10 upgrade errors for diagnosis using feedback hub
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 02/01/2018
+ms.localizationpriority: high
+---
+
+# Submit Windows 10 upgrade errors using Feedback Hub
+
+**Applies to**
+- Windows 10
+
+## In this topic
+
+This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub.
+
+## About the Feedback Hub
+
+The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
+
+The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically.
+
+## Submit feedback
+
+To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md)
+
+The Feedback Hub will open.
+
+- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**.
+- Under **Give us more detail**, provide additional information about the failed upgrade, such as:
+ - When did the failure occur?
+ - Were there any reboots?
+ - How many times did the system reboot?
+ - How did the upgrade fail?
+ - Were any error codes visible?
+ - Did the computer fail to a blue screen?
+ - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back?
+- Additional details
+ - What type of security software is installed?
+ - Is the computer up to date with latest drivers and firmware?
+ - Are there any external devices connected?
+- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**.
+
+You can attach a screenshot or file if desired. This is optional.
+
+Click **Submit** to send your feedback.
+
+See the following example:
+
+
+
+After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided.
+
+## Link to your feedback
+
+After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed.
+
+
+
+## Related topics
+
+[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx)
+
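Review bot: "Link to your feedback" tells readers to email or post the short link, and the earlier section says the Feedback Hub collects log files automatically, but nothing tells them to check what is attached before sharing. Add a sentence advising readers to review attached logs and screenshots for computer names, account names and similar details before posting the link publicly. Smaller points: "verion" should be "version", "run in to" should be "run into", the Store URL carries sign-in query parameters (`SilentAuth=1&wa=wsignin1.0`) that should be stripped, and the `feedback-hub://` link only resolves on a device with the app installed, so say that next to the link.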
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
index bb097f89bb..a837d861dc 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
@@ -24,16 +24,16 @@ If you still don’t see data in Upgrade Readiness, follow these steps:
## Disable Upgrade Readiness
-If you want to stop using Upgrade Readiness and stop sending telemetry data to Microsoft, follow these steps:
+If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps:
1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.

-2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
+2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
**Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
- **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic.
+ **Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic.
3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.
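Review bot: The new Windows 10 link in step 2 points to `/configuration/configure-windows-diagnostic-data-in-your-organization.md`, while the other files in this change use `/windows/configuration/configure-windows-diagnostic-data-in-your-organization` with no `.md` suffix. One of the two forms will not resolve, so align this one with the others. It also drops the `#enterprise-management` anchor the old link had, so readers land at the top of the topic rather than on the instructions for setting the level. The intro line now reads "diagnostic data data"; remove the repeated word.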
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 70e29d0699..858aed34fc 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -18,7 +18,7 @@ This topic provides information on additional features that are available in Upg
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
> [!NOTE]
-> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
+> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer
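Review bot: The replacement note does more than rename "telemetry": it also deletes the sentence stating that data is collected on sites visited by Microsoft Edge on Windows 10 version 1803 or newer. That is a change to a data-collection disclosure, not a terminology edit. Please confirm which statement is correct and call the removal out in the commit message. If the removal is right, it matches the paragraph above ("Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge"); if it is not, both places need updating.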
@@ -27,7 +27,7 @@ Ensure the following prerequisites are met before using site discovery:
1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
- For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
- For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
-2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 you must set computers to the **Enhanced Telemetry Level** for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
+2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 you must set computers to the **Enhanced** diagnostic data level for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
If you do not plan to use the Upgrade Readiness deployment script to enable Site discovery, you must create the following registry entry.
diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md
index a37441da3e..fd7e2605ab 100644
--- a/windows/deployment/upgrade/upgrade-readiness-architecture.md
+++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md
@@ -8,7 +8,7 @@ ms.date: 04/25/2017
# Upgrade Readiness architecture
-Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation.
+Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation.
@@ -47,13 +47,13 @@ Important: You can use either a Microsoft Account or a Work or School account to
Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
-## Telemetry and data sharing
+## Diagnostic data and data sharing
After you’ve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness.
-See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
+See [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) for more information about how Microsoft uses Windows diagnostic data.
-**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
+**Whitelist diagnostic data endpoints.** To enable diagnostic data to be sent to Microsoft, you’ll need to whitelist the following Microsoft endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
`https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://vortex-win.data.microsoft.com/health/keepalive`
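Review bot: In the "Whitelist diagnostic data endpoints" paragraph, replacing "Microsoft telemetry endpoints" with plain "Microsoft endpoints" makes the sentence less specific about what the security group is being asked to approve. Suggest "the following Microsoft diagnostic data endpoints" so the scope of the proxy or firewall exception stays explicit. The link in the line above also moves to `/windows/configuration/configure-windows-diagnostic-data-in-your-organization`; confirm that the renamed topic, or a redirect from the old `configure-windows-telemetry-in-your-organization` path, ships in the same change.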
@@ -68,7 +68,7 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
**Subscribe your OMS workspace to Upgrade Readiness.** For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Readiness.
-**Enable telemetry and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Readiness and user computers. You’ll need to connect Upgrade Readiness to your data sources and enable telemetry to establish communication.
+**Enable diagnostic data and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Readiness and user computers. You’ll need to connect Upgrade Readiness to your data sources and enable diagnostic data to establish communication.
**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
@@ -82,7 +82,7 @@ Before you get started configuring Upgrade Anatlyics, review the following tips
**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
-**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
+**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. Upgrade Readiness is supported in all OMS regions; however, selecting an international OMS region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US.
### Tips
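Review bot: The bold lead-in "In-region data storage requirements." no longer matches the paragraph, which now says that selecting an international OMS region does not prevent diagnostic data from being sent to and processed in the US. Readers scanning for data-residency guidance could take the heading to mean in-region storage is available. Suggest retitling it (for example "Data storage location.") and putting the US-processing statement first. Minor: the new sentence uses a straight apostrophe in "Microsoft's" while the rest of the file uses curly ones.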
diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
index b75afc225b..58ffa25e69 100644
--- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
+++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
@@ -141,7 +141,7 @@ Applications and drivers that are meet certain criteria to be considered low ris
The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system.
-The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in telemetry. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well.
+The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well.
Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app.
diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
index 15cd2c2bf3..f1e9422095 100644
--- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
+++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
@@ -35,7 +35,7 @@ The following color-coded status changes are reflected on the upgrade overview b
Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
-In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
+In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require a KB update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:

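Review bot: The figures in the new example sentence do not support the percentages given. Both parentheticals show 6k of 8k, which is 75%, yet they are described as "more than 10%" and "more than 30%". The separators also differ (`6k\8k` and `6k/8k`). Please check the counts against the screenshot, state the actual proportion for each, and use `/` in both places.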
@@ -43,9 +43,9 @@ In the following example, there is no delay in data processing, less than 4% of
-->
-If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours.
+If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours.
-If there are computers with incomplete data, verify that you have installed the latest compatibilty update and run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center.
+If there are computers with incomplete data, verify that you have installed the latest compatibilty update KBs. Install the updated KBs if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script.
Select **Total computers** for a list of computers and details about them, including:
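Review bot: The rewritten "incomplete data" paragraph carries over the typo "compatibilty" and the link text "Update Readiness deployment script", where every other reference in this change set uses "Upgrade Readiness". Since the line is being touched anyway, fix both, and change "a successful run on the deployment script" to "a successful run of the deployment script". In the paragraph above, "there is no action required" reads better as "no action is required".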
@@ -54,7 +54,7 @@ Select **Total computers** for a list of computers and details about them, inclu
- Computer model
- Operating system version and build
- Count of system requirement, application, and driver issues per computer
-- Upgrade assessment based on analysis of computer telemetry data
+- Upgrade assessment based on analysis of computer diagnostic data
- Upgrade decision status
Select **Total applications** for a list of applications discovered on user computers and details about them, including:
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
index 8b8805f491..f0f332312c 100644
--- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -10,7 +10,7 @@ ms.date: 08/30/2017
You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
-- Based on telemetry data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
+- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
diff --git a/windows/deployment/upgrade/windows-10-downgrade-paths.md b/windows/deployment/upgrade/windows-10-downgrade-paths.md
new file mode 100644
index 0000000000..d095a3d449
--- /dev/null
+++ b/windows/deployment/upgrade/windows-10-downgrade-paths.md
@@ -0,0 +1,160 @@
+---
+title: Windows 10 downgrade paths (Windows 10)
+description: You can downgrade Windows 10 if the downgrade path is supported.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: high
+ms.pagetype: mobile
+author: greg-lindsay
+ms.date: 02/15/2018
+---
+
+# Windows 10 downgrade paths
+**Applies to**
+
+- Windows 10
+
+## Downgrading Windows 10
+
+This topic provides a summary of supported Windows 10 downgrade paths. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired.
+
+If a downgrade is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required.
+
+To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md).
+
+Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not supported, unless you are performing a rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used.
+
+>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
+
+>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown below.
+
+### Supported Windows 10 downgrade paths
+
+>[!NOTE]
+>Edition changes that are considered upgrades (Ex: Pro to Enterprise) are not shown here. Switching between different editions of Pro is supported. This is not strictly considered an edition downgrade, but is included here for clarity.
+
+✔ = Supported downgrade path
+
+
+
+
+
Destination edition
+
+
+
+
+
Home
+
Pro
+
Pro for Workstations
+
Pro Education
+
S
+
Education
+
Enterprise LTSC
+
Enterprise
+
+
+
Starting edition
+
+
+
Home
+
+
+
+
+
+
+
+
+
+
+
Pro
+
+
+
✔
+
✔
+
✔
+
+
+
+
+
+
Pro for Workstations
+
+
✔
+
+
✔
+
✔
+
+
+
+
+
+
Pro Education
+
+
✔
+
✔
+
+
✔
+
+
+
+
+
+
S
+
+
✔
+
✔
+
✔
+
+
+
+
+
+
+
Education
+
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
+
Enterprise LTSC
+
+
+
+
+
+
+
+
+
+
+
Enterprise
+
+
✔
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
+
+## Related Topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+
+
+
+
+
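Review bot: The front matter of the new topic sets `ms.pagetype: mobile`, but the page lists only desktop editions and no Mobile edition appears in the table; use the page type that fits a desktop deployment topic. The legend defines only ✔, so add a line stating that an empty cell means the path is not supported and a clean install is required, matching the sentence under "Downgrading Windows 10". The file also ends with several added blank lines after "Related Topics" that can be dropped, and "if an Enterprise license is expired" should read "has expired".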
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 359c1cb9bc..f46f0eb146 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -8,7 +8,7 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
-ms.date: 01/18/2018
+ms.date: 02/9/2018
---
# Windows 10 edition upgrade
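Review bot: `ms.date: 02/9/2018` is not zero-padded, unlike the value it replaces (`01/18/2018`) and the other dates in this change set (`02/15/2018`). Use `02/09/2018` so that tooling parsing the metadata as MM/DD/YYYY handles it consistently.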
@@ -20,7 +20,7 @@ ms.date: 01/18/2018
With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. Note that the reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
 (X) = not supported
 (green checkmark) = supported, reboot required
@@ -46,25 +46,28 @@ X = unsupported
| **Home > Pro for Workstations** |  |  |  |  |  |  |
| **Home > Pro Education** |  |  |  |  |  |  |
| **Home > Education** |  |  |  |  |  |  |
-| **S > Pro** |  (version 1709) |  (version 1709) |  |  |  (version 1709) |  (version 1709) |
-| **S > Pro for Workstations** |  (version 1709) |  (version 1709) |  |  |  (version 1709) |  (version 1709) |
-| **S > Pro Education** |  (version 1709) |  (version 1709) |  |  (version 1709 - MSfB) |  (version 1709) |  |
-| **S > Education** |  |  |  |  (MSfB) |  |  |
-| **S > Enterprise** |  (version 1709) |  (version 1709) |  |  (version 1703 - PC), (version 1709 - MSfB) |  (version 1709) |  |
-| **Pro > Pro for Workstations** |  |  |  |  (MSfB) |  |  |
-| **Pro > Pro Education** |  |  |  |  (MSfB) |  |  |
-| **Pro > Education** |  |  |  | ) (MSfB) |  |  |
-| **Pro > Enterprise** |  |  |  |  (version 1703 - PC), (version 1709 - MSfB) |  |  |
-| **Pro for Workstations > Pro Education** |  |  |  |  (MSfB) |  |  |
-| **Pro for Workstations > Education** |  |  |  | ) (MSfB) |  |  |
-| **Pro for Workstations > Enterprise** |  |  |  |  (version 1703 - PC), (version 1709 - MSfB) |  |  |
-| **Pro Education > Education** |  |  |  | ) (MSfB) |  |  |
-| **Enterprise > Education** |  |  |  | ) (MSfB) |  |  |
+| **S > Pro** |  (1709) |  (1709) |  |  |  (1709) |  (1709) |
+| **S > Pro for Workstations** |  (1709) |  (1709) |  |  |  (1709) |  (1709) |
+| **S > Pro Education** |  (1709) |  (1709) |  |  (1709 - MSfB) |  (1709) |  |
+| **S > Education** |  |  |  |  (MSfB) |  |  |
+| **S > Enterprise** |  (1709) |  (1709) |  |  (1703 - PC) (1709 - MSfB) |  (1709) |  |
+| **Pro > Pro for Workstations** |  |  |  |  (MSfB) |  |  |
+| **Pro > Pro Education** |  |  |  |  (MSfB) |  |  |
+| **Pro > Education** |  |  |  |  (MSfB) |  |  |
+| **Pro > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
+| **Pro for Workstations > Pro Education** |  |  |  |  (MSfB) |  |  |
+| **Pro for Workstations > Education** |  |  |  |  (MSfB) |  |  |
+| **Pro for Workstations > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
+| **Pro Education > Education** |  |  |  |  (MSfB) |  |  |
+| **Enterprise > Education** |  |  |  |  (MSfB) |  |  |
+| **Enterprise LTSC > Enterprise** |  |  |  |  (MSfB) |  |  |
+| **Pro for Workstations > Pro Education** |  |  |  |  (MSfB) |  |  |
| **Mobile > Mobile Enterprise** |  | |  |  |  |  |
> [!NOTE]
> Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
-
+>
+> Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates.
## Upgrade using mobile device management (MDM)
- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907).
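Review bot: The rewritten table adds a second `**Pro for Workstations > Pro Education**` row after the new `**Enterprise LTSC > Enterprise**` row, duplicating the row that already sits between "Pro > Enterprise" and "Pro for Workstations > Education". Remove the duplicate. The version labels were also shortened from "(version 1709)" to "(1709)" without a legend entry explaining the bare number; add one or keep the word "version". Finally, the blank line before `## Upgrade using mobile device management (MDM)` was replaced by the extended note, so the heading now directly follows the blockquote; restore an empty line between them.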
@@ -88,6 +91,11 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported
`changepk.exe /ProductKey `
+You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise.
+
+`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43`
+
+
## Upgrade by manually entering a product key
If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
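Review bot: The new slmgr.vbs example embeds a literal key (`/ipk NPPR9-...`) without saying in the text that it is the generic KMS client setup key for Windows 10 Enterprise taken from the linked page. As written, a reader could mistake it for a licence that activates the device. State that explicitly and say what activation the device needs after the key is installed. The link is also pinned to `en-us` with a URL-encoded `(v%3dws.11)` suffix; a locale-neutral link is more robust. The two trailing blank lines added after the command are unnecessary.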
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 4ac4288fcb..45eeec2f16 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -20,14 +20,17 @@ ms.date: 01/18/2018
This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
->**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported. (Note that Windows 10 LTSB 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSB 2016 release, which will now only allow data-only and clean install options.)
+>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
+
+>In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later.
>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed.
-
+
+
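Review bot: The new LTSC note says "The term LTSC is used here to refer to all long term servicing versions", but the example in the next paragraph then uses "Windows 10 Enterprise 2016 LTSB". Use LTSC in the example, or add "(displayed as LTSB)" so the two paragraphs agree. The removed sentence "The upgrade paths displayed below do not apply to Windows 10 LTSB" has no replacement; since the table now gains an LTSC column, say explicitly which cells apply to it. Splitting the blockquote in two also leaves the second paragraph without a bold label like the ones on the paragraphs around it.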
@@ -36,6 +39,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
Windows 10 Pro Education
Windows 10 Education
Windows 10 Enterprise
+
Windows 10 Enterprise LTSC
Windows 10 Mobile
Windows 10 Mobile Enterprise
@@ -51,6 +55,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Home Basic
@@ -61,6 +66,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Home Premium
@@ -71,6 +77,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Professional
@@ -81,6 +88,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Ultimate
@@ -91,6 +99,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Enterprise
@@ -101,6 +110,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Windows 8
@@ -114,6 +124,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Professional
@@ -124,6 +135,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Professional WMC
@@ -134,6 +146,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Enterprise
@@ -144,6 +157,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Embedded Industry
@@ -154,6 +168,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Windows RT
@@ -164,6 +179,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Windows Phone 8
@@ -174,6 +190,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Windows 8.1
@@ -187,6 +204,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Connected
@@ -197,6 +215,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Professional
@@ -207,6 +226,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Professional Student
@@ -217,6 +237,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Professional WMC
@@ -227,6 +248,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Enterprise
@@ -237,6 +259,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Embedded Industry
@@ -247,6 +270,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Windows RT
@@ -257,6 +281,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Windows Phone 8.1
@@ -265,11 +290,12 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
✔
-
Windows 10
+
Windows 10
Home
@@ -280,6 +306,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
Professional
@@ -290,6 +317,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
Education
@@ -300,6 +328,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
D
+
Enterprise
@@ -310,6 +339,18 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
✔
+
+
+
+
Enterprise LTSC
+
+
+
+
+
✔
+
✔
+
+
Mobile
@@ -318,6 +359,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
✔
✔
@@ -328,16 +370,19 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
+
D
✔
+
## Related Topics
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+[Windows 10 downgrade paths](windows-10-downgrade-paths.md)
diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md
index f7f5d176dd..de3ae148a3 100644
--- a/windows/deployment/windows-10-enterprise-subscription-activation.md
+++ b/windows/deployment/windows-10-enterprise-subscription-activation.md
@@ -68,7 +68,7 @@ With Windows 10 Enterprise, businesses can benefit from enterprise-level securit
You can benefit by moving to Windows as an online service in the following ways:
1. Licenses for Windows 10 Enterprise are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
-2. Azure AD logon triggers a silent edition upgrade, with no reboot required
+2. User logon triggers a silent edition upgrade, with no reboot required
3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
4. Compliance support via seat assignment.
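Review bot: Changing item 2 from "Azure AD logon" to "User logon" makes the trigger broader than item 1 describes, where licences are checked against Azure AD credentials. If the silent edition upgrade only occurs when a user with an assigned licence signs in with Azure AD credentials, say so (for example "Sign-in by a licensed user triggers ..."), so admins do not expect local-account sign-ins to change the edition. The item is also missing its closing period, unlike items 1, 3 and 4.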
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
deleted file mode 100644
index 9f19b7a064..0000000000
--- a/windows/device-security/change-history-for-device-security.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Change history for device security (Windows 10)
-description: This topic lists new and updated topics in the Windows 10 device security documentation for Windows 10 and Windows 10 Mobile.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 11/27/2017
----
-
-# Change history for device security
-This topic lists new and updated topics in the [Device security](index.md) documentation.
-
-## November 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [How to enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI. |
-
-## October 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [TPM fundamentals](tpm/tpm-fundamentals.md) [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
-| [Windows security baselines](windows-security-baselines.md) | New. Security baselines added for Windows 10, versions 1703 and 1709. |
-| [Security Compliance Toolkit](security-compliance-toolkit-10.md) | New. Includes a link to tools for managing security baselines. |
-| [Get support for security baselines](get-support-for-security-baselines.md) | New. Explains supported versions for security baselines and other support questions. |
-
-
-
-## August 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
-| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
-
-
-## July 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
-
-
-## May 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. |
-| [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) | New security policy setting. |
-
-## March 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md) | Updated to include additional security qualifications starting with Windows 10, version 1703.|
\ No newline at end of file
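Review bot: This hunk deletes `change-history-for-device-security.md` outright, with no redirect stub visible for it, while other moved topics in this change set are reduced to a `redirect_url` front-matter file. Either leave a redirect to the new location of the device security change history, or confirm that no TOC entry or inbound link still points at this path. The deleted history recorded security-relevant changes (BitLocker PIN length, the SAM remote-call policy), so verify those entries were carried over rather than dropped.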
diff --git a/windows/device-security/index.md b/windows/device-security/index.md
index 0aeca25c88..be91262028 100644
--- a/windows/device-security/index.md
+++ b/windows/device-security/index.md
@@ -1,27 +1,3 @@
---
-title: Device Security (Windows 10)
-description: Learn more about how to help secure your Windows 10 and Windows 10 Mobile devices.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 04/24/2017
----
-
-# Device Security
-
-Learn more about how to help secure your Windows 10 and Windows 10 Mobile devices.
-
-| Section | Description |
-|-|-|
-| [AppLocker](applocker/applocker-overview.md)| Describes AppLocker, and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
-| [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
-| [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) | Learn more about protecting high-value assets. |
-| [Device Guard deployment guide](device-guard/device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
-| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
-| [Security auditing](auditing/security-auditing-overview.md)| Describes how the IT professional can use the security auditing features in Windows, and how organizations can benefit from using these technologies, to enhance the security and manageability of networks.|
-| [Security policy settings](security-policy-settings/security-policy-settings.md)| Provides a collection of reference topics that describe the common scenarios, architecture, and processes for security settings.|
-| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
-| [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) | Learn more about securing your Windows 10 Mobile devices. |
-| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
+redirect_url: https://docs.microsoft.com/windows/security/threat-protection/
+---
\ No newline at end of file
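Review bot: the new `redirect_url` in the replaced front matter sends every visitor of the old Device Security landing page to `/windows/security/threat-protection/`, but topics this page listed, such as Encrypted Hard Drive and Trusted Platform Module, are moved by this same patch to `windows/security/hardware-protection/`. Consider redirecting to the `/windows/security` hub that the updated hub TOC links to, so readers following old links to TPM or Encrypted Hard Drive content do not land in an unrelated section.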
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 61ac5b3dfc..43202e6dde 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -5,8 +5,6 @@
## [Configuration](/windows/configuration)
## [Client management](/windows/client-management)
## [Application management](/windows/application-management)
-## [Access protection](/windows/access-protection)
-## [Device security](/windows/device-security)
-## [Threat protection](/windows/threat-protection)
+## [Security](/windows/security)
## [Troubleshooting](/windows/client-management/windows-10-support-solutions)
## [Other Windows client versions](https://docs.microsoft.com/previous-versions/windows)
\ No newline at end of file
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index f876a162da..2d61591d22 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -6,31 +6,42 @@
tocHref: /windows
topicHref: /windows/windows-10
items:
- - name: What's new
- tocHref: /windows/whats-new/
- topicHref: /windows/whats-new/index
- - name: Configuration
- tocHref: /windows/configuration/
- topicHref: /windows/configuration/index
- - name: Deployment
- tocHref: /windows/deployment/
- topicHref: /windows/deployment/index
- - name: Application management
- tocHref: /windows/application-management/
- topicHref: /windows/application-management/index
- - name: Client management
- tocHref: /windows/client-management/
- topicHref: /windows/client-management/index
- items:
- - name: Mobile Device Management
- tocHref: /windows/client-management/mdm
- topicHref: /windows/client-management/mdm/index
- - name: Access protection
- tocHref: /windows/access-protection/
- topicHref: /windows/access-protection/index
- - name: Device security
- tocHref: /windows/device-security/
- topicHref: /windows/device-security/index
- - name: Threat protection
- tocHref: /windows/threat-protection/
- topicHref: /windows/threat-protection/index
\ No newline at end of file
+ - name: What's new
+ tocHref: /windows/whats-new/
+ topicHref: /windows/whats-new/index
+ - name: Configuration
+ tocHref: /windows/configuration/
+ topicHref: /windows/configuration/index
+ - name: Deployment
+ tocHref: /windows/deployment/
+ topicHref: /windows/deployment/index
+ - name: Application management
+ tocHref: /windows/application-management/
+ topicHref: /windows/application-management/index
+ - name: Client management
+ tocHref: /windows/client-management/
+ topicHref: /windows/client-management/index
+ items:
+ - name: Mobile Device Management
+ tocHref: /windows/client-management/mdm/
+ topicHref: /windows/client-management/mdm/index
+ - name: Security
+ tocHref: /windows/security/
+ topicHref: /windows/security/index
+ items:
+ - name: Identity and access protection
+ tocHref: /windows/security/identity-protection/
+ topicHref: /windows/security/identity-protection/index
+ items:
+ - name: Windows Hello for Business
+ tocHref: /windows/security/identity-protection/hello-for-business
+ topicHref: /windows/security/identity-protection/hello-for-business/hello-identity-verification
+ - name: Threat protection
+ tocHref: /windows/security/threat-protection/
+ topicHref: /windows/security/threat-protection/index
+ - name: Information protection
+ tocHref: /windows/security/information-protection/
+ topicHref: /windows/security/information-protection/index
+ - name: Hardware-based protection
+ tocHref: /windows/security/hardware-protection/
+ topicHref: /windows/security/hardware-protection/index
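Review bot: the added Windows Hello for Business entry has `tocHref: /windows/security/identity-protection/hello-for-business` with no trailing slash, while every other `tocHref` in the new block ends in `/`, and this hunk adds the slash to the Mobile Device Management entry. Add the trailing slash here as well so that prefix matching behaves the same for all nodes.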
diff --git a/windows/hub/images/W10-WaaS-poster-old.PNG b/windows/hub/images/W10-WaaS-poster-old.PNG
new file mode 100644
index 0000000000..d3887faf89
Binary files /dev/null and b/windows/hub/images/W10-WaaS-poster-old.PNG differ
diff --git a/windows/hub/images/W10-WaaS-poster.PNG b/windows/hub/images/W10-WaaS-poster.PNG
index d3887faf89..de2251a9f2 100644
Binary files a/windows/hub/images/W10-WaaS-poster.PNG and b/windows/hub/images/W10-WaaS-poster.PNG differ
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 7e87fea288..73eff095ff 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -8,63 +8,51 @@ author: greg-lindsay
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.date: 12/18/2017
+ms.date: 02/02/2018
---
# Windows 10 and Windows 10 Mobile
Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
-
@@ -74,9 +62,9 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
- These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
- - [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
+- [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
## Related topics
[Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
diff --git a/windows/security/TOC.md b/windows/security/TOC.md
index 06913f7aef..1a508b07b8 100644
--- a/windows/security/TOC.md
+++ b/windows/security/TOC.md
@@ -1 +1,5 @@
-# [Index](index.md)
\ No newline at end of file
+# [Security](index.yml)
+## [Identity and access management](identity-protection/index.md)
+## [Threat protection](threat-protection/index.md)
+## [Information protection](information-protection/index.md)
+## [Hardware-based protection](hardware-protection/index.md)
\ No newline at end of file
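Review bot: the second-level entry is titled "Identity and access management", but the breadcrumb `toc.yml` in this patch names the same `identity-protection/` section "Identity and access protection". Pick one name and use it in both places so the TOC and the breadcrumb agree. The file also still ends without a trailing newline; adding one avoids the `\ No newline at end of file` marker on the next edit.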
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 3df713a185..18fe87fb57 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -20,7 +20,8 @@
{
"files": [
"**/*.png",
- "**/*.jpg"
+ "**/*.jpg",
+ "**/*.gif"
],
"exclude": [
"**/obj/**",
@@ -35,8 +36,7 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "justinha",
- "extendBreadcrumb": true
+ "ms.author": "justinha"
},
"fileMetadata": {},
"template": [],
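Review bot: the removal of `"extendBreadcrumb": true` after the `ms.author` line is not explained by anything visible in the change, and it lands alongside a rewrite of the breadcrumb `toc.yml` that adds nested Security items. Please state the reason in the commit message and confirm that breadcrumbs for pages under `windows/security/` still render the full Security path once the flag is gone.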
diff --git a/windows/security/hardware-protection/TOC.md b/windows/security/hardware-protection/TOC.md
new file mode 100644
index 0000000000..86788da403
--- /dev/null
+++ b/windows/security/hardware-protection/TOC.md
@@ -0,0 +1,21 @@
+# [Hardware-based protection](index.md)
+
+## [Encrypted Hard Drive](encrypted-hard-drive.md)
+
+## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
+
+## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
+
+## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
+### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
+### [TPM fundamentals](tpm/tpm-fundamentals.md)
+### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
+### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
+### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
+### [Manage TPM commands](tpm/manage-tpm-commands.md)
+### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
+### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
+### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
+### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
+### [TPM recommendations](tpm/tpm-recommendations.md)
+
diff --git a/windows/device-security/encrypted-hard-drive.md b/windows/security/hardware-protection/encrypted-hard-drive.md
similarity index 100%
rename from windows/device-security/encrypted-hard-drive.md
rename to windows/security/hardware-protection/encrypted-hard-drive.md
diff --git a/windows/threat-protection/how-hardware-based-containers-help-protect-windows.md b/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md
similarity index 100%
rename from windows/threat-protection/how-hardware-based-containers-help-protect-windows.md
rename to windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md
diff --git a/windows/threat-protection/images/application-guard-and-system-guard.png b/windows/security/hardware-protection/images/application-guard-and-system-guard.png
similarity index 100%
rename from windows/threat-protection/images/application-guard-and-system-guard.png
rename to windows/security/hardware-protection/images/application-guard-and-system-guard.png
diff --git a/windows/threat-protection/images/dn168167.boot_process(en-us,MSDN.10).png b/windows/security/hardware-protection/images/dn168167.boot_process(en-us,MSDN.10).png
similarity index 100%
rename from windows/threat-protection/images/dn168167.boot_process(en-us,MSDN.10).png
rename to windows/security/hardware-protection/images/dn168167.boot_process(en-us,MSDN.10).png
diff --git a/windows/threat-protection/images/dn168167.measure_boot(en-us,MSDN.10).png b/windows/security/hardware-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
similarity index 100%
rename from windows/threat-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
rename to windows/security/hardware-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
diff --git a/windows/threat-protection/images/traditional-windows-software-stack.png b/windows/security/hardware-protection/images/traditional-windows-software-stack.png
similarity index 100%
rename from windows/threat-protection/images/traditional-windows-software-stack.png
rename to windows/security/hardware-protection/images/traditional-windows-software-stack.png
diff --git a/windows/threat-protection/images/windows-defender-system-guard.png b/windows/security/hardware-protection/images/windows-defender-system-guard.png
similarity index 100%
rename from windows/threat-protection/images/windows-defender-system-guard.png
rename to windows/security/hardware-protection/images/windows-defender-system-guard.png
diff --git a/windows/security/hardware-protection/index.md b/windows/security/hardware-protection/index.md
new file mode 100644
index 0000000000..454b0ec4e1
--- /dev/null
+++ b/windows/security/hardware-protection/index.md
@@ -0,0 +1,21 @@
+---
+title: Hardware-based Protection (Windows 10)
+description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 02/05/2018
+---
+
+# Hardware-based protection
+
+Windows 10 leverages these hardware-based security features to protect and maintain system integrity.
+
+| Section | Description |
+|-|-|
+| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
+|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.|
+|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.|
+| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
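Review bot: the front matter `description` ("Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.") reads as threat-protection text and does not describe this page. Reword it to match the intro sentence about hardware-based security features. Two smaller points: `title` uses "Hardware-based Protection" while the H1 uses "Hardware-based protection", and the Secure boot row's "malware, including rootkits and other applications" is unclear about what "other applications" refers to.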
diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/security/hardware-protection/secure-the-windows-10-boot-process.md
similarity index 100%
rename from windows/threat-protection/secure-the-windows-10-boot-process.md
rename to windows/security/hardware-protection/secure-the-windows-10-boot-process.md
diff --git a/windows/device-security/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
similarity index 100%
rename from windows/device-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
rename to windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
diff --git a/windows/device-security/tpm/change-the-tpm-owner-password.md b/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md
similarity index 100%
rename from windows/device-security/tpm/change-the-tpm-owner-password.md
rename to windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md
diff --git a/windows/device-security/tpm/how-windows-uses-the-tpm.md b/windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md
similarity index 100%
rename from windows/device-security/tpm/how-windows-uses-the-tpm.md
rename to windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md
diff --git a/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png b/windows/security/hardware-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
similarity index 100%
rename from windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
rename to windows/security/hardware-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
diff --git a/windows/device-security/tpm/images/tpm-capabilities.png b/windows/security/hardware-protection/tpm/images/tpm-capabilities.png
similarity index 100%
rename from windows/device-security/tpm/images/tpm-capabilities.png
rename to windows/security/hardware-protection/tpm/images/tpm-capabilities.png
diff --git a/windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
similarity index 100%
rename from windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
rename to windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
diff --git a/windows/device-security/tpm/manage-tpm-commands.md b/windows/security/hardware-protection/tpm/manage-tpm-commands.md
similarity index 100%
rename from windows/device-security/tpm/manage-tpm-commands.md
rename to windows/security/hardware-protection/tpm/manage-tpm-commands.md
diff --git a/windows/device-security/tpm/manage-tpm-lockout.md b/windows/security/hardware-protection/tpm/manage-tpm-lockout.md
similarity index 100%
rename from windows/device-security/tpm/manage-tpm-lockout.md
rename to windows/security/hardware-protection/tpm/manage-tpm-lockout.md
diff --git a/windows/device-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
similarity index 100%
rename from windows/device-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
rename to windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
diff --git a/windows/device-security/tpm/tpm-fundamentals.md b/windows/security/hardware-protection/tpm/tpm-fundamentals.md
similarity index 100%
rename from windows/device-security/tpm/tpm-fundamentals.md
rename to windows/security/hardware-protection/tpm/tpm-fundamentals.md
diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/security/hardware-protection/tpm/tpm-recommendations.md
similarity index 100%
rename from windows/device-security/tpm/tpm-recommendations.md
rename to windows/security/hardware-protection/tpm/tpm-recommendations.md
diff --git a/windows/device-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
similarity index 100%
rename from windows/device-security/tpm/trusted-platform-module-overview.md
rename to windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md
similarity index 100%
rename from windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
rename to windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md
diff --git a/windows/device-security/tpm/trusted-platform-module-top-node.md b/windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md
similarity index 100%
rename from windows/device-security/tpm/trusted-platform-module-top-node.md
rename to windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md
diff --git a/windows/access-protection/TOC.md b/windows/security/identity-protection/TOC.md
similarity index 98%
rename from windows/access-protection/TOC.md
rename to windows/security/identity-protection/TOC.md
index acb2519e1d..7fde2f9d2f 100644
--- a/windows/access-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -1,4 +1,4 @@
-# [Access protection](access-control/access-control.md)
+# [Identity and access management](index.md)
## [Access Control Overview](access-control/access-control.md)
### [Dynamic Access Control Overview](access-control/dynamic-access-control.md)
@@ -17,6 +17,8 @@
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
+## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
+
## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
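Review bot: the added entry links to `how-hardware-based-containers-help-protect-windows.md` relative to `identity-protection/`, but the only rename of that file visible in this patch moves it to `windows/security/hardware-protection/`, so the link will not resolve unless a second copy exists here. Point it at `../hardware-protection/how-hardware-based-containers-help-protect-windows.md`, or drop the entry, since the hardware-protection TOC already lists the topic.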
@@ -65,6 +67,7 @@
### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md)
### [VPN security features](vpn\vpn-security-features.md)
### [VPN profile options](vpn\vpn-profile-options.md)
+### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md)
### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
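Review bot: the new VPN entry copies the backslash separator from its neighbours (`vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md`). A backslash is not a URL path separator, so prefer `vpn/...` for the new line, and ideally for the surrounding entries in a follow-up. The title should also read "Diffie-Hellman" with a hyphen.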
diff --git a/windows/access-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
similarity index 100%
rename from windows/access-protection/access-control/access-control.md
rename to windows/security/identity-protection/access-control/access-control.md
diff --git a/windows/access-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
similarity index 100%
rename from windows/access-protection/access-control/active-directory-accounts.md
rename to windows/security/identity-protection/access-control/active-directory-accounts.md
diff --git a/windows/access-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
similarity index 100%
rename from windows/access-protection/access-control/active-directory-security-groups.md
rename to windows/security/identity-protection/access-control/active-directory-security-groups.md
diff --git a/windows/access-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md
similarity index 100%
rename from windows/access-protection/access-control/dynamic-access-control.md
rename to windows/security/identity-protection/access-control/dynamic-access-control.md
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample1.gif b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc1-sample1.gif
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc1-sample2.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc1-sample3.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc1-sample4.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc1-sample5.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc1-sample6.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc1-sample7.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc2-sample1.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc2-sample2.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc2-sample3.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc2-sample4.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc2-sample5.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc2-sample6.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc2-sample7.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png
diff --git a/windows/access-protection/access-control/images/adlocalaccounts-proc3-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png
similarity index 100%
rename from windows/access-protection/access-control/images/adlocalaccounts-proc3-sample1.png
rename to windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png
diff --git a/windows/access-protection/access-control/images/authorizationandaccesscontrolprocess.gif b/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif
similarity index 100%
rename from windows/access-protection/access-control/images/authorizationandaccesscontrolprocess.gif
rename to windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif
diff --git a/windows/access-protection/access-control/images/corpnet.gif b/windows/security/identity-protection/access-control/images/corpnet.gif
similarity index 100%
rename from windows/access-protection/access-control/images/corpnet.gif
rename to windows/security/identity-protection/access-control/images/corpnet.gif
diff --git a/windows/access-protection/access-control/images/localaccounts-proc1-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc1-sample1.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png
diff --git a/windows/access-protection/access-control/images/localaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc1-sample2.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png
diff --git a/windows/access-protection/access-control/images/localaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc1-sample3.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png
diff --git a/windows/access-protection/access-control/images/localaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc1-sample4.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png
diff --git a/windows/access-protection/access-control/images/localaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc1-sample5.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png
diff --git a/windows/access-protection/access-control/images/localaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc1-sample6.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png
diff --git a/windows/access-protection/access-control/images/localaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc2-sample1.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png
diff --git a/windows/access-protection/access-control/images/localaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc2-sample2.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png
diff --git a/windows/access-protection/access-control/images/localaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png
similarity index 100%
rename from windows/access-protection/access-control/images/localaccounts-proc2-sample3.png
rename to windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png
diff --git a/windows/access-protection/access-control/images/security-identifider-architecture.jpg b/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg
similarity index 100%
rename from windows/access-protection/access-control/images/security-identifider-architecture.jpg
rename to windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg
diff --git a/windows/access-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
similarity index 100%
rename from windows/access-protection/access-control/local-accounts.md
rename to windows/security/identity-protection/access-control/local-accounts.md
diff --git a/windows/access-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md
similarity index 100%
rename from windows/access-protection/access-control/microsoft-accounts.md
rename to windows/security/identity-protection/access-control/microsoft-accounts.md
diff --git a/windows/access-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
similarity index 100%
rename from windows/access-protection/access-control/security-identifiers.md
rename to windows/security/identity-protection/access-control/security-identifiers.md
diff --git a/windows/access-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
similarity index 100%
rename from windows/access-protection/access-control/security-principals.md
rename to windows/security/identity-protection/access-control/security-principals.md
diff --git a/windows/access-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md
similarity index 100%
rename from windows/access-protection/access-control/service-accounts.md
rename to windows/security/identity-protection/access-control/service-accounts.md
diff --git a/windows/access-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
similarity index 100%
rename from windows/access-protection/access-control/special-identities.md
rename to windows/security/identity-protection/access-control/special-identities.md
diff --git a/windows/access-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md
similarity index 83%
rename from windows/access-protection/change-history-for-access-protection.md
rename to windows/security/identity-protection/change-history-for-access-protection.md
index 475c582f61..ceecf5c712 100644
--- a/windows/access-protection/change-history-for-access-protection.md
+++ b/windows/security/identity-protection/change-history-for-access-protection.md
@@ -17,6 +17,12 @@ This topic lists new and updated topics in the [Access protection](index.md) doc
|---------------------|------------|
|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.|
+## June 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New |
+
+
## March 2017
|New or changed topic |Description |
|---------------------|------------|
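Review bot: The added `## June 2017` heading sits on the line directly after the last row of the preceding table, with no blank line between them, while the two blank lines this hunk adds come after the new table instead. Add a blank line before the heading so it renders reliably as a heading in every Markdown renderer. The new row links to `how-hardware-based-containers-help-protect-windows.md` by relative path, so confirm that target resolves from the new `windows/security/identity-protection/` location. The hunk header shows the intro still pointing at `[Access protection](index.md)` after the move.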
diff --git a/windows/access-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
similarity index 100%
rename from windows/access-protection/configure-s-mime.md
rename to windows/security/identity-protection/configure-s-mime.md
diff --git a/windows/access-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
similarity index 100%
rename from windows/access-protection/credential-guard/additional-mitigations.md
rename to windows/security/identity-protection/credential-guard/additional-mitigations.md
diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard-considerations.md
rename to windows/security/identity-protection/credential-guard/credential-guard-considerations.md
diff --git a/windows/access-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard-how-it-works.md
rename to windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard-known-issues.md
rename to windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard-manage.md
rename to windows/security/identity-protection/credential-guard/credential-guard-manage.md
diff --git a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
rename to windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
diff --git a/windows/access-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard-protection-limits.md
rename to windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard-requirements.md
rename to windows/security/identity-protection/credential-guard/credential-guard-requirements.md
diff --git a/windows/access-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard-scripts.md
rename to windows/security/identity-protection/credential-guard/credential-guard-scripts.md
diff --git a/windows/access-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
similarity index 100%
rename from windows/access-protection/credential-guard/credential-guard.md
rename to windows/security/identity-protection/credential-guard/credential-guard.md
diff --git a/windows/access-protection/credential-guard/images/credguard-gp.png b/windows/security/identity-protection/credential-guard/images/credguard-gp.png
similarity index 100%
rename from windows/access-protection/credential-guard/images/credguard-gp.png
rename to windows/security/identity-protection/credential-guard/images/credguard-gp.png
diff --git a/windows/access-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png
similarity index 100%
rename from windows/access-protection/credential-guard/images/credguard-msinfo32.png
rename to windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png
diff --git a/windows/access-protection/credential-guard/images/credguard.png b/windows/security/identity-protection/credential-guard/images/credguard.png
similarity index 100%
rename from windows/access-protection/credential-guard/images/credguard.png
rename to windows/security/identity-protection/credential-guard/images/credguard.png
diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
similarity index 100%
rename from windows/access-protection/enterprise-certificate-pinning.md
rename to windows/security/identity-protection/enterprise-certificate-pinning.md
diff --git a/windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-adequate-domain-controllers.md
rename to windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
diff --git a/windows/access-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-and-password-changes.md
rename to windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
diff --git a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
rename to windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-cert-trust-adfs.md
rename to windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
rename to windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md
rename to windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
rename to windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
rename to windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md
rename to windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
diff --git a/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
similarity index 95%
rename from windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
rename to windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 5fb663bb6a..be893d7fb9 100644
--- a/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -20,7 +20,7 @@ ms.date: 07/27/2017
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
-Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
+Below, you can find all the information you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
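Review bot: The context line just above the typo fix still reads "based on asymmetric key pair" with no article. The same sentence is corrected to "based on an asymmetric key pair" in hello-deployment-guide.md elsewhere in this patch, so fix it here as well to keep the two guides consistent.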
diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
similarity index 51%
rename from windows/access-protection/hello-for-business/hello-deployment-guide.md
rename to windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 4987bee4f7..0015a73387 100644
--- a/windows/access-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -19,13 +19,13 @@ ms.date: 11/08/2017
> This guide only applies to Windows 10, version 1703 or higher.
-Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair.
+Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
## Assumptions
-This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
* A well-connected, working network
* Internet access
* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
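Review bot: In the Assumptions paragraph, "assumes that baseline infrastructure exists which meets the requirements" replaces a restrictive "that" with "which" and reads more awkwardly than the line it removes. Something like "assumes a baseline infrastructure that meets the requirements for your deployment already exists" keeps the restrictive clause. The untouched sentence "This deployment guide is to guide you through deploying" could be tightened in the same pass.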
@@ -34,17 +34,20 @@ This guide assumes a baseline infrastructure exists that meets the requirements
* Active Directory Certificate Services 2012 or later
* One or more workstation computers running Windows 10, version 1703
-If you are installing a role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
+If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
Do not begin your deployment until the hosting servers and infrastructure (not roles) identified in your prerequisite worksheet are configured and properly working.
## Deployment and trust models
-Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: Key trust or certificate trust.
+Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: *Key trust* or *certificate trust*.
-Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
+Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
-The trust model determines how you want users to authentication to the on-premises Active Directory. Remember hybrid environments use Azure Active Directory and on-premises Active Directory. The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and they have an adequate number of 2016 domain controllers in each site to support the authentication. The certificate-trust model is for enterprise that do want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. The certificate trust model is also enterprise who are not ready to deploy Windows Server 2016 domain controllers.
+The trust model determines how you want users to authenticate to the on-premises Active Directory:
+* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
+* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
+* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
Following are the various deployment guides included in this topic:
* [Hybrid Key Trust Deployment](hello-hybrid-key-trust.md)
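Review bot: The rewritten trust-model list drops the removed paragraph's reminder that hybrid environments use both Azure Active Directory and on-premises Active Directory. If that was not intentional, restore the sentence before the list. In the added bullets, "for enterprise that *do* want" should read "enterprises", "certificate-trust" and "certificate trust" are hyphenated inconsistently, and "Domain Controllers" is capitalized in the third bullet but lowercase in the first. The list starts on the line immediately after its introductory sentence, so add a blank line before the first `*` to make it render as a list everywhere. The `-`/`+` pair for the "Hybrid deployments are for enterprises" line shows no visible text difference, so confirm the whitespace-only change is wanted.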
@@ -55,5 +58,5 @@ Following are the various deployment guides included in this topic:
## Provisioning
-The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
+Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
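Review bot: In the Provisioning sentence, "viewing the **User Device Registration** in the **Event Viewer**" never names what is being viewed. Say that it is a log, for example "the **User Device Registration** log in **Event Viewer**", so an admin troubleshooting a failed prerequisite check knows where to look. The clause "begins immediately after the user has signed in, after the user profile is loaded" would also read better with the two "after" phrases merged into one.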
diff --git a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-deployment-key-trust.md
rename to windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
diff --git a/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
rename to windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
diff --git a/windows/access-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-event-300.md
rename to windows/security/identity-protection/hello-for-business/hello-event-300.md
diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-features.md
rename to windows/security/identity-protection/hello-for-business/hello-features.md
diff --git a/windows/access-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-how-it-works.md
rename to windows/security/identity-protection/hello-for-business/hello-how-it-works.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-new-install.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-trust.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-new-install.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-trust.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-identity-verification.md
rename to windows/security/identity-protection/hello-for-business/hello-identity-verification.md
diff --git a/windows/access-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-key-trust-adfs.md
rename to windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
diff --git a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md
rename to windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
diff --git a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md
rename to windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
rename to windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
rename to windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md
rename to windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-manage-in-organization.md
rename to windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
diff --git a/windows/access-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-overview.md
rename to windows/security/identity-protection/hello-for-business/hello-overview.md
diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-planning-guide.md
rename to windows/security/identity-protection/hello-for-business/hello-planning-guide.md
diff --git a/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
rename to windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
similarity index 100%
rename from windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
rename to windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
diff --git a/windows/access-protection/hello-for-business/images/SetupAPin.png b/windows/security/identity-protection/hello-for-business/images/SetupAPin.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/SetupAPin.png
rename to windows/security/identity-protection/hello-for-business/images/SetupAPin.png
diff --git a/windows/access-protection/hello-for-business/images/authflow.png b/windows/security/identity-protection/hello-for-business/images/authflow.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/authflow.png
rename to windows/security/identity-protection/hello-for-business/images/authflow.png
diff --git a/windows/access-protection/hello-for-business/images/connect.png b/windows/security/identity-protection/hello-for-business/images/connect.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/connect.png
rename to windows/security/identity-protection/hello-for-business/images/connect.png
diff --git a/windows/access-protection/hello-for-business/images/corpown.png b/windows/security/identity-protection/hello-for-business/images/corpown.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/corpown.png
rename to windows/security/identity-protection/hello-for-business/images/corpown.png
diff --git a/windows/access-protection/hello-for-business/images/createPin.png b/windows/security/identity-protection/hello-for-business/images/createPin.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/createPin.png
rename to windows/security/identity-protection/hello-for-business/images/createPin.png
diff --git a/windows/access-protection/hello-for-business/images/dc-chart1.png b/windows/security/identity-protection/hello-for-business/images/dc-chart1.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/dc-chart1.png
rename to windows/security/identity-protection/hello-for-business/images/dc-chart1.png
diff --git a/windows/access-protection/hello-for-business/images/dc-chart2.png b/windows/security/identity-protection/hello-for-business/images/dc-chart2.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/dc-chart2.png
rename to windows/security/identity-protection/hello-for-business/images/dc-chart2.png
diff --git a/windows/access-protection/hello-for-business/images/dc-chart3.png b/windows/security/identity-protection/hello-for-business/images/dc-chart3.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/dc-chart3.png
rename to windows/security/identity-protection/hello-for-business/images/dc-chart3.png
diff --git a/windows/access-protection/hello-for-business/images/dc-chart4.png b/windows/security/identity-protection/hello-for-business/images/dc-chart4.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/dc-chart4.png
rename to windows/security/identity-protection/hello-for-business/images/dc-chart4.png
diff --git a/windows/access-protection/hello-for-business/images/dc-chart5.png b/windows/security/identity-protection/hello-for-business/images/dc-chart5.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/dc-chart5.png
rename to windows/security/identity-protection/hello-for-business/images/dc-chart5.png
diff --git a/windows/access-protection/hello-for-business/images/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/dsregcmd.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/dsregcmd.png
rename to windows/security/identity-protection/hello-for-business/images/dsregcmd.png
diff --git a/windows/access-protection/hello-for-business/images/event358.png b/windows/security/identity-protection/hello-for-business/images/event358.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/event358.png
rename to windows/security/identity-protection/hello-for-business/images/event358.png
diff --git a/windows/access-protection/hello-for-business/images/hello-adfs-configure-2012r2.png b/windows/security/identity-protection/hello-for-business/images/hello-adfs-configure-2012r2.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-adfs-configure-2012r2.png
rename to windows/security/identity-protection/hello-for-business/images/hello-adfs-configure-2012r2.png
diff --git a/windows/access-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-cmd-netdom.png
rename to windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png
diff --git a/windows/access-protection/hello-for-business/images/hello-internal-web-server-cert.png b/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-internal-web-server-cert.png
rename to windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-mfa-company-settings.png
rename to windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-mfa-content-edit-email.png
rename to windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-mfa-sync-item.png
rename to windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
rename to windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-add-ip.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-add-ip.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-nlb-add-ip.png
rename to windows/security/identity-protection/hello-for-business/images/hello-nlb-add-ip.png
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png
rename to windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png
rename to windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-nlb-cluster.png
rename to windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster.png
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-connect.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-connect.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-nlb-connect.png
rename to windows/security/identity-protection/hello-for-business/images/hello-nlb-connect.png
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-feature-install.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-feature-install.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-nlb-feature-install.png
rename to windows/security/identity-protection/hello-for-business/images/hello-nlb-feature-install.png
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-manager.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-manager.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello-nlb-manager.png
rename to windows/security/identity-protection/hello-for-business/images/hello-nlb-manager.png
diff --git a/windows/access-protection/hello-for-business/images/hello_filter.png b/windows/security/identity-protection/hello-for-business/images/hello_filter.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello_filter.png
rename to windows/security/identity-protection/hello-for-business/images/hello_filter.png
diff --git a/windows/access-protection/hello-for-business/images/hello_gear.png b/windows/security/identity-protection/hello-for-business/images/hello_gear.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello_gear.png
rename to windows/security/identity-protection/hello-for-business/images/hello_gear.png
diff --git a/windows/access-protection/hello-for-business/images/hello_lock.png b/windows/security/identity-protection/hello-for-business/images/hello_lock.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello_lock.png
rename to windows/security/identity-protection/hello-for-business/images/hello_lock.png
diff --git a/windows/access-protection/hello-for-business/images/hello_users.png b/windows/security/identity-protection/hello-for-business/images/hello_users.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hello_users.png
rename to windows/security/identity-protection/hello-for-business/images/hello_users.png
diff --git a/windows/access-protection/hello-for-business/images/hellosettings.png b/windows/security/identity-protection/hello-for-business/images/hellosettings.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hellosettings.png
rename to windows/security/identity-protection/hello-for-business/images/hellosettings.png
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device1.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hybridct/device1.png
rename to windows/security/identity-protection/hello-for-business/images/hybridct/device1.png
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device2.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hybridct/device2.png
rename to windows/security/identity-protection/hello-for-business/images/hybridct/device2.png
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device3.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hybridct/device3.png
rename to windows/security/identity-protection/hello-for-business/images/hybridct/device3.png
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device4.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hybridct/device4.png
rename to windows/security/identity-protection/hello-for-business/images/hybridct/device4.png
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device5.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hybridct/device5.png
rename to windows/security/identity-protection/hello-for-business/images/hybridct/device5.png
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device6.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hybridct/device6.png
rename to windows/security/identity-protection/hello-for-business/images/hybridct/device6.png
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device7.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hybridct/device7.png
rename to windows/security/identity-protection/hello-for-business/images/hybridct/device7.png
diff --git a/windows/access-protection/hello-for-business/images/hybridct/device8.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/hybridct/device8.png
rename to windows/security/identity-protection/hello-for-business/images/hybridct/device8.png
diff --git a/windows/access-protection/hello-for-business/images/mfa.png b/windows/security/identity-protection/hello-for-business/images/mfa.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/mfa.png
rename to windows/security/identity-protection/hello-for-business/images/mfa.png
diff --git a/windows/access-protection/hello-for-business/images/passport-fig3-logicalcontainer.png b/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/passport-fig3-logicalcontainer.png
rename to windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png
diff --git a/windows/access-protection/hello-for-business/images/pinerror.png b/windows/security/identity-protection/hello-for-business/images/pinerror.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/pinerror.png
rename to windows/security/identity-protection/hello-for-business/images/pinerror.png
diff --git a/windows/access-protection/hello-for-business/images/pinreset/pin-reset-service-application.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/pinreset/pin-reset-service-application.png
rename to windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png
diff --git a/windows/access-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png
rename to windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png
diff --git a/windows/access-protection/hello-for-business/images/whfb-intune-reset-pin.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-intune-reset-pin.jpg
similarity index 100%
rename from windows/access-protection/hello-for-business/images/whfb-intune-reset-pin.jpg
rename to windows/security/identity-protection/hello-for-business/images/whfb-intune-reset-pin.jpg
diff --git a/windows/access-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png b/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
similarity index 100%
rename from windows/access-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
rename to windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
diff --git a/windows/access-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
similarity index 100%
rename from windows/access-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
rename to windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
diff --git a/windows/access-protection/hello-for-business/images/whfb-reset-pin-settings.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
similarity index 100%
rename from windows/access-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
rename to windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
similarity index 100%
rename from windows/access-protection/hello-for-business/toc.md
rename to windows/security/identity-protection/hello-for-business/toc.md
diff --git a/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md b/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md
new file mode 100644
index 0000000000..8b6124f000
--- /dev/null
+++ b/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md
@@ -0,0 +1,60 @@
+---
+title: How hardware-based containers help protect Windows 10 (Windows 10)
+description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: justinha
+ms.date: 06/29/2017
+---
+
+# How hardware-based containers help protect Windows 10
+
+Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
+Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard.
+
+Protecting system services and data with Windows Defender System Guard is an important first step, but is just the beginning of what we need to do as it doesn’t protect the rest of the operating system, information on the device, other apps, or the network.
+Since systems are generally compromised through the application layer, and often though browsers, Windows 10 includes Windows Defender Application Guard to isolate Microsoft Edge from the operating system, information on the device, and the network.
+With this, Windows can start to protect the broader range of resources.
+
+The following diagram shows Windows Defender System Guard and Windows Defender Application Guard in relation to the Windows 10 operating system.
+
+
+
+## What security threats do containers protect against
+
+Exploiting zero days and vulnerabilities are an increasing threat that attackers are attempting to take advantage of.
+The following diagram shows the traditional Windows software stack: a kernel with an app platform, and an app running on top of it.
+Let’s look at how an attacker might elevate privileges and move down the stack.
+
+
+
+In desktop operating systems, those apps typically run under the context of the user’s privileges.
+If the app was malicious, it would have access to all the files in the file system, all the settings that you as a user Standard user have access to, and so on.
+
+A different type of app may run under the context of an Administrator.
+If attackers exploit a vulnerability in that app, they could gain Administrator privileges.
+Then they can start turning off defenses.
+
+They can poke down a little bit lower in the stack and maybe elevate to System, which is greater than Administrator.
+Or if they can exploit the kernel mode, they can turn on and turn off all defenses, while at the same time making the computer look healthy.
+SecOps tools could report the computer as healthy when in fact it’s completely under the control of someone else.
+
+One way to address this threat is to use a sandbox, as smartphones do.
+That puts a layer between the app layer and the Windows platform services.
+Universal Windows Platform (UWP) applications work this way.
+But what if a vulnerability in the sandbox exists?
+The attacker can escape and take control of the system.
+
+## How containers help protect Windows 10
+
+Windows 10 addresses this by using virtualization based security to isolate more and more components out of Windows (left side) over time and moving those components into a separate, isolated hardware container.
+The container helps prevent zero days and vulnerabilities from allowing an attacker to take control of a device.
+
+Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised.
+Anything that's running in that container will also be secure against a compromised app.
+Initially, Windows Defender System Guard will protect things like authentication and other system services and data that needs to resist malware, and more things will be protected over time.
+
+
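Review bot: In the "How containers help protect Windows 10" section, "Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised" is stated as an absolute, while the sentence just before it says only that the container "helps prevent" takeover. I'd word it as isolation from the Windows kernel and apps rather than a guarantee of safety, so the page does not promise more than the preceding sentence does. The same section refers to "(left side)" and "the right side" but, unlike the two earlier sections, has no sentence introducing a diagram, so the reader has nothing to map those to. Smaller wording fixes: "often though browsers" should be "through", "all the settings that you as a user Standard user have access to" has a stray "user", "virtualization based security" should be hyphenated, and "Exploiting zero days and vulnerabilities are an increasing threat" needs a singular verb or a rephrase.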
diff --git a/windows/security/identity-protection/images/application-guard-and-system-guard.png b/windows/security/identity-protection/images/application-guard-and-system-guard.png
new file mode 100644
index 0000000000..b4b883db90
Binary files /dev/null and b/windows/security/identity-protection/images/application-guard-and-system-guard.png differ
diff --git a/windows/access-protection/images/emailsecurity.png b/windows/security/identity-protection/images/emailsecurity.png
similarity index 100%
rename from windows/access-protection/images/emailsecurity.png
rename to windows/security/identity-protection/images/emailsecurity.png
diff --git a/windows/access-protection/images/enterprise-certificate-pinning-converting-a-duration.png b/windows/security/identity-protection/images/enterprise-certificate-pinning-converting-a-duration.png
similarity index 100%
rename from windows/access-protection/images/enterprise-certificate-pinning-converting-a-duration.png
rename to windows/security/identity-protection/images/enterprise-certificate-pinning-converting-a-duration.png
diff --git a/windows/access-protection/images/enterprise-certificate-pinning-converting-an-xml-date.png b/windows/security/identity-protection/images/enterprise-certificate-pinning-converting-an-xml-date.png
similarity index 100%
rename from windows/access-protection/images/enterprise-certificate-pinning-converting-an-xml-date.png
rename to windows/security/identity-protection/images/enterprise-certificate-pinning-converting-an-xml-date.png
diff --git a/windows/access-protection/images/enterprise-certificate-pinning-pinrules-properties.png b/windows/security/identity-protection/images/enterprise-certificate-pinning-pinrules-properties.png
similarity index 100%
rename from windows/access-protection/images/enterprise-certificate-pinning-pinrules-properties.png
rename to windows/security/identity-protection/images/enterprise-certificate-pinning-pinrules-properties.png
diff --git a/windows/access-protection/images/enterprise-certificate-pinning-representing-a-date.png b/windows/security/identity-protection/images/enterprise-certificate-pinning-representing-a-date.png
similarity index 100%
rename from windows/access-protection/images/enterprise-certificate-pinning-representing-a-date.png
rename to windows/security/identity-protection/images/enterprise-certificate-pinning-representing-a-date.png
diff --git a/windows/access-protection/images/enterprise-certificate-pinning-representing-a-duration.png b/windows/security/identity-protection/images/enterprise-certificate-pinning-representing-a-duration.png
similarity index 100%
rename from windows/access-protection/images/enterprise-certificate-pinning-representing-a-duration.png
rename to windows/security/identity-protection/images/enterprise-certificate-pinning-representing-a-duration.png
diff --git a/windows/access-protection/images/enterprise-pinning-registry-binary-information.png b/windows/security/identity-protection/images/enterprise-pinning-registry-binary-information.png
similarity index 100%
rename from windows/access-protection/images/enterprise-pinning-registry-binary-information.png
rename to windows/security/identity-protection/images/enterprise-pinning-registry-binary-information.png
diff --git a/windows/access-protection/images/installcert.png b/windows/security/identity-protection/images/installcert.png
similarity index 100%
rename from windows/access-protection/images/installcert.png
rename to windows/security/identity-protection/images/installcert.png
diff --git a/windows/access-protection/images/mailsettings.png b/windows/security/identity-protection/images/mailsettings.png
similarity index 100%
rename from windows/access-protection/images/mailsettings.png
rename to windows/security/identity-protection/images/mailsettings.png
diff --git a/windows/access-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png b/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png
similarity index 100%
rename from windows/access-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png
rename to windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png
diff --git a/windows/access-protection/images/remote-credential-guard-gp.png b/windows/security/identity-protection/images/remote-credential-guard-gp.png
similarity index 100%
rename from windows/access-protection/images/remote-credential-guard-gp.png
rename to windows/security/identity-protection/images/remote-credential-guard-gp.png
diff --git a/windows/access-protection/images/remote-credential-guard.png b/windows/security/identity-protection/images/remote-credential-guard.png
similarity index 100%
rename from windows/access-protection/images/remote-credential-guard.png
rename to windows/security/identity-protection/images/remote-credential-guard.png
diff --git a/windows/access-protection/images/security-stages.png b/windows/security/identity-protection/images/security-stages.png
similarity index 100%
rename from windows/access-protection/images/security-stages.png
rename to windows/security/identity-protection/images/security-stages.png
diff --git a/windows/access-protection/images/signencrypt.png b/windows/security/identity-protection/images/signencrypt.png
similarity index 100%
rename from windows/access-protection/images/signencrypt.png
rename to windows/security/identity-protection/images/signencrypt.png
diff --git a/windows/security/identity-protection/images/traditional-windows-software-stack.png b/windows/security/identity-protection/images/traditional-windows-software-stack.png
new file mode 100644
index 0000000000..0da610c368
Binary files /dev/null and b/windows/security/identity-protection/images/traditional-windows-software-stack.png differ
diff --git a/windows/access-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png b/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png
similarity index 100%
rename from windows/access-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png
rename to windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png
diff --git a/windows/security/identity-protection/images/windows-defender-system-guard.png b/windows/security/identity-protection/images/windows-defender-system-guard.png
new file mode 100644
index 0000000000..865af86b19
Binary files /dev/null and b/windows/security/identity-protection/images/windows-defender-system-guard.png differ
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
new file mode 100644
index 0000000000..7208a54485
--- /dev/null
+++ b/windows/security/identity-protection/index.md
@@ -0,0 +1,29 @@
+---
+title: Identity and access management (Windows 10)
+description: Learn more about identity and access protection technologies in Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 02/05/2018
+---
+
+# Identity and access management
+
+Learn more about identity annd access management technologies in Windows 10 and Windows 10 Mobile.
+
+| Section | Description |
+|-|-|
+| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
+| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
+| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
+| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
+| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
+| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
+| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
+| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
+| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
+| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
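Review bot: The intro sentence under the H1 has a typo ("identity annd access management"), and the front-matter description says "identity and access protection" while the title and H1 say "identity and access management"; fix the spelling and settle on one term. In the table, the Smart Cards row reads "a collection of references topics" (should be "reference topics"), the Credential Guard row capitalizes "Pass-the-Hash or Pass-The-Ticket" inconsistently, and the User Account Control row lacks the spaces around its cell separators that every other row has. The Smart Cards row also sits between the VPN and Windows Hello rows rather than next to Virtual Smart Cards, so if the table is meant to be alphabetical it needs reordering.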
diff --git a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
similarity index 100%
rename from windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
rename to windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
diff --git a/windows/access-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
similarity index 100%
rename from windows/access-protection/remote-credential-guard.md
rename to windows/security/identity-protection/remote-credential-guard.md
diff --git a/windows/access-protection/smart-cards/images/sc-image101.png b/windows/security/identity-protection/smart-cards/images/sc-image101.png
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image101.png
rename to windows/security/identity-protection/smart-cards/images/sc-image101.png
diff --git a/windows/access-protection/smart-cards/images/sc-image201.gif b/windows/security/identity-protection/smart-cards/images/sc-image201.gif
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image201.gif
rename to windows/security/identity-protection/smart-cards/images/sc-image201.gif
diff --git a/windows/access-protection/smart-cards/images/sc-image203.gif b/windows/security/identity-protection/smart-cards/images/sc-image203.gif
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image203.gif
rename to windows/security/identity-protection/smart-cards/images/sc-image203.gif
diff --git a/windows/access-protection/smart-cards/images/sc-image205.png b/windows/security/identity-protection/smart-cards/images/sc-image205.png
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image205.png
rename to windows/security/identity-protection/smart-cards/images/sc-image205.png
diff --git a/windows/access-protection/smart-cards/images/sc-image206.gif b/windows/security/identity-protection/smart-cards/images/sc-image206.gif
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image206.gif
rename to windows/security/identity-protection/smart-cards/images/sc-image206.gif
diff --git a/windows/access-protection/smart-cards/images/sc-image302.gif b/windows/security/identity-protection/smart-cards/images/sc-image302.gif
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image302.gif
rename to windows/security/identity-protection/smart-cards/images/sc-image302.gif
diff --git a/windows/access-protection/smart-cards/images/sc-image402.png b/windows/security/identity-protection/smart-cards/images/sc-image402.png
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image402.png
rename to windows/security/identity-protection/smart-cards/images/sc-image402.png
diff --git a/windows/access-protection/smart-cards/images/sc-image403.png b/windows/security/identity-protection/smart-cards/images/sc-image403.png
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image403.png
rename to windows/security/identity-protection/smart-cards/images/sc-image403.png
diff --git a/windows/access-protection/smart-cards/images/sc-image404.png b/windows/security/identity-protection/smart-cards/images/sc-image404.png
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image404.png
rename to windows/security/identity-protection/smart-cards/images/sc-image404.png
diff --git a/windows/access-protection/smart-cards/images/sc-image405.png b/windows/security/identity-protection/smart-cards/images/sc-image405.png
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image405.png
rename to windows/security/identity-protection/smart-cards/images/sc-image405.png
diff --git a/windows/access-protection/smart-cards/images/sc-image406.png b/windows/security/identity-protection/smart-cards/images/sc-image406.png
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image406.png
rename to windows/security/identity-protection/smart-cards/images/sc-image406.png
diff --git a/windows/access-protection/smart-cards/images/sc-image407.png b/windows/security/identity-protection/smart-cards/images/sc-image407.png
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image407.png
rename to windows/security/identity-protection/smart-cards/images/sc-image407.png
diff --git a/windows/access-protection/smart-cards/images/sc-image501.gif b/windows/security/identity-protection/smart-cards/images/sc-image501.gif
similarity index 100%
rename from windows/access-protection/smart-cards/images/sc-image501.gif
rename to windows/security/identity-protection/smart-cards/images/sc-image501.gif
diff --git a/windows/access-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-and-remote-desktop-services.md
rename to windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
diff --git a/windows/access-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-architecture.md
rename to windows/security/identity-protection/smart-cards/smart-card-architecture.md
diff --git a/windows/access-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-certificate-propagation-service.md
rename to windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
diff --git a/windows/access-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
rename to windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
diff --git a/windows/access-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-debugging-information.md
rename to windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
diff --git a/windows/access-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-events.md
rename to windows/security/identity-protection/smart-cards/smart-card-events.md
diff --git a/windows/access-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
rename to windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
diff --git a/windows/access-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
rename to windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
diff --git a/windows/access-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-removal-policy-service.md
rename to windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
diff --git a/windows/access-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
rename to windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
diff --git a/windows/access-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-tools-and-settings.md
rename to windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
diff --git a/windows/access-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
similarity index 100%
rename from windows/access-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
rename to windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
diff --git a/windows/access-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
similarity index 100%
rename from windows/access-protection/user-account-control/how-user-account-control-works.md
rename to windows/security/identity-protection/user-account-control/how-user-account-control-works.md
diff --git a/windows/access-protection/user-account-control/images/uacarchitecture.gif b/windows/security/identity-protection/user-account-control/images/uacarchitecture.gif
similarity index 100%
rename from windows/access-protection/user-account-control/images/uacarchitecture.gif
rename to windows/security/identity-protection/user-account-control/images/uacarchitecture.gif
diff --git a/windows/access-protection/user-account-control/images/uacconsentprompt.gif b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif
similarity index 100%
rename from windows/access-protection/user-account-control/images/uacconsentprompt.gif
rename to windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif
diff --git a/windows/access-protection/user-account-control/images/uaccredentialprompt.gif b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif
similarity index 100%
rename from windows/access-protection/user-account-control/images/uaccredentialprompt.gif
rename to windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif
diff --git a/windows/access-protection/user-account-control/images/uacshieldicon.png b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png
similarity index 100%
rename from windows/access-protection/user-account-control/images/uacshieldicon.png
rename to windows/security/identity-protection/user-account-control/images/uacshieldicon.png
diff --git a/windows/access-protection/user-account-control/images/uacwindowslogonprocess.gif b/windows/security/identity-protection/user-account-control/images/uacwindowslogonprocess.gif
similarity index 100%
rename from windows/access-protection/user-account-control/images/uacwindowslogonprocess.gif
rename to windows/security/identity-protection/user-account-control/images/uacwindowslogonprocess.gif
diff --git a/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
similarity index 100%
rename from windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
rename to windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
diff --git a/windows/access-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
similarity index 100%
rename from windows/access-protection/user-account-control/user-account-control-overview.md
rename to windows/security/identity-protection/user-account-control/user-account-control-overview.md
diff --git a/windows/access-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
similarity index 100%
rename from windows/access-protection/user-account-control/user-account-control-security-policy-settings.md
rename to windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-physical-smart-card-lifecycle.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-physical-smart-card-lifecycle.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-physical-smart-card-lifecycle.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-physical-smart-card-lifecycle.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-process-of-accessing-user-key.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-process-of-accessing-user-key.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-process-of-accessing-user-key.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-process-of-accessing-user-key.png
diff --git a/windows/access-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png
rename to windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
rename to windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
rename to windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/virtual-smart-card-get-started.md
rename to windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
rename to windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
rename to windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
rename to windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
similarity index 100%
rename from windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
rename to windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
new file mode 100644
index 0000000000..7b30f32d4d
--- /dev/null
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -0,0 +1,44 @@
+---
+title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10)
+description: Explains how to secure VPN connections for Diffie Hellman Group 2
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, networking
+author: shortpatti
+ms.author: pashort
+ms.localizationpriority: medium
+ms.date: 02/08/2018
+---
+
+# How to configure Diffie Hellman protocol over IKEv2 VPN connections
+
+>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10
+
+In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
+To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
+
+## VPN server
+
+For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
+```
+
+On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](https://technet.microsoft.com/library/hh918373(v=wps.620).aspx). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server.
+
+```powershell
+Set-VpnServerIPsecConfiguration -CustomPolicy
+```
+
+## VPN client
+
+For VPN client, you need to configure each VPN connection.
+For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection:
+
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName
+```
+
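Review bot: The client example at the end of the new file stops at `Set-VpnConnectionIPsecConfiguration -ConnectionName` with no value or placeholder, so it cannot be run as written; add a placeholder for the connection name. More broadly, the intro says the default Group 2 "is not secure for IKE exchanges", but the page never names the Diffie Hellman group to move to, and none of the three commands carries a parameter that selects one: both server examples pass only `-CustomPolicy`. State the target group and show the parameters that set it on both server and client, so a reader can confirm the two ends agree. The front-matter `description` ("secure VPN connections for Diffie Hellman Group 2") reads as if Group 2 were the goal and should be reworded, and "On an earlier versions" in the VPN server section should be "On earlier versions".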
diff --git a/windows/access-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
similarity index 100%
rename from windows/access-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
rename to windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
diff --git a/windows/access-protection/vpn/images/vpn-app-rules.png b/windows/security/identity-protection/vpn/images/vpn-app-rules.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-app-rules.png
rename to windows/security/identity-protection/vpn/images/vpn-app-rules.png
diff --git a/windows/access-protection/vpn/images/vpn-app-trigger.PNG b/windows/security/identity-protection/vpn/images/vpn-app-trigger.PNG
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-app-trigger.PNG
rename to windows/security/identity-protection/vpn/images/vpn-app-trigger.PNG
diff --git a/windows/access-protection/vpn/images/vpn-conditional-access-intune.png b/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-conditional-access-intune.png
rename to windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png
diff --git a/windows/access-protection/vpn/images/vpn-connection-intune.png b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-connection-intune.png
rename to windows/security/identity-protection/vpn/images/vpn-connection-intune.png
diff --git a/windows/access-protection/vpn/images/vpn-connection.png b/windows/security/identity-protection/vpn/images/vpn-connection.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-connection.png
rename to windows/security/identity-protection/vpn/images/vpn-connection.png
diff --git a/windows/access-protection/vpn/images/vpn-custom-xml-intune.png b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-custom-xml-intune.png
rename to windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png
diff --git a/windows/access-protection/vpn/images/vpn-device-compliance.png b/windows/security/identity-protection/vpn/images/vpn-device-compliance.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-device-compliance.png
rename to windows/security/identity-protection/vpn/images/vpn-device-compliance.png
diff --git a/windows/access-protection/vpn/images/vpn-eap-xml.png b/windows/security/identity-protection/vpn/images/vpn-eap-xml.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-eap-xml.png
rename to windows/security/identity-protection/vpn/images/vpn-eap-xml.png
diff --git a/windows/access-protection/vpn/images/vpn-intune-policy.png b/windows/security/identity-protection/vpn/images/vpn-intune-policy.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-intune-policy.png
rename to windows/security/identity-protection/vpn/images/vpn-intune-policy.png
diff --git a/windows/access-protection/vpn/images/vpn-name-intune.png b/windows/security/identity-protection/vpn/images/vpn-name-intune.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-name-intune.png
rename to windows/security/identity-protection/vpn/images/vpn-name-intune.png
diff --git a/windows/access-protection/vpn/images/vpn-profilexml-intune.png b/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-profilexml-intune.png
rename to windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png
diff --git a/windows/access-protection/vpn/images/vpn-split-route.png b/windows/security/identity-protection/vpn/images/vpn-split-route.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-split-route.png
rename to windows/security/identity-protection/vpn/images/vpn-split-route.png
diff --git a/windows/access-protection/vpn/images/vpn-split.png b/windows/security/identity-protection/vpn/images/vpn-split.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-split.png
rename to windows/security/identity-protection/vpn/images/vpn-split.png
diff --git a/windows/access-protection/vpn/images/vpn-traffic-rules.png b/windows/security/identity-protection/vpn/images/vpn-traffic-rules.png
similarity index 100%
rename from windows/access-protection/vpn/images/vpn-traffic-rules.png
rename to windows/security/identity-protection/vpn/images/vpn-traffic-rules.png
diff --git a/windows/access-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-authentication.md
rename to windows/security/identity-protection/vpn/vpn-authentication.md
diff --git a/windows/access-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-auto-trigger-profile.md
rename to windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
diff --git a/windows/access-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-conditional-access.md
rename to windows/security/identity-protection/vpn/vpn-conditional-access.md
diff --git a/windows/access-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-connection-type.md
rename to windows/security/identity-protection/vpn/vpn-connection-type.md
diff --git a/windows/access-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-guide.md
rename to windows/security/identity-protection/vpn/vpn-guide.md
diff --git a/windows/access-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-name-resolution.md
rename to windows/security/identity-protection/vpn/vpn-name-resolution.md
diff --git a/windows/access-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-profile-options.md
rename to windows/security/identity-protection/vpn/vpn-profile-options.md
diff --git a/windows/access-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-routing.md
rename to windows/security/identity-protection/vpn/vpn-routing.md
diff --git a/windows/access-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
similarity index 100%
rename from windows/access-protection/vpn/vpn-security-features.md
rename to windows/security/identity-protection/vpn/vpn-security-features.md
diff --git a/windows/access-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
similarity index 100%
rename from windows/access-protection/windows-credential-theft-mitigation-guide-abstract.md
rename to windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
diff --git a/windows/access-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
rename to windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
diff --git a/windows/access-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
rename to windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
diff --git a/windows/access-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
similarity index 100%
rename from windows/access-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
rename to windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
diff --git a/windows/access-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
similarity index 100%
rename from windows/access-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
rename to windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
diff --git a/windows/access-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/basic-firewall-policy-design.md
rename to windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md
diff --git a/windows/access-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md
similarity index 100%
rename from windows/access-protection/windows-firewall/boundary-zone-gpos.md
rename to windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md
diff --git a/windows/access-protection/windows-firewall/boundary-zone.md b/windows/security/identity-protection/windows-firewall/boundary-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/boundary-zone.md
rename to windows/security/identity-protection/windows-firewall/boundary-zone.md
diff --git a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
similarity index 100%
rename from windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
rename to windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
diff --git a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md
rename to windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md
diff --git a/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md
similarity index 100%
rename from windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md
rename to windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md
diff --git a/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
rename to windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
diff --git a/windows/access-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
rename to windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
diff --git a/windows/access-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
rename to windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
diff --git a/windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
rename to windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
diff --git a/windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
rename to windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
diff --git a/windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
rename to windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
diff --git a/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md
rename to windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md
diff --git a/windows/access-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
rename to windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
diff --git a/windows/access-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
rename to windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
diff --git a/windows/access-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
rename to windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
rename to windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
rename to windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
rename to windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
rename to windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
diff --git a/windows/access-protection/windows-firewall/configure-authentication-methods.md b/windows/security/identity-protection/windows-firewall/configure-authentication-methods.md
similarity index 100%
rename from windows/access-protection/windows-firewall/configure-authentication-methods.md
rename to windows/security/identity-protection/windows-firewall/configure-authentication-methods.md
diff --git a/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
similarity index 100%
rename from windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
rename to windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
diff --git a/windows/access-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
similarity index 100%
rename from windows/access-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
rename to windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
diff --git a/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
similarity index 100%
rename from windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
rename to windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
diff --git a/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md
similarity index 100%
rename from windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md
rename to windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md
diff --git a/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md
similarity index 100%
rename from windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md
rename to windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md
diff --git a/windows/access-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
similarity index 100%
rename from windows/access-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
rename to windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
diff --git a/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
similarity index 100%
rename from windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
rename to windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
diff --git a/windows/access-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
similarity index 100%
rename from windows/access-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
rename to windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
diff --git a/windows/access-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
similarity index 100%
rename from windows/access-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
rename to windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
diff --git a/windows/access-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-a-group-account-in-active-directory.md
rename to windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md
diff --git a/windows/access-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-a-group-policy-object.md
rename to windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md
diff --git a/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
rename to windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
diff --git a/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-an-authentication-request-rule.md
rename to windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md
diff --git a/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md
rename to windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md
diff --git a/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-an-inbound-port-rule.md
rename to windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md
diff --git a/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
rename to windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
diff --git a/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-an-outbound-port-rule.md
rename to windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md
diff --git a/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
rename to windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
diff --git a/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
rename to windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
diff --git a/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
similarity index 100%
rename from windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
rename to windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
diff --git a/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
similarity index 100%
rename from windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
rename to windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
diff --git a/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
similarity index 100%
rename from windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
rename to windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
diff --git a/windows/access-protection/windows-firewall/documenting-the-zones.md b/windows/security/identity-protection/windows-firewall/documenting-the-zones.md
similarity index 100%
rename from windows/access-protection/windows-firewall/documenting-the-zones.md
rename to windows/security/identity-protection/windows-firewall/documenting-the-zones.md
diff --git a/windows/access-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md
similarity index 100%
rename from windows/access-protection/windows-firewall/domain-isolation-policy-design-example.md
rename to windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md
diff --git a/windows/access-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/domain-isolation-policy-design.md
rename to windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md
diff --git a/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md
similarity index 100%
rename from windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md
rename to windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md
diff --git a/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md
similarity index 100%
rename from windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md
rename to windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md
diff --git a/windows/access-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md
similarity index 100%
rename from windows/access-protection/windows-firewall/encryption-zone-gpos.md
rename to windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md
diff --git a/windows/access-protection/windows-firewall/encryption-zone.md b/windows/security/identity-protection/windows-firewall/encryption-zone.md
similarity index 100%
rename from windows/access-protection/windows-firewall/encryption-zone.md
rename to windows/security/identity-protection/windows-firewall/encryption-zone.md
diff --git a/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
similarity index 100%
rename from windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
rename to windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
diff --git a/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md
similarity index 100%
rename from windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md
rename to windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md
diff --git a/windows/access-protection/windows-firewall/exemption-list.md b/windows/security/identity-protection/windows-firewall/exemption-list.md
similarity index 100%
rename from windows/access-protection/windows-firewall/exemption-list.md
rename to windows/security/identity-protection/windows-firewall/exemption-list.md
diff --git a/windows/access-protection/windows-firewall/firewall-gpos.md b/windows/security/identity-protection/windows-firewall/firewall-gpos.md
similarity index 100%
rename from windows/access-protection/windows-firewall/firewall-gpos.md
rename to windows/security/identity-protection/windows-firewall/firewall-gpos.md
diff --git a/windows/access-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md
similarity index 100%
rename from windows/access-protection/windows-firewall/firewall-policy-design-example.md
rename to windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md
diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
rename to windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
rename to windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gathering-information-about-your-devices.md
rename to windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md
diff --git a/windows/access-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gathering-other-relevant-information.md
rename to windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md
diff --git a/windows/access-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gathering-the-information-you-need.md
rename to windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md
diff --git a/windows/access-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gpo-domiso-boundary.md
rename to windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md
diff --git a/windows/access-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gpo-domiso-encryption.md
rename to windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md
diff --git a/windows/access-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gpo-domiso-firewall.md
rename to windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md
diff --git a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
rename to windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
diff --git a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
similarity index 100%
rename from windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
rename to windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
diff --git a/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
similarity index 100%
rename from windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
rename to windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
diff --git a/windows/access-protection/windows-firewall/images/corpnet.gif b/windows/security/identity-protection/windows-firewall/images/corpnet.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/corpnet.gif
rename to windows/security/identity-protection/windows-firewall/images/corpnet.gif
diff --git a/windows/access-protection/windows-firewall/images/createipsecrule.gif b/windows/security/identity-protection/windows-firewall/images/createipsecrule.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/createipsecrule.gif
rename to windows/security/identity-protection/windows-firewall/images/createipsecrule.gif
diff --git a/windows/access-protection/windows-firewall/images/powershelllogosmall.gif b/windows/security/identity-protection/windows-firewall/images/powershelllogosmall.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/powershelllogosmall.gif
rename to windows/security/identity-protection/windows-firewall/images/powershelllogosmall.gif
diff --git a/windows/access-protection/windows-firewall/images/qmcryptoset.gif b/windows/security/identity-protection/windows-firewall/images/qmcryptoset.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/qmcryptoset.gif
rename to windows/security/identity-protection/windows-firewall/images/qmcryptoset.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-design2example1.gif b/windows/security/identity-protection/windows-firewall/images/wfas-design2example1.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-design2example1.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-design2example1.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-design3example1.gif b/windows/security/identity-protection/windows-firewall/images/wfas-design3example1.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-design3example1.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-design3example1.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-designexample1.gif b/windows/security/identity-protection/windows-firewall/images/wfas-designexample1.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-designexample1.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-designexample1.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-designflowchart1.gif b/windows/security/identity-protection/windows-firewall/images/wfas-designflowchart1.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-designflowchart1.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-designflowchart1.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-domainiso.gif b/windows/security/identity-protection/windows-firewall/images/wfas-domainiso.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-domainiso.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-domainiso.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-domainisoencrypt.gif b/windows/security/identity-protection/windows-firewall/images/wfas-domainisoencrypt.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-domainisoencrypt.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-domainisoencrypt.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-domainisohighsec.gif b/windows/security/identity-protection/windows-firewall/images/wfas-domainisohighsec.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-domainisohighsec.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-domainisohighsec.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-domainnag.gif b/windows/security/identity-protection/windows-firewall/images/wfas-domainnag.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-domainnag.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-domainnag.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-icon-checkbox.gif b/windows/security/identity-protection/windows-firewall/images/wfas-icon-checkbox.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-icon-checkbox.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-icon-checkbox.gif
diff --git a/windows/access-protection/windows-firewall/images/wfas-implement.gif b/windows/security/identity-protection/windows-firewall/images/wfas-implement.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfas-implement.gif
rename to windows/security/identity-protection/windows-firewall/images/wfas-implement.gif
diff --git a/windows/access-protection/windows-firewall/images/wfasdomainisoboundary.gif b/windows/security/identity-protection/windows-firewall/images/wfasdomainisoboundary.gif
similarity index 100%
rename from windows/access-protection/windows-firewall/images/wfasdomainisoboundary.gif
rename to windows/security/identity-protection/windows-firewall/images/wfasdomainisoboundary.gif
diff --git a/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
similarity index 100%
rename from windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
rename to windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
diff --git a/windows/access-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md
similarity index 100%
rename from windows/access-protection/windows-firewall/isolated-domain-gpos.md
rename to windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md
diff --git a/windows/access-protection/windows-firewall/isolated-domain.md b/windows/security/identity-protection/windows-firewall/isolated-domain.md
similarity index 100%
rename from windows/access-protection/windows-firewall/isolated-domain.md
rename to windows/security/identity-protection/windows-firewall/isolated-domain.md
diff --git a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md
similarity index 100%
rename from windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
rename to windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md
diff --git a/windows/access-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md
similarity index 100%
rename from windows/access-protection/windows-firewall/link-the-gpo-to-the-domain.md
rename to windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md
diff --git a/windows/access-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
rename to windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
diff --git a/windows/access-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
similarity index 100%
rename from windows/access-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
rename to windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
diff --git a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
similarity index 100%
rename from windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
rename to windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
diff --git a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
similarity index 100%
rename from windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
rename to windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
diff --git a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
similarity index 100%
rename from windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
rename to windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
diff --git a/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
similarity index 100%
rename from windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
rename to windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
diff --git a/windows/access-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-certificate-based-authentication.md
rename to windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md
diff --git a/windows/access-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-domain-isolation-zones.md
rename to windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md
diff --git a/windows/access-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-gpo-deployment.md
rename to windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md
diff --git a/windows/access-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
rename to windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
diff --git a/windows/access-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/identity-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
rename to windows/security/identity-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
diff --git a/windows/access-protection/windows-firewall/planning-network-access-groups.md b/windows/security/identity-protection/windows-firewall/planning-network-access-groups.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-network-access-groups.md
rename to windows/security/identity-protection/windows-firewall/planning-network-access-groups.md
diff --git a/windows/access-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/identity-protection/windows-firewall/planning-server-isolation-zones.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-server-isolation-zones.md
rename to windows/security/identity-protection/windows-firewall/planning-server-isolation-zones.md
diff --git a/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
rename to windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
diff --git a/windows/access-protection/windows-firewall/planning-the-gpos.md b/windows/security/identity-protection/windows-firewall/planning-the-gpos.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-the-gpos.md
rename to windows/security/identity-protection/windows-firewall/planning-the-gpos.md
diff --git a/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/identity-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
rename to windows/security/identity-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
diff --git a/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/identity-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
rename to windows/security/identity-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
diff --git a/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/identity-protection/windows-firewall/procedures-used-in-this-guide.md
similarity index 100%
rename from windows/access-protection/windows-firewall/procedures-used-in-this-guide.md
rename to windows/security/identity-protection/windows-firewall/procedures-used-in-this-guide.md
diff --git a/windows/access-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/identity-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
similarity index 100%
rename from windows/access-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
rename to windows/security/identity-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
diff --git a/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/identity-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
similarity index 100%
rename from windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
rename to windows/security/identity-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
diff --git a/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/identity-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
similarity index 100%
rename from windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
rename to windows/security/identity-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
diff --git a/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/identity-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
similarity index 100%
rename from windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
rename to windows/security/identity-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
diff --git a/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/identity-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
similarity index 100%
rename from windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
rename to windows/security/identity-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
diff --git a/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/identity-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
similarity index 100%
rename from windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
rename to windows/security/identity-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
diff --git a/windows/access-protection/windows-firewall/server-isolation-gpos.md b/windows/security/identity-protection/windows-firewall/server-isolation-gpos.md
similarity index 100%
rename from windows/access-protection/windows-firewall/server-isolation-gpos.md
rename to windows/security/identity-protection/windows-firewall/server-isolation-gpos.md
diff --git a/windows/access-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/identity-protection/windows-firewall/server-isolation-policy-design-example.md
similarity index 100%
rename from windows/access-protection/windows-firewall/server-isolation-policy-design-example.md
rename to windows/security/identity-protection/windows-firewall/server-isolation-policy-design-example.md
diff --git a/windows/access-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/identity-protection/windows-firewall/server-isolation-policy-design.md
similarity index 100%
rename from windows/access-protection/windows-firewall/server-isolation-policy-design.md
rename to windows/security/identity-protection/windows-firewall/server-isolation-policy-design.md
diff --git a/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/identity-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
similarity index 100%
rename from windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
rename to windows/security/identity-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
diff --git a/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/identity-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
similarity index 100%
rename from windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
rename to windows/security/identity-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
diff --git a/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/identity-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
similarity index 100%
rename from windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
rename to windows/security/identity-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
similarity index 100%
rename from windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
rename to windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
similarity index 100%
rename from windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
rename to windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
similarity index 100%
rename from windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
rename to windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security.md
similarity index 100%
rename from windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
rename to windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security.md
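Review bot: every entry in this run is a pure rename (similarity index 100%), but the target directory windows/security/identity-protection/windows-firewall/ sits one level deeper than windows/access-protection/windows-firewall/, so any relative link in these files that leaves the folder with ../ will now resolve somewhere else. Links between the files in windows-firewall/ and to its images/ folder are unaffected because they moved together. Please check the outbound relative links and add redirects for the old access-protection URLs so existing bookmarks and inbound links to this firewall guidance do not break. It is also worth confirming that firewall and IPsec isolation content belongs under identity-protection, since that is not where a reader would look for it.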
diff --git a/windows/security/images/fall-creators-update-next-gen-security.png b/windows/security/images/fall-creators-update-next-gen-security.png
new file mode 100644
index 0000000000..62aaa46f8d
Binary files /dev/null and b/windows/security/images/fall-creators-update-next-gen-security.png differ
diff --git a/windows/security/images/next-generation-windows-security-vision.png b/windows/security/images/next-generation-windows-security-vision.png
new file mode 100644
index 0000000000..a598365cb7
Binary files /dev/null and b/windows/security/images/next-generation-windows-security-vision.png differ
diff --git a/windows/security/index.md b/windows/security/index.md
deleted file mode 100644
index 898f74389c..0000000000
--- a/windows/security/index.md
+++ /dev/null
@@ -1 +0,0 @@
-# Welcome to security!
\ No newline at end of file
diff --git a/windows/security/index.yml b/windows/security/index.yml
new file mode 100644
index 0000000000..7a1ed6b87c
--- /dev/null
+++ b/windows/security/index.yml
@@ -0,0 +1,276 @@
+### YamlMime:YamlDocument
+
+documentType: LandingData
+
+title: Windows 10 Enterprise Security
+
+metadata:
+
+ document_id:
+
+ title: Windows 10 Enterprise Security
+
+ description: Learn about enterprise-grade security features for Windows 10.
+
+ keywords: protect, company, data, Windows, device, app, management, Microsoft365, e5, e3
+
+ ms.localizationpriority: high
+
+ author: brianlic-msft
+
+ ms.author: brianlic
+
+ manager: brianlic
+
+ ms.date: 02/06/2018
+
+ ms.topic: article
+
+ ms.devlang: na
+
+sections:
+
+- items:
+
+ - type: markdown
+
+ text: Secure corporate data and manage risk.
+
+- items:
+
+ - type: list
+
+ style: cards
+
+ className: cardsM
+
+ columns: 3
+
+ items:
+
+ - href: \windows\security\identity-protection\
+
+ html:
Deploy secure enterprise-grade authentication and access control to protect accounts and data
Prevent accidental data leaks from enterprise devices
+
+ image:
+
+ src: https://docs.microsoft.com/media/common/i_information-protection.svg
+
+ title: Windows Information Protection
+
+- title: Security features in Microsoft 365 E5
+
+ items:
+
+ - type: paragraph
+
+ text: 'Get all of the protection from Microsoft 365 E3 security, plus these cloud-based security features to help you defend against even the most advanced threats.'
+
+ - type: list
+
+ style: cards
+
+ className: cardsM
+
+ columns: 3
+
+ items:
+
+ - href: https://docs.microsoft.com/azure/active-directory/active-directory-identityprotection
+
+ html:
Identity Protection and Privileged Identity Management
+
+ image:
+
+ src: https://docs.microsoft.com/media/common/i_information-protection.svg
+
+ title: Azure Information Protection P2
+
+- title: Videos
+
+ items:
+
+ - type: markdown
+
+ text: ">[](https://www.youtube.com/watch?v=IvZySDNfNpo)"
+
+ - type: markdown
+
+ text: ">[](https://www.youtube.com/watch?v=JDGMNFwyUg8)"
+
+- title: Additional security features in Windows 10
+
+ items:
+
+ - type: paragraph
+
+ text: 'These additional security features are also built in to Windows 10 Enterprise.'
+
+ - type: list
+
+ style: unordered
+
+ items:
+
+ - html: Windows Defender Firewall
+ - html: Windows Defender Exploit Guard
+ - html: Windows Defender Credential Guard
+ - html: Windows Defender Device Guard
+ - html: Windows Defender Application Guard
+ - html: Windows Defender SmartScreen
+ - html: Windows Defender Security Center
+
+- title: Security Resources
+
+ items:
+
+ - type: list
+
+ style: unordered
+
+ items:
+
+ - html: Windows Defender Security Intelligence
+ - html: Microsoft Secure blog
+ - html: Security Update blog
+ - html: Microsoft Security Response Center (MSRC)
+ - html: MSRC Blog
+ - html: Ransomware FAQ
+
+
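Review bot: The first card's `href: \windows\security\identity-protection\` uses backslashes as path separators, while every other link in this file is a forward-slash URL. A backslash path is not a valid URL path and may not resolve once published; use `/windows/security/identity-protection/` instead. Separately, `document_id:` under `metadata` is left empty; either populate it or drop the key.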
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
new file mode 100644
index 0000000000..ab9300961a
--- /dev/null
+++ b/windows/security/information-protection/TOC.md
@@ -0,0 +1,45 @@
+# [Information protection](index.md)
+
+## [BitLocker](bitlocker\bitlocker-overview.md)
+### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md)
+### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md)
+### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
+### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
+### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
+### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
+### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
+### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
+### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)
+### [BitLocker Group Policy settings](bitlocker\bitlocker-group-policy-settings.md)
+### [BCD settings and BitLocker](bitlocker\bcd-settings-and-bitlocker.md)
+### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md)
+### [Protect BitLocker from pre-boot attacks](bitlocker\protect-bitlocker-from-pre-boot-attacks.md)
+#### [Types of attacks for volume encryption keys](bitlocker\types-of-attacks-for-volume-encryption-keys.md)
+#### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md)
+#### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md)
+### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
+
+
+## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
+### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
+#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
+##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
+##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
+#### [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
+##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
+##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
+#### [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)
+### [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
+#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
+### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
+### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
+### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md)
+### [Testing scenarios for Windows Information Protection (WIP)](windows-information-protection\testing-scenarios-for-wip.md)
+### [Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md)
+### [How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md)
+### [General guidance and best practices for Windows Information Protection (WIP)](windows-information-protection\guidance-and-best-practices-wip.md)
+#### [Enlightened apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)
+#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
+#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
+#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
+
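Review bot: Every link target in this TOC uses a backslash separator (for example `bitlocker\bitlocker-overview.md`), but the `index.md` added in the same commit links to the same file as `bitlocker/bitlocker-overview.md`. Switch the TOC to forward slashes so the links are consistent and do not depend on the build normalizing Windows-style paths.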
diff --git a/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
similarity index 100%
rename from windows/device-security/bitlocker/bcd-settings-and-bitlocker.md
rename to windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
diff --git a/windows/device-security/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
similarity index 97%
rename from windows/device-security/bitlocker/bitlocker-basic-deployment.md
rename to windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 8a37191b30..529ff6e574 100644
--- a/windows/device-security/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -17,14 +17,7 @@ ms.date: 04/19/2017
This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-The following sections provide information that will help you put together your basic deployment plan for implementing BitLocker in your organization:
-
-- [Using BitLocker to encrypt volumes](#bkmk-dep1)
-- [Down-level compatibility](#bkmk-dep2)
-- [Using manage-bde to encrypt volumes with BitLocker](#bkmk-dep3)
-- [Using PowerShell to encrypt volumes with BitLocker](#bkmk-dep4)
-
-## Using BitLocker to encrypt volumes
+## Using BitLocker to encrypt volumes
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
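Review bot: The removed in-page list linked to `#bkmk-dep1` through `#bkmk-dep4`. With the list gone, check that no other topic still deep-links to those bookmarks, and that the headings promoted to `##` in the later hunks of this file produce the anchors readers will land on instead.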
@@ -182,8 +175,9 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
-
-### Encrypting volumes using the manage-bde command line interface
+
+
+## Encrypting volumes using the manage-bde command line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx).
Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
@@ -240,9 +234,8 @@ A common protector for a data volume is the password protector. In the example b
manage-bde -protectors -add -pw C:
manage-bde -on C:
```
-## Using manage-bde to encrypt volumes with BitLocker
-### Encrypting volumes using the BitLocker Windows PowerShell cmdlets
+## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
@@ -442,9 +435,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "
```
> **Note:** Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
-## Using PowerShell to encrypt volumes with BitLocker
-
-### Checking BitLocker status
+## Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
diff --git a/windows/device-security/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
similarity index 100%
rename from windows/device-security/bitlocker/bitlocker-countermeasures.md
rename to windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
similarity index 99%
rename from windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
rename to windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index c3833b7707..bb2ff3ed96 100644
--- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -89,7 +89,7 @@ Exercise caution when encrypting only used space on an existing volume on which
SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
-For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md).
+For more information about encrypted hard drives, see [Encrypted Hard Drive](/windows/security/hardware-protection/encrypted-hard-drive.md).
## Preboot information protection
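Review bot: The new target `/windows/security/hardware-protection/encrypted-hard-drive.md` is a root-absolute path that still carries the `.md` extension, whereas the other links touched in this commit are file-relative. Confirm the build resolves this form and that the file exists at that location after the move; a relative link such as `../../hardware-protection/encrypted-hard-drive.md` would be validated like the rest.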
diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
similarity index 100%
rename from windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
rename to windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
similarity index 100%
rename from windows/device-security/bitlocker/bitlocker-group-policy-settings.md
rename to windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
diff --git a/windows/device-security/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
similarity index 100%
rename from windows/device-security/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
rename to windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
diff --git a/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
similarity index 99%
rename from windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock.md
rename to windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index c292812427..7ed9c2166c 100644
--- a/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -260,7 +260,7 @@ After adding the Network Unlock template to the Certification Authority, this ce
By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock.
-The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests.
+The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests.
The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names.
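Review bot: The added path `(%windir%\System32\Nkpprov.dll)` is written as plain text in the changed sentence. Put it in code formatting, along with the file name `bde-network-unlock.ini` in the same sentence, so the backslashes render literally and an administrator can copy the exact location where the policy file must be placed.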
diff --git a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
similarity index 100%
rename from windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
rename to windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
similarity index 100%
rename from windows/device-security/bitlocker/bitlocker-overview.md
rename to windows/security/information-protection/bitlocker/bitlocker-overview.md
diff --git a/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
similarity index 99%
rename from windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md
rename to windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 3463fb30d9..9e780394d7 100644
--- a/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -100,15 +100,16 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
- `manage-bde -forcerecovery `
+ `manage-bde -forcerecovery `
+
**To force recovery for a remote computer**
1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
- `manage-bde. -ComputerName -forcerecovery `
+ `manage-bde. -ComputerName -forcerecovery `
-> **Note:** *ComputerName* represents the name of the remote computer. *Volume* represents the volume on the remote computer that is protected with BitLocker.
+> **Note:** Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user.
## Planning your recovery process
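Review bot: The replaced note drops the only explanation of *ComputerName* and *Volume*, while both `-forcerecovery` commands in this hunk show no volume or computer argument, so a reader cannot tell what to supply. Keep the placeholder explanation and add the new persistence note alongside it rather than in its place. The remote command also still reads `manage-bde.` with a stray period after the tool name on the added line; remove it while this line is being touched.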
diff --git a/windows/device-security/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
similarity index 100%
rename from windows/device-security/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
rename to windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
diff --git a/windows/device-security/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
similarity index 100%
rename from windows/device-security/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
rename to windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
diff --git a/windows/device-security/bitlocker/choose-the-right-bitlocker-countermeasure.md b/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md
similarity index 100%
rename from windows/device-security/bitlocker/choose-the-right-bitlocker-countermeasure.md
rename to windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md
diff --git a/windows/device-security/bitlocker/images/bitlockernetworkunlocksequence.png b/windows/security/information-protection/bitlocker/images/bitlockernetworkunlocksequence.png
similarity index 100%
rename from windows/device-security/bitlocker/images/bitlockernetworkunlocksequence.png
rename to windows/security/information-protection/bitlocker/images/bitlockernetworkunlocksequence.png
diff --git a/windows/device-security/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg
similarity index 100%
rename from windows/device-security/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg
rename to windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg
diff --git a/windows/device-security/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg
similarity index 100%
rename from windows/device-security/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg
rename to windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg
diff --git a/windows/device-security/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg
similarity index 100%
rename from windows/device-security/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg
rename to windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg
diff --git a/windows/device-security/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg
similarity index 100%
rename from windows/device-security/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg
rename to windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg
diff --git a/windows/device-security/bitlocker/images/feedback-app-icon.png b/windows/security/information-protection/bitlocker/images/feedback-app-icon.png
similarity index 100%
rename from windows/device-security/bitlocker/images/feedback-app-icon.png
rename to windows/security/information-protection/bitlocker/images/feedback-app-icon.png
diff --git a/windows/device-security/bitlocker/images/manage-bde-status.png b/windows/security/information-protection/bitlocker/images/manage-bde-status.png
similarity index 100%
rename from windows/device-security/bitlocker/images/manage-bde-status.png
rename to windows/security/information-protection/bitlocker/images/manage-bde-status.png
diff --git a/windows/device-security/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
similarity index 99%
rename from windows/device-security/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
rename to windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index a88e1e8413..0fbd75a787 100644
--- a/windows/device-security/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -245,8 +245,8 @@ However, you cannot use recovery passwords generated on a system in FIPS mode fo
## More information
-- [Trusted Platform Module](../tpm/trusted-platform-module-overview.md)
-- [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md)
+- [Trusted Platform Module](/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md)
+- [TPM Group Policy settings](/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker](bitlocker-overview.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
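Review bot: After this change the "More information" list mixes two link styles: the two TPM entries use root-absolute paths ending in `.md`, and the BitLocker entries below them stay file-relative. Prefer relative paths to the new `hardware-protection/tpm/` location so all entries in the list are resolved and checked the same way.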
diff --git a/windows/device-security/bitlocker/protect-bitlocker-from-pre-boot-attacks.md b/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md
similarity index 100%
rename from windows/device-security/bitlocker/protect-bitlocker-from-pre-boot-attacks.md
rename to windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md
diff --git a/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
similarity index 100%
rename from windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
rename to windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
diff --git a/windows/device-security/bitlocker/types-of-attacks-for-volume-encryption-keys.md b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
similarity index 100%
rename from windows/device-security/bitlocker/types-of-attacks-for-volume-encryption-keys.md
rename to windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md
new file mode 100644
index 0000000000..4afe213341
--- /dev/null
+++ b/windows/security/information-protection/index.md
@@ -0,0 +1,19 @@
+---
+title: Information protection (Windows 10)
+description: Learn more about how to protect sesnsitive data across your ogranization.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 02/05/2018
+---
+
+# Information protection
+
+Learn more about how to secure documents and and other data across your organization.
+
+| Section | Description |
+|-|-|
+| [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
+| [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
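Review bot: The front-matter `description` has two typos, "sesnsitive" and "ogranization", and this text is what surfaces in search results. The intro sentence under the heading also repeats a word in "documents and and other data". Fix all three before merging.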
diff --git a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
rename to windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
diff --git a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
rename to windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
diff --git a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
rename to windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
rename to windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
rename to windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
rename to windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
rename to windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md
diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
rename to windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
diff --git a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
rename to windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
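Review bot: the .md renames in this region are all "similarity index 100%", so the articles move from windows/threat-protection/windows-information-protection/ to windows/security/information-protection/windows-information-protection/ with no content edit, one directory deeper than before. Any relative link in these files that climbs out of windows-information-protection/ (a `../` path) now resolves against windows/security/information-protection/ instead of windows/threat-protection/. Please check those links against the new layout. Please also confirm that the old windows/threat-protection/windows-information-protection/ paths are redirected somewhere in the change, because nothing in these rename entries provides one.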
diff --git a/windows/threat-protection/windows-information-protection/images/intune-add-applocker-xml-file.png b/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
rename to windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-add-classic-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-add-classic-apps.png
rename to windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-add-uwp-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-add-uwp-apps.png
rename to windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-add-uwp.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-add-uwp.png
rename to windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-addapps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-addapps.png
rename to windows/security/information-protection/windows-information-protection/images/intune-addapps.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-applocker-before-begin.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-before-begin.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-applocker-before-begin.png
rename to windows/security/information-protection/windows-information-protection/images/intune-applocker-before-begin.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-applocker-permissions.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-permissions.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-applocker-permissions.png
rename to windows/security/information-protection/windows-information-protection/images/intune-applocker-permissions.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png
rename to windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-applocker-publisher.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-applocker-publisher.png
rename to windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-applocker-select-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-select-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-applocker-select-apps.png
rename to windows/security/information-protection/windows-information-protection/images/intune-applocker-select-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-corporate-identity.png b/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-corporate-identity.png
rename to windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-createnewpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-createnewpolicy.png
rename to windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-data-recovery.png b/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-data-recovery.png
rename to windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-deploy-vpn.png b/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-deploy-vpn.png
rename to windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-empty-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-empty-addapps.png
rename to windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-generalinfo.png b/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-generalinfo.png
rename to windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-groupselection.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-groupselection.png
rename to windows/security/information-protection/windows-information-protection/images/intune-groupselection.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-groupselection_vpnlink.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
rename to windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-local-security-export.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-export.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-local-security-export.png
rename to windows/security/information-protection/windows-information-protection/images/intune-local-security-export.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-local-security-snapin-updated.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin-updated.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-local-security-snapin-updated.png
rename to windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin-updated.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-local-security-snapin.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-local-security-snapin.png
rename to windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-managedeployment.png b/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-managedeployment.png
rename to windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-network-detection-boxes.png b/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-network-detection-boxes.png
rename to windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-networklocation.png b/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-networklocation.png
rename to windows/security/information-protection/windows-information-protection/images/intune-networklocation.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-optional-settings.png b/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-optional-settings.png
rename to windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-protection-mode.png
rename to windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-vpn-authentication.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-vpn-authentication.png
rename to windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-vpn-createpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-vpn-createpolicy.png
rename to windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-vpn-customconfig.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-vpn-customconfig.png
rename to windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-vpn-omaurisettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
rename to windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-vpn-titledescription.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-vpn-titledescription.png
rename to windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-vpn-vpnsettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
rename to windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
diff --git a/windows/threat-protection/windows-information-protection/images/intune-vpn-wipmodeid.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
rename to windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-1.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-1.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-1.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-1.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-create.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-create.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-create.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-create.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png
rename to windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-access-options.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-access-options.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-add-policy.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-add-store-apps.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-add-user-groups.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-import-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-import-apps.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-portal-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-portal-start-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-portal-start-mam.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-portal-start.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-portal-start.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
rename to windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
rename to windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-add-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-add-network-domain.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-additionalsettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-addpolicy.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-addpolicy.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-appmgmt.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-corp-identity.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-devicesettings.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-devicesettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-dra.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-dra.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-generalscreen.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-network-domain.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-optsettings.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-summaryscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-summaryscreen.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-sccm-supportedplat.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-sccm-supportedplat.png
rename to windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-select-column.png b/windows/security/information-protection/windows-information-protection/images/wip-select-column.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-select-column.png
rename to windows/security/information-protection/windows-information-protection/images/wip-select-column.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-taskmgr.png b/windows/security/information-protection/windows-information-protection/images/wip-taskmgr.png
similarity index 100%
rename from windows/threat-protection/windows-information-protection/images/wip-taskmgr.png
rename to windows/security/information-protection/windows-information-protection/images/wip-taskmgr.png
diff --git a/windows/threat-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/limitations-with-wip.md
rename to windows/security/information-protection/windows-information-protection/limitations-with-wip.md
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
rename to windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/overview-create-wip-policy-sccm.md
rename to windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
rename to windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
rename to windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
rename to windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
diff --git a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
rename to windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
diff --git a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/using-owa-with-wip.md
rename to windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
diff --git a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
similarity index 100%
rename from windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
rename to windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
diff --git a/windows/device-security/TOC.md b/windows/security/threat-protection/TOC.md
similarity index 67%
rename from windows/device-security/TOC.md
rename to windows/security/threat-protection/TOC.md
index 13af847a45..e0c3ba2050 100644
--- a/windows/device-security/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,4 +1,289 @@
-# [Device security](index.md)
+# [Threat protection](index.md)
+
+
+## [The Windows Defender Security Center app](windows-defender-security-center\windows-defender-security-center.md)
+### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center\wdsc-customize-contact-information.md)
+### [Hide Windows Defender Security Center app notifications](windows-defender-security-center\wdsc-hide-notifications.md)
+### [Virus and threat protection](windows-defender-security-center\wdsc-virus-threat-protection.md)
+### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
+### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
+### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
+### [Family options](windows-defender-security-center\wdsc-family-options.md)
+
+
+
+
+
+
+## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
+###Get started
+#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
+#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
+##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+#### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Threat analytics dashboard](windows-defender-atp\threat-analytics-windows-defender-advanced-threat-protection.md)
+
+###Investigate and remediate threats
+####Alerts queue
+##### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
+##### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
+##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
+
+####Machines list
+##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
+##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+
+
+#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
+##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+###### [Release machine from isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+
+###API and SIEM support
+#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+
+#### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
+##### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
+##### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor
+####### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts
+####### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain
+####### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File
+####### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP
+####### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines
+####### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+
+
+######User
+####### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+###Reporting
+#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+
+###Check service health and sensor state
+#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
+#### [Enable advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+#### [Enable preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
+#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
+
+### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
+### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+#### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
+
+### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+
+### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+
+
+### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+
+
+### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+
+### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+#### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
+##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
+##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
+##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+
+
+### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+#### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+##### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+##### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+#### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+#### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+#### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+#### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+#### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+#### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+
+
+### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+
+
+
+### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+#### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+
+
+
+## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
+### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
+
+### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
+#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
+### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
+### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+
+
+## [Windows Defender Application Control](windows-defender-application-control.md)
+
+## [Enable HVCI](enable-virtualization-based-protection-of-code-integrity.md)
## [AppLocker](applocker\applocker-overview.md)
### [Administer AppLocker](applocker\administer-applocker.md)
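Review bot: In the added Windows Defender ATP API block, the section entries have no space after the hashes (`######Actor`, `######Alerts`, `######Domain`, `######File`, `######IP`, `######Machines`, `######User`, `###Reporting`, `###Check service health and sensor state`), while every linked entry has one; add the space so they parse the same way as the rest of the TOC. The Machines section lists `[Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)` twice; drop the second copy. The API leaf entries use seven `#`, one more than the six heading levels Markdown defines, so check that the TOC build nests them as intended. The three sensor links point at `fix-unhealhty-sensors-...`; confirm the misspelled file name matches the file on disk.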
@@ -88,44 +373,41 @@
##### [Using Event Viewer with AppLocker](applocker\using-event-viewer-with-applocker.md)
#### [AppLocker Settings](applocker\applocker-settings.md)
-## [BitLocker](bitlocker\bitlocker-overview.md)
-### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md)
-### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md)
-### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
-### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
-### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
-### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
-### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
-### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
-### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)
-### [BitLocker Group Policy settings](bitlocker\bitlocker-group-policy-settings.md)
-### [BCD settings and BitLocker](bitlocker\bcd-settings-and-bitlocker.md)
-### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md)
-### [Protect BitLocker from pre-boot attacks](bitlocker\protect-bitlocker-from-pre-boot-attacks.md)
-#### [Types of attacks for volume encryption keys](bitlocker\types-of-attacks-for-volume-encryption-keys.md)
-#### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md)
-#### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md)
-### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
-
## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
## [Device Guard deployment guide](device-guard/device-guard-deployment-guide.md)
-### [Introduction to Device Guard: virtualization-based security and code integrity policies](device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+### [Introduction to Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
### [Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md)
### [Planning and getting started on the Device Guard deployment process](device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md)
-### [Deploy Device Guard: deploy code integrity policies](device-guard/deploy-device-guard-deploy-code-integrity-policies.md)
-#### [Optional: Create a code signing certificate for code integrity policies](device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
-#### [Deploy code integrity policies: policy rules and file rules](device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md)
-#### [Deploy code integrity policies: steps](device-guard/deploy-code-integrity-policies-steps.md)
-#### [Deploy catalog files to support code integrity policies](device-guard/deploy-catalog-files-to-support-code-integrity-policies.md)
+### [Deploy WDAC](device-guard/deploy-windows-defender-application-control.md)
+#### [Optional: Create a code signing certificate for WDAC](device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
+#### [Deploy WDAC: policy rules and file rules](device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
+#### [Steps to deploy WDAC](device-guard/steps-to-deploy-windows-defender-application-control.md)
+#### [Deploy catalog files to support WDAC](device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md)
#### [Deploy Managed Installer for Device Guard](device-guard/deploy-managed-installer-for-device-guard.md)
### [Deploy Device Guard: enable virtualization-based security](device-guard/deploy-device-guard-enable-virtualization-based-security.md)
-## [Encrypted Hard Drive](encrypted-hard-drive.md)
-## [Enable HVCI](enable-virtualization-based-protection-of-code-integrity.md)
+## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
+
+##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
+###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
+###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
+###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
+###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
+###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
+
+## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
+## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
+
+## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
+
+## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
## [Security auditing](auditing\security-auditing-overview.md)
### [Basic security audit policies](auditing\basic-security-audit-policies.md)
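Review bot: The six added Windows Defender Application Guard entries omit the space after the hashes (`##[Windows Defender Application Guard]`, `###[System requirements for Windows Defender Application Guard]`), unlike the SmartScreen entries added just above them; insert the space so all added nodes are written the same way. The added links also use backslash separators (`windows-defender-smartscreen\...`) next to the forward-slash `device-guard/...` entries in the same hunk; pick one separator. The hunk removes the whole BitLocker block and `## [Encrypted Hard Drive](encrypted-hard-drive.md)` without re-adding them in this file, so confirm they are listed in another TOC in this change and that the old paths redirect.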
@@ -649,18 +931,6 @@
##### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
##### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
-## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
-### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
-### [TPM fundamentals](tpm/tpm-fundamentals.md)
-### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
-### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
-### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
-### [Manage TPM commands](tpm/manage-tpm-commands.md)
-### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
-### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
-### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
-### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
-### [TPM recommendations](tpm/tpm-recommendations.md)
## [Windows security baselines](windows-security-baselines.md)
### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
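Review bot: The twelve Trusted Platform Module entries are removed from this TOC with nothing added in their place in this hunk; confirm the `tpm/` topics are picked up by another TOC in this change and that their old URLs redirect, otherwise they drop out of navigation.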
@@ -668,4 +938,4 @@
## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
-## [Change history for device security](change-history-for-device-security.md)
\ No newline at end of file
+## [Change history for Threat protection](change-history-for-threat-protection.md)
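Review bot: The last entry is retargeted to `change-history-for-threat-protection.md`, but the lines here show only the TOC link changing; confirm that file is added or renamed in this change and that `change-history-for-device-security.md` redirects to it, so the link does not land on a missing page.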
diff --git a/windows/device-security/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
similarity index 100%
rename from windows/device-security/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
rename to windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
diff --git a/windows/device-security/applocker/administer-applocker.md b/windows/security/threat-protection/applocker/administer-applocker.md
similarity index 100%
rename from windows/device-security/applocker/administer-applocker.md
rename to windows/security/threat-protection/applocker/administer-applocker.md
diff --git a/windows/device-security/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/applocker/applocker-architecture-and-components.md
similarity index 100%
rename from windows/device-security/applocker/applocker-architecture-and-components.md
rename to windows/security/threat-protection/applocker/applocker-architecture-and-components.md
diff --git a/windows/device-security/applocker/applocker-functions.md b/windows/security/threat-protection/applocker/applocker-functions.md
similarity index 100%
rename from windows/device-security/applocker/applocker-functions.md
rename to windows/security/threat-protection/applocker/applocker-functions.md
diff --git a/windows/device-security/applocker/applocker-overview.md b/windows/security/threat-protection/applocker/applocker-overview.md
similarity index 100%
rename from windows/device-security/applocker/applocker-overview.md
rename to windows/security/threat-protection/applocker/applocker-overview.md
diff --git a/windows/device-security/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/applocker/applocker-policies-deployment-guide.md
similarity index 100%
rename from windows/device-security/applocker/applocker-policies-deployment-guide.md
rename to windows/security/threat-protection/applocker/applocker-policies-deployment-guide.md
diff --git a/windows/device-security/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/applocker/applocker-policies-design-guide.md
similarity index 100%
rename from windows/device-security/applocker/applocker-policies-design-guide.md
rename to windows/security/threat-protection/applocker/applocker-policies-design-guide.md
diff --git a/windows/device-security/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/applocker/applocker-policy-use-scenarios.md
similarity index 100%
rename from windows/device-security/applocker/applocker-policy-use-scenarios.md
rename to windows/security/threat-protection/applocker/applocker-policy-use-scenarios.md
diff --git a/windows/device-security/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/applocker/applocker-processes-and-interactions.md
similarity index 100%
rename from windows/device-security/applocker/applocker-processes-and-interactions.md
rename to windows/security/threat-protection/applocker/applocker-processes-and-interactions.md
diff --git a/windows/device-security/applocker/applocker-settings.md b/windows/security/threat-protection/applocker/applocker-settings.md
similarity index 100%
rename from windows/device-security/applocker/applocker-settings.md
rename to windows/security/threat-protection/applocker/applocker-settings.md
diff --git a/windows/device-security/applocker/applocker-technical-reference.md b/windows/security/threat-protection/applocker/applocker-technical-reference.md
similarity index 100%
rename from windows/device-security/applocker/applocker-technical-reference.md
rename to windows/security/threat-protection/applocker/applocker-technical-reference.md
diff --git a/windows/device-security/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/applocker/configure-an-applocker-policy-for-audit-only.md
similarity index 100%
rename from windows/device-security/applocker/configure-an-applocker-policy-for-audit-only.md
rename to windows/security/threat-protection/applocker/configure-an-applocker-policy-for-audit-only.md
diff --git a/windows/device-security/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/applocker/configure-an-applocker-policy-for-enforce-rules.md
similarity index 100%
rename from windows/device-security/applocker/configure-an-applocker-policy-for-enforce-rules.md
rename to windows/security/threat-protection/applocker/configure-an-applocker-policy-for-enforce-rules.md
diff --git a/windows/device-security/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/applocker/configure-exceptions-for-an-applocker-rule.md
similarity index 100%
rename from windows/device-security/applocker/configure-exceptions-for-an-applocker-rule.md
rename to windows/security/threat-protection/applocker/configure-exceptions-for-an-applocker-rule.md
diff --git a/windows/device-security/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/applocker/configure-the-appLocker-reference-device.md
similarity index 100%
rename from windows/device-security/applocker/configure-the-appLocker-reference-device.md
rename to windows/security/threat-protection/applocker/configure-the-appLocker-reference-device.md
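Review bot: This rename carries over the mixed-case file name `configure-the-appLocker-reference-device.md`, while the other AppLocker files moved here are all lowercase; since the file is being moved anyway, consider lowercasing it so links to it do not depend on case-insensitive path matching.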
diff --git a/windows/device-security/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/applocker/configure-the-application-identity-service.md
similarity index 100%
rename from windows/device-security/applocker/configure-the-application-identity-service.md
rename to windows/security/threat-protection/applocker/configure-the-application-identity-service.md
diff --git a/windows/device-security/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/applocker/create-a-rule-for-packaged-apps.md
similarity index 100%
rename from windows/device-security/applocker/create-a-rule-for-packaged-apps.md
rename to windows/security/threat-protection/applocker/create-a-rule-for-packaged-apps.md
diff --git a/windows/device-security/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/applocker/create-a-rule-that-uses-a-file-hash-condition.md
similarity index 100%
rename from windows/device-security/applocker/create-a-rule-that-uses-a-file-hash-condition.md
rename to windows/security/threat-protection/applocker/create-a-rule-that-uses-a-file-hash-condition.md
diff --git a/windows/device-security/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/applocker/create-a-rule-that-uses-a-path-condition.md
similarity index 100%
rename from windows/device-security/applocker/create-a-rule-that-uses-a-path-condition.md
rename to windows/security/threat-protection/applocker/create-a-rule-that-uses-a-path-condition.md
diff --git a/windows/device-security/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/applocker/create-a-rule-that-uses-a-publisher-condition.md
similarity index 100%
rename from windows/device-security/applocker/create-a-rule-that-uses-a-publisher-condition.md
rename to windows/security/threat-protection/applocker/create-a-rule-that-uses-a-publisher-condition.md
diff --git a/windows/device-security/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/applocker/create-applocker-default-rules.md
similarity index 100%
rename from windows/device-security/applocker/create-applocker-default-rules.md
rename to windows/security/threat-protection/applocker/create-applocker-default-rules.md
diff --git a/windows/device-security/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/applocker/create-list-of-applications-deployed-to-each-business-group.md
similarity index 100%
rename from windows/device-security/applocker/create-list-of-applications-deployed-to-each-business-group.md
rename to windows/security/threat-protection/applocker/create-list-of-applications-deployed-to-each-business-group.md
diff --git a/windows/device-security/applocker/create-your-applocker-planning-document.md b/windows/security/threat-protection/applocker/create-your-applocker-planning-document.md
similarity index 100%
rename from windows/device-security/applocker/create-your-applocker-planning-document.md
rename to windows/security/threat-protection/applocker/create-your-applocker-planning-document.md
diff --git a/windows/device-security/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/applocker/create-your-applocker-policies.md
similarity index 100%
rename from windows/device-security/applocker/create-your-applocker-policies.md
rename to windows/security/threat-protection/applocker/create-your-applocker-policies.md
diff --git a/windows/device-security/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/applocker/create-your-applocker-rules.md
similarity index 100%
rename from windows/device-security/applocker/create-your-applocker-rules.md
rename to windows/security/threat-protection/applocker/create-your-applocker-rules.md
diff --git a/windows/device-security/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/applocker/delete-an-applocker-rule.md
similarity index 100%
rename from windows/device-security/applocker/delete-an-applocker-rule.md
rename to windows/security/threat-protection/applocker/delete-an-applocker-rule.md
diff --git a/windows/device-security/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
similarity index 100%
rename from windows/device-security/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
rename to windows/security/threat-protection/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
diff --git a/windows/device-security/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/applocker/deploy-the-applocker-policy-into-production.md
similarity index 100%
rename from windows/device-security/applocker/deploy-the-applocker-policy-into-production.md
rename to windows/security/threat-protection/applocker/deploy-the-applocker-policy-into-production.md
diff --git a/windows/device-security/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/applocker/determine-group-policy-structure-and-rule-enforcement.md
similarity index 100%
rename from windows/device-security/applocker/determine-group-policy-structure-and-rule-enforcement.md
rename to windows/security/threat-protection/applocker/determine-group-policy-structure-and-rule-enforcement.md
diff --git a/windows/device-security/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
similarity index 100%
rename from windows/device-security/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
rename to windows/security/threat-protection/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
diff --git a/windows/device-security/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/applocker/determine-your-application-control-objectives.md
similarity index 100%
rename from windows/device-security/applocker/determine-your-application-control-objectives.md
rename to windows/security/threat-protection/applocker/determine-your-application-control-objectives.md
diff --git a/windows/device-security/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
similarity index 100%
rename from windows/device-security/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
rename to windows/security/threat-protection/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
diff --git a/windows/device-security/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/applocker/dll-rules-in-applocker.md
similarity index 100%
rename from windows/device-security/applocker/dll-rules-in-applocker.md
rename to windows/security/threat-protection/applocker/dll-rules-in-applocker.md
diff --git a/windows/device-security/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
similarity index 100%
rename from windows/device-security/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
rename to windows/security/threat-protection/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
diff --git a/windows/device-security/applocker/document-your-application-control-management-processes.md b/windows/security/threat-protection/applocker/document-your-application-control-management-processes.md
similarity index 100%
rename from windows/device-security/applocker/document-your-application-control-management-processes.md
rename to windows/security/threat-protection/applocker/document-your-application-control-management-processes.md
diff --git a/windows/device-security/applocker/document-your-application-list.md b/windows/security/threat-protection/applocker/document-your-application-list.md
similarity index 100%
rename from windows/device-security/applocker/document-your-application-list.md
rename to windows/security/threat-protection/applocker/document-your-application-list.md
diff --git a/windows/device-security/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/applocker/document-your-applocker-rules.md
similarity index 100%
rename from windows/device-security/applocker/document-your-applocker-rules.md
rename to windows/security/threat-protection/applocker/document-your-applocker-rules.md
diff --git a/windows/device-security/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/applocker/edit-an-applocker-policy.md
similarity index 100%
rename from windows/device-security/applocker/edit-an-applocker-policy.md
rename to windows/security/threat-protection/applocker/edit-an-applocker-policy.md
diff --git a/windows/device-security/applocker/edit-applocker-rules.md b/windows/security/threat-protection/applocker/edit-applocker-rules.md
similarity index 100%
rename from windows/device-security/applocker/edit-applocker-rules.md
rename to windows/security/threat-protection/applocker/edit-applocker-rules.md
diff --git a/windows/device-security/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/applocker/enable-the-dll-rule-collection.md
similarity index 100%
rename from windows/device-security/applocker/enable-the-dll-rule-collection.md
rename to windows/security/threat-protection/applocker/enable-the-dll-rule-collection.md
diff --git a/windows/device-security/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/applocker/enforce-applocker-rules.md
similarity index 100%
rename from windows/device-security/applocker/enforce-applocker-rules.md
rename to windows/security/threat-protection/applocker/enforce-applocker-rules.md
diff --git a/windows/device-security/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/applocker/executable-rules-in-applocker.md
similarity index 100%
rename from windows/device-security/applocker/executable-rules-in-applocker.md
rename to windows/security/threat-protection/applocker/executable-rules-in-applocker.md
diff --git a/windows/device-security/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/applocker/export-an-applocker-policy-from-a-gpo.md
similarity index 100%
rename from windows/device-security/applocker/export-an-applocker-policy-from-a-gpo.md
rename to windows/security/threat-protection/applocker/export-an-applocker-policy-from-a-gpo.md
diff --git a/windows/device-security/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/applocker/export-an-applocker-policy-to-an-xml-file.md
similarity index 100%
rename from windows/device-security/applocker/export-an-applocker-policy-to-an-xml-file.md
rename to windows/security/threat-protection/applocker/export-an-applocker-policy-to-an-xml-file.md
diff --git a/windows/device-security/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/applocker/how-applocker-works-techref.md
similarity index 100%
rename from windows/device-security/applocker/how-applocker-works-techref.md
rename to windows/security/threat-protection/applocker/how-applocker-works-techref.md
diff --git a/windows/device-security/applocker/images/applocker-plan-inheritance.gif b/windows/security/threat-protection/applocker/images/applocker-plan-inheritance.gif
similarity index 100%
rename from windows/device-security/applocker/images/applocker-plan-inheritance.gif
rename to windows/security/threat-protection/applocker/images/applocker-plan-inheritance.gif
diff --git a/windows/device-security/applocker/images/applocker-plandeploy-quickreference.gif b/windows/security/threat-protection/applocker/images/applocker-plandeploy-quickreference.gif
similarity index 100%
rename from windows/device-security/applocker/images/applocker-plandeploy-quickreference.gif
rename to windows/security/threat-protection/applocker/images/applocker-plandeploy-quickreference.gif
diff --git a/windows/device-security/applocker/images/blockedappmsg.gif b/windows/security/threat-protection/applocker/images/blockedappmsg.gif
similarity index 100%
rename from windows/device-security/applocker/images/blockedappmsg.gif
rename to windows/security/threat-protection/applocker/images/blockedappmsg.gif
diff --git a/windows/device-security/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/applocker/import-an-applocker-policy-from-another-computer.md
similarity index 100%
rename from windows/device-security/applocker/import-an-applocker-policy-from-another-computer.md
rename to windows/security/threat-protection/applocker/import-an-applocker-policy-from-another-computer.md
diff --git a/windows/device-security/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/applocker/import-an-applocker-policy-into-a-gpo.md
similarity index 100%
rename from windows/device-security/applocker/import-an-applocker-policy-into-a-gpo.md
rename to windows/security/threat-protection/applocker/import-an-applocker-policy-into-a-gpo.md
diff --git a/windows/device-security/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/applocker/maintain-applocker-policies.md
similarity index 100%
rename from windows/device-security/applocker/maintain-applocker-policies.md
rename to windows/security/threat-protection/applocker/maintain-applocker-policies.md
diff --git a/windows/device-security/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/applocker/manage-packaged-apps-with-applocker.md
similarity index 100%
rename from windows/device-security/applocker/manage-packaged-apps-with-applocker.md
rename to windows/security/threat-protection/applocker/manage-packaged-apps-with-applocker.md
diff --git a/windows/device-security/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
similarity index 100%
rename from windows/device-security/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
rename to windows/security/threat-protection/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
diff --git a/windows/device-security/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/applocker/merge-applocker-policies-manually.md
similarity index 100%
rename from windows/device-security/applocker/merge-applocker-policies-manually.md
rename to windows/security/threat-protection/applocker/merge-applocker-policies-manually.md
diff --git a/windows/device-security/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/applocker/monitor-application-usage-with-applocker.md
similarity index 100%
rename from windows/device-security/applocker/monitor-application-usage-with-applocker.md
rename to windows/security/threat-protection/applocker/monitor-application-usage-with-applocker.md
diff --git a/windows/device-security/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/applocker/optimize-applocker-performance.md
similarity index 100%
rename from windows/device-security/applocker/optimize-applocker-performance.md
rename to windows/security/threat-protection/applocker/optimize-applocker-performance.md
diff --git a/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
similarity index 100%
rename from windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
rename to windows/security/threat-protection/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
diff --git a/windows/device-security/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/applocker/plan-for-applocker-policy-management.md
similarity index 100%
rename from windows/device-security/applocker/plan-for-applocker-policy-management.md
rename to windows/security/threat-protection/applocker/plan-for-applocker-policy-management.md
diff --git a/windows/device-security/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/applocker/refresh-an-applocker-policy.md
similarity index 100%
rename from windows/device-security/applocker/refresh-an-applocker-policy.md
rename to windows/security/threat-protection/applocker/refresh-an-applocker-policy.md
diff --git a/windows/device-security/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/applocker/requirements-for-deploying-applocker-policies.md
similarity index 100%
rename from windows/device-security/applocker/requirements-for-deploying-applocker-policies.md
rename to windows/security/threat-protection/applocker/requirements-for-deploying-applocker-policies.md
diff --git a/windows/device-security/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/applocker/requirements-to-use-applocker.md
similarity index 100%
rename from windows/device-security/applocker/requirements-to-use-applocker.md
rename to windows/security/threat-protection/applocker/requirements-to-use-applocker.md
diff --git a/windows/device-security/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/applocker/run-the-automatically-generate-rules-wizard.md
similarity index 100%
rename from windows/device-security/applocker/run-the-automatically-generate-rules-wizard.md
rename to windows/security/threat-protection/applocker/run-the-automatically-generate-rules-wizard.md
diff --git a/windows/device-security/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/applocker/script-rules-in-applocker.md
similarity index 100%
rename from windows/device-security/applocker/script-rules-in-applocker.md
rename to windows/security/threat-protection/applocker/script-rules-in-applocker.md
diff --git a/windows/device-security/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/applocker/security-considerations-for-applocker.md
similarity index 100%
rename from windows/device-security/applocker/security-considerations-for-applocker.md
rename to windows/security/threat-protection/applocker/security-considerations-for-applocker.md
diff --git a/windows/device-security/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/applocker/select-types-of-rules-to-create.md
similarity index 100%
rename from windows/device-security/applocker/select-types-of-rules-to-create.md
rename to windows/security/threat-protection/applocker/select-types-of-rules-to-create.md
diff --git a/windows/device-security/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
similarity index 100%
rename from windows/device-security/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
rename to windows/security/threat-protection/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
diff --git a/windows/device-security/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/applocker/test-and-update-an-applocker-policy.md
similarity index 100%
rename from windows/device-security/applocker/test-and-update-an-applocker-policy.md
rename to windows/security/threat-protection/applocker/test-and-update-an-applocker-policy.md
diff --git a/windows/device-security/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/applocker/tools-to-use-with-applocker.md
similarity index 100%
rename from windows/device-security/applocker/tools-to-use-with-applocker.md
rename to windows/security/threat-protection/applocker/tools-to-use-with-applocker.md
diff --git a/windows/device-security/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/applocker/understand-applocker-enforcement-settings.md
similarity index 100%
rename from windows/device-security/applocker/understand-applocker-enforcement-settings.md
rename to windows/security/threat-protection/applocker/understand-applocker-enforcement-settings.md
diff --git a/windows/device-security/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/applocker/understand-applocker-policy-design-decisions.md
similarity index 100%
rename from windows/device-security/applocker/understand-applocker-policy-design-decisions.md
rename to windows/security/threat-protection/applocker/understand-applocker-policy-design-decisions.md
diff --git a/windows/device-security/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
similarity index 100%
rename from windows/device-security/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
rename to windows/security/threat-protection/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
diff --git a/windows/device-security/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/applocker/understand-the-applocker-policy-deployment-process.md
similarity index 100%
rename from windows/device-security/applocker/understand-the-applocker-policy-deployment-process.md
rename to windows/security/threat-protection/applocker/understand-the-applocker-policy-deployment-process.md
diff --git a/windows/device-security/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
similarity index 100%
rename from windows/device-security/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
rename to windows/security/threat-protection/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
diff --git a/windows/device-security/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/applocker/understanding-applocker-default-rules.md
similarity index 100%
rename from windows/device-security/applocker/understanding-applocker-default-rules.md
rename to windows/security/threat-protection/applocker/understanding-applocker-default-rules.md
diff --git a/windows/device-security/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/applocker/understanding-applocker-rule-behavior.md
similarity index 100%
rename from windows/device-security/applocker/understanding-applocker-rule-behavior.md
rename to windows/security/threat-protection/applocker/understanding-applocker-rule-behavior.md
diff --git a/windows/device-security/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/applocker/understanding-applocker-rule-collections.md
similarity index 100%
rename from windows/device-security/applocker/understanding-applocker-rule-collections.md
rename to windows/security/threat-protection/applocker/understanding-applocker-rule-collections.md
diff --git a/windows/device-security/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/applocker/understanding-applocker-rule-condition-types.md
similarity index 100%
rename from windows/device-security/applocker/understanding-applocker-rule-condition-types.md
rename to windows/security/threat-protection/applocker/understanding-applocker-rule-condition-types.md
diff --git a/windows/device-security/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/applocker/understanding-applocker-rule-exceptions.md
similarity index 100%
rename from windows/device-security/applocker/understanding-applocker-rule-exceptions.md
rename to windows/security/threat-protection/applocker/understanding-applocker-rule-exceptions.md
diff --git a/windows/device-security/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
similarity index 100%
rename from windows/device-security/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
rename to windows/security/threat-protection/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
diff --git a/windows/device-security/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/applocker/understanding-the-path-rule-condition-in-applocker.md
similarity index 100%
rename from windows/device-security/applocker/understanding-the-path-rule-condition-in-applocker.md
rename to windows/security/threat-protection/applocker/understanding-the-path-rule-condition-in-applocker.md
diff --git a/windows/device-security/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/applocker/understanding-the-publisher-rule-condition-in-applocker.md
similarity index 100%
rename from windows/device-security/applocker/understanding-the-publisher-rule-condition-in-applocker.md
rename to windows/security/threat-protection/applocker/understanding-the-publisher-rule-condition-in-applocker.md
diff --git a/windows/device-security/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
similarity index 100%
rename from windows/device-security/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
rename to windows/security/threat-protection/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
diff --git a/windows/device-security/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
similarity index 100%
rename from windows/device-security/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
rename to windows/security/threat-protection/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
diff --git a/windows/device-security/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/applocker/use-the-applocker-windows-powershell-cmdlets.md
similarity index 100%
rename from windows/device-security/applocker/use-the-applocker-windows-powershell-cmdlets.md
rename to windows/security/threat-protection/applocker/use-the-applocker-windows-powershell-cmdlets.md
diff --git a/windows/device-security/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/applocker/using-event-viewer-with-applocker.md
similarity index 100%
rename from windows/device-security/applocker/using-event-viewer-with-applocker.md
rename to windows/security/threat-protection/applocker/using-event-viewer-with-applocker.md
diff --git a/windows/device-security/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/applocker/using-software-restriction-policies-and-applocker-policies.md
similarity index 100%
rename from windows/device-security/applocker/using-software-restriction-policies-and-applocker-policies.md
rename to windows/security/threat-protection/applocker/using-software-restriction-policies-and-applocker-policies.md
diff --git a/windows/device-security/applocker/what-is-applocker.md b/windows/security/threat-protection/applocker/what-is-applocker.md
similarity index 100%
rename from windows/device-security/applocker/what-is-applocker.md
rename to windows/security/threat-protection/applocker/what-is-applocker.md
diff --git a/windows/device-security/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/applocker/windows-installer-rules-in-applocker.md
similarity index 100%
rename from windows/device-security/applocker/windows-installer-rules-in-applocker.md
rename to windows/security/threat-protection/applocker/windows-installer-rules-in-applocker.md
diff --git a/windows/device-security/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/applocker/working-with-applocker-policies.md
similarity index 100%
rename from windows/device-security/applocker/working-with-applocker-policies.md
rename to windows/security/threat-protection/applocker/working-with-applocker-policies.md
diff --git a/windows/device-security/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/applocker/working-with-applocker-rules.md
similarity index 100%
rename from windows/device-security/applocker/working-with-applocker-rules.md
rename to windows/security/threat-protection/applocker/working-with-applocker-rules.md
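Review bot: Every applocker rename above is at similarity index 100%, so the file contents are untouched, yet the folder moves from windows/device-security/applocker/ to windows/security/threat-protection/applocker/, which is one level deeper. Links between files inside applocker/ (including images/) still resolve because the folder moves as a unit, but any relative link that climbs out of the folder with ../ would now resolve to a different location. Please check these files for such links and correct them in this change or a follow-up.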
diff --git a/windows/device-security/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
similarity index 100%
rename from windows/device-security/auditing/advanced-security-audit-policy-settings.md
rename to windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
diff --git a/windows/device-security/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
similarity index 100%
rename from windows/device-security/auditing/advanced-security-auditing-faq.md
rename to windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
diff --git a/windows/device-security/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
similarity index 100%
rename from windows/device-security/auditing/advanced-security-auditing.md
rename to windows/security/threat-protection/auditing/advanced-security-auditing.md
diff --git a/windows/device-security/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
similarity index 100%
rename from windows/device-security/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
rename to windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
diff --git a/windows/device-security/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
similarity index 100%
rename from windows/device-security/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
rename to windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
diff --git a/windows/device-security/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
similarity index 100%
rename from windows/device-security/auditing/audit-account-lockout.md
rename to windows/security/threat-protection/auditing/audit-account-lockout.md
diff --git a/windows/device-security/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
similarity index 100%
rename from windows/device-security/auditing/audit-application-generated.md
rename to windows/security/threat-protection/auditing/audit-application-generated.md
diff --git a/windows/device-security/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
similarity index 100%
rename from windows/device-security/auditing/audit-application-group-management.md
rename to windows/security/threat-protection/auditing/audit-application-group-management.md
diff --git a/windows/device-security/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
similarity index 100%
rename from windows/device-security/auditing/audit-audit-policy-change.md
rename to windows/security/threat-protection/auditing/audit-audit-policy-change.md
diff --git a/windows/device-security/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
similarity index 100%
rename from windows/device-security/auditing/audit-authentication-policy-change.md
rename to windows/security/threat-protection/auditing/audit-authentication-policy-change.md
diff --git a/windows/device-security/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
similarity index 100%
rename from windows/device-security/auditing/audit-authorization-policy-change.md
rename to windows/security/threat-protection/auditing/audit-authorization-policy-change.md
diff --git a/windows/device-security/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
similarity index 100%
rename from windows/device-security/auditing/audit-central-access-policy-staging.md
rename to windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
diff --git a/windows/device-security/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
similarity index 100%
rename from windows/device-security/auditing/audit-certification-services.md
rename to windows/security/threat-protection/auditing/audit-certification-services.md
diff --git a/windows/device-security/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
similarity index 100%
rename from windows/device-security/auditing/audit-computer-account-management.md
rename to windows/security/threat-protection/auditing/audit-computer-account-management.md
diff --git a/windows/device-security/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
similarity index 100%
rename from windows/device-security/auditing/audit-credential-validation.md
rename to windows/security/threat-protection/auditing/audit-credential-validation.md
diff --git a/windows/device-security/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
similarity index 100%
rename from windows/device-security/auditing/audit-detailed-directory-service-replication.md
rename to windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
diff --git a/windows/device-security/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
similarity index 100%
rename from windows/device-security/auditing/audit-detailed-file-share.md
rename to windows/security/threat-protection/auditing/audit-detailed-file-share.md
diff --git a/windows/device-security/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
similarity index 100%
rename from windows/device-security/auditing/audit-directory-service-access.md
rename to windows/security/threat-protection/auditing/audit-directory-service-access.md
diff --git a/windows/device-security/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
similarity index 100%
rename from windows/device-security/auditing/audit-directory-service-changes.md
rename to windows/security/threat-protection/auditing/audit-directory-service-changes.md
diff --git a/windows/device-security/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
similarity index 100%
rename from windows/device-security/auditing/audit-directory-service-replication.md
rename to windows/security/threat-protection/auditing/audit-directory-service-replication.md
diff --git a/windows/device-security/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
similarity index 100%
rename from windows/device-security/auditing/audit-distribution-group-management.md
rename to windows/security/threat-protection/auditing/audit-distribution-group-management.md
diff --git a/windows/device-security/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
similarity index 100%
rename from windows/device-security/auditing/audit-dpapi-activity.md
rename to windows/security/threat-protection/auditing/audit-dpapi-activity.md
diff --git a/windows/device-security/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
similarity index 100%
rename from windows/device-security/auditing/audit-file-share.md
rename to windows/security/threat-protection/auditing/audit-file-share.md
diff --git a/windows/device-security/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
similarity index 100%
rename from windows/device-security/auditing/audit-file-system.md
rename to windows/security/threat-protection/auditing/audit-file-system.md
diff --git a/windows/device-security/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
similarity index 100%
rename from windows/device-security/auditing/audit-filtering-platform-connection.md
rename to windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
diff --git a/windows/device-security/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
similarity index 100%
rename from windows/device-security/auditing/audit-filtering-platform-packet-drop.md
rename to windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
diff --git a/windows/device-security/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
similarity index 100%
rename from windows/device-security/auditing/audit-filtering-platform-policy-change.md
rename to windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
diff --git a/windows/device-security/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
similarity index 100%
rename from windows/device-security/auditing/audit-group-membership.md
rename to windows/security/threat-protection/auditing/audit-group-membership.md
diff --git a/windows/device-security/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
similarity index 100%
rename from windows/device-security/auditing/audit-handle-manipulation.md
rename to windows/security/threat-protection/auditing/audit-handle-manipulation.md
diff --git a/windows/device-security/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
similarity index 100%
rename from windows/device-security/auditing/audit-ipsec-driver.md
rename to windows/security/threat-protection/auditing/audit-ipsec-driver.md
diff --git a/windows/device-security/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
similarity index 100%
rename from windows/device-security/auditing/audit-ipsec-extended-mode.md
rename to windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
diff --git a/windows/device-security/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
similarity index 100%
rename from windows/device-security/auditing/audit-ipsec-main-mode.md
rename to windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
diff --git a/windows/device-security/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
similarity index 100%
rename from windows/device-security/auditing/audit-ipsec-quick-mode.md
rename to windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
diff --git a/windows/device-security/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
similarity index 100%
rename from windows/device-security/auditing/audit-kerberos-authentication-service.md
rename to windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
diff --git a/windows/device-security/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
similarity index 100%
rename from windows/device-security/auditing/audit-kerberos-service-ticket-operations.md
rename to windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
diff --git a/windows/device-security/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
similarity index 100%
rename from windows/device-security/auditing/audit-kernel-object.md
rename to windows/security/threat-protection/auditing/audit-kernel-object.md
diff --git a/windows/device-security/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
similarity index 100%
rename from windows/device-security/auditing/audit-logoff.md
rename to windows/security/threat-protection/auditing/audit-logoff.md
diff --git a/windows/device-security/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
similarity index 100%
rename from windows/device-security/auditing/audit-logon.md
rename to windows/security/threat-protection/auditing/audit-logon.md
diff --git a/windows/device-security/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
similarity index 100%
rename from windows/device-security/auditing/audit-mpssvc-rule-level-policy-change.md
rename to windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
diff --git a/windows/device-security/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
similarity index 100%
rename from windows/device-security/auditing/audit-network-policy-server.md
rename to windows/security/threat-protection/auditing/audit-network-policy-server.md
diff --git a/windows/device-security/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
similarity index 100%
rename from windows/device-security/auditing/audit-non-sensitive-privilege-use.md
rename to windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
diff --git a/windows/device-security/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
similarity index 100%
rename from windows/device-security/auditing/audit-other-account-logon-events.md
rename to windows/security/threat-protection/auditing/audit-other-account-logon-events.md
diff --git a/windows/device-security/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
similarity index 100%
rename from windows/device-security/auditing/audit-other-account-management-events.md
rename to windows/security/threat-protection/auditing/audit-other-account-management-events.md
diff --git a/windows/device-security/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
similarity index 100%
rename from windows/device-security/auditing/audit-other-logonlogoff-events.md
rename to windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
diff --git a/windows/device-security/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
similarity index 100%
rename from windows/device-security/auditing/audit-other-object-access-events.md
rename to windows/security/threat-protection/auditing/audit-other-object-access-events.md
diff --git a/windows/device-security/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
similarity index 100%
rename from windows/device-security/auditing/audit-other-policy-change-events.md
rename to windows/security/threat-protection/auditing/audit-other-policy-change-events.md
diff --git a/windows/device-security/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
similarity index 100%
rename from windows/device-security/auditing/audit-other-privilege-use-events.md
rename to windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
diff --git a/windows/device-security/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
similarity index 100%
rename from windows/device-security/auditing/audit-other-system-events.md
rename to windows/security/threat-protection/auditing/audit-other-system-events.md
diff --git a/windows/device-security/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
similarity index 100%
rename from windows/device-security/auditing/audit-pnp-activity.md
rename to windows/security/threat-protection/auditing/audit-pnp-activity.md
diff --git a/windows/device-security/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
similarity index 100%
rename from windows/device-security/auditing/audit-process-creation.md
rename to windows/security/threat-protection/auditing/audit-process-creation.md
diff --git a/windows/device-security/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
similarity index 100%
rename from windows/device-security/auditing/audit-process-termination.md
rename to windows/security/threat-protection/auditing/audit-process-termination.md
diff --git a/windows/device-security/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
similarity index 100%
rename from windows/device-security/auditing/audit-registry.md
rename to windows/security/threat-protection/auditing/audit-registry.md
diff --git a/windows/device-security/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
similarity index 100%
rename from windows/device-security/auditing/audit-removable-storage.md
rename to windows/security/threat-protection/auditing/audit-removable-storage.md
diff --git a/windows/device-security/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
similarity index 100%
rename from windows/device-security/auditing/audit-rpc-events.md
rename to windows/security/threat-protection/auditing/audit-rpc-events.md
diff --git a/windows/device-security/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
similarity index 100%
rename from windows/device-security/auditing/audit-sam.md
rename to windows/security/threat-protection/auditing/audit-sam.md
diff --git a/windows/device-security/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
similarity index 93%
rename from windows/device-security/auditing/audit-security-group-management.md
rename to windows/security/threat-protection/auditing/audit-security-group-management.md
index 6f5966a3e8..20caac1504 100644
--- a/windows/device-security/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -31,9 +31,9 @@ This subcategory allows you to audit events generated by changes to security gro
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
+| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
+| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
**Events List:**
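Review bot: In all three rows (Domain Controller, Member Server, Workstation) the rewritten Comments cell now says "We recommend Failure auditing", but the General Failure and Stronger Failure columns in those same rows still read "No", so the table contradicts itself. Either change those columns to "Yes" or reword the comment so it matches the recommendation the columns actually give. The removed text stated that this subcategory "doesn't have Failure events"; since the new text reverses that, the page should show which events in the Events List can be logged as failures, otherwise readers cannot tell what enabling Failure auditing will collect. Two smaller points: "create, change, or delete new security groups" reads oddly because a failed change or delete applies to existing groups, so drop "new"; and add a space before the closing `|` of each row to match the rest of the table.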
diff --git a/windows/device-security/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
similarity index 100%
rename from windows/device-security/auditing/audit-security-state-change.md
rename to windows/security/threat-protection/auditing/audit-security-state-change.md
diff --git a/windows/device-security/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
similarity index 100%
rename from windows/device-security/auditing/audit-security-system-extension.md
rename to windows/security/threat-protection/auditing/audit-security-system-extension.md
diff --git a/windows/device-security/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
similarity index 100%
rename from windows/device-security/auditing/audit-sensitive-privilege-use.md
rename to windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
diff --git a/windows/device-security/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
similarity index 100%
rename from windows/device-security/auditing/audit-special-logon.md
rename to windows/security/threat-protection/auditing/audit-special-logon.md
diff --git a/windows/device-security/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
similarity index 100%
rename from windows/device-security/auditing/audit-system-integrity.md
rename to windows/security/threat-protection/auditing/audit-system-integrity.md
diff --git a/windows/device-security/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
similarity index 100%
rename from windows/device-security/auditing/audit-user-account-management.md
rename to windows/security/threat-protection/auditing/audit-user-account-management.md
diff --git a/windows/device-security/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
similarity index 100%
rename from windows/device-security/auditing/audit-user-device-claims.md
rename to windows/security/threat-protection/auditing/audit-user-device-claims.md
diff --git a/windows/device-security/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-account-logon-events.md
rename to windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
diff --git a/windows/device-security/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-account-management.md
rename to windows/security/threat-protection/auditing/basic-audit-account-management.md
diff --git a/windows/device-security/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-directory-service-access.md
rename to windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
diff --git a/windows/device-security/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-logon-events.md
rename to windows/security/threat-protection/auditing/basic-audit-logon-events.md
diff --git a/windows/device-security/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-object-access.md
rename to windows/security/threat-protection/auditing/basic-audit-object-access.md
diff --git a/windows/device-security/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-policy-change.md
rename to windows/security/threat-protection/auditing/basic-audit-policy-change.md
diff --git a/windows/device-security/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-privilege-use.md
rename to windows/security/threat-protection/auditing/basic-audit-privilege-use.md
diff --git a/windows/device-security/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-process-tracking.md
rename to windows/security/threat-protection/auditing/basic-audit-process-tracking.md
diff --git a/windows/device-security/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
similarity index 100%
rename from windows/device-security/auditing/basic-audit-system-events.md
rename to windows/security/threat-protection/auditing/basic-audit-system-events.md
diff --git a/windows/device-security/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
similarity index 100%
rename from windows/device-security/auditing/basic-security-audit-policies.md
rename to windows/security/threat-protection/auditing/basic-security-audit-policies.md
diff --git a/windows/device-security/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
similarity index 100%
rename from windows/device-security/auditing/basic-security-audit-policy-settings.md
rename to windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
diff --git a/windows/device-security/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
similarity index 100%
rename from windows/device-security/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
rename to windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
diff --git a/windows/device-security/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md
similarity index 100%
rename from windows/device-security/auditing/event-1100.md
rename to windows/security/threat-protection/auditing/event-1100.md
diff --git a/windows/device-security/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
similarity index 100%
rename from windows/device-security/auditing/event-1102.md
rename to windows/security/threat-protection/auditing/event-1102.md
diff --git a/windows/device-security/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
similarity index 100%
rename from windows/device-security/auditing/event-1104.md
rename to windows/security/threat-protection/auditing/event-1104.md
diff --git a/windows/device-security/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
similarity index 100%
rename from windows/device-security/auditing/event-1105.md
rename to windows/security/threat-protection/auditing/event-1105.md
diff --git a/windows/device-security/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
similarity index 100%
rename from windows/device-security/auditing/event-1108.md
rename to windows/security/threat-protection/auditing/event-1108.md
diff --git a/windows/device-security/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
similarity index 100%
rename from windows/device-security/auditing/event-4608.md
rename to windows/security/threat-protection/auditing/event-4608.md
diff --git a/windows/device-security/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md
similarity index 100%
rename from windows/device-security/auditing/event-4610.md
rename to windows/security/threat-protection/auditing/event-4610.md
diff --git a/windows/device-security/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
similarity index 100%
rename from windows/device-security/auditing/event-4611.md
rename to windows/security/threat-protection/auditing/event-4611.md
diff --git a/windows/device-security/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
similarity index 100%
rename from windows/device-security/auditing/event-4612.md
rename to windows/security/threat-protection/auditing/event-4612.md
diff --git a/windows/device-security/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
similarity index 100%
rename from windows/device-security/auditing/event-4614.md
rename to windows/security/threat-protection/auditing/event-4614.md
diff --git a/windows/device-security/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
similarity index 100%
rename from windows/device-security/auditing/event-4615.md
rename to windows/security/threat-protection/auditing/event-4615.md
diff --git a/windows/device-security/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
similarity index 100%
rename from windows/device-security/auditing/event-4616.md
rename to windows/security/threat-protection/auditing/event-4616.md
diff --git a/windows/device-security/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
similarity index 100%
rename from windows/device-security/auditing/event-4618.md
rename to windows/security/threat-protection/auditing/event-4618.md
diff --git a/windows/device-security/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md
similarity index 100%
rename from windows/device-security/auditing/event-4621.md
rename to windows/security/threat-protection/auditing/event-4621.md
diff --git a/windows/device-security/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
similarity index 100%
rename from windows/device-security/auditing/event-4622.md
rename to windows/security/threat-protection/auditing/event-4622.md
diff --git a/windows/device-security/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
similarity index 100%
rename from windows/device-security/auditing/event-4624.md
rename to windows/security/threat-protection/auditing/event-4624.md
diff --git a/windows/device-security/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
similarity index 100%
rename from windows/device-security/auditing/event-4625.md
rename to windows/security/threat-protection/auditing/event-4625.md
diff --git a/windows/device-security/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
similarity index 100%
rename from windows/device-security/auditing/event-4626.md
rename to windows/security/threat-protection/auditing/event-4626.md
diff --git a/windows/device-security/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
similarity index 100%
rename from windows/device-security/auditing/event-4627.md
rename to windows/security/threat-protection/auditing/event-4627.md
diff --git a/windows/device-security/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
similarity index 100%
rename from windows/device-security/auditing/event-4634.md
rename to windows/security/threat-protection/auditing/event-4634.md
diff --git a/windows/device-security/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
similarity index 100%
rename from windows/device-security/auditing/event-4647.md
rename to windows/security/threat-protection/auditing/event-4647.md
diff --git a/windows/device-security/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
similarity index 100%
rename from windows/device-security/auditing/event-4648.md
rename to windows/security/threat-protection/auditing/event-4648.md
diff --git a/windows/device-security/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
similarity index 100%
rename from windows/device-security/auditing/event-4649.md
rename to windows/security/threat-protection/auditing/event-4649.md
diff --git a/windows/device-security/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
similarity index 100%
rename from windows/device-security/auditing/event-4656.md
rename to windows/security/threat-protection/auditing/event-4656.md
diff --git a/windows/device-security/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
similarity index 100%
rename from windows/device-security/auditing/event-4657.md
rename to windows/security/threat-protection/auditing/event-4657.md
diff --git a/windows/device-security/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
similarity index 100%
rename from windows/device-security/auditing/event-4658.md
rename to windows/security/threat-protection/auditing/event-4658.md
diff --git a/windows/device-security/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
similarity index 100%
rename from windows/device-security/auditing/event-4660.md
rename to windows/security/threat-protection/auditing/event-4660.md
diff --git a/windows/device-security/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
similarity index 100%
rename from windows/device-security/auditing/event-4661.md
rename to windows/security/threat-protection/auditing/event-4661.md
diff --git a/windows/device-security/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md
similarity index 100%
rename from windows/device-security/auditing/event-4662.md
rename to windows/security/threat-protection/auditing/event-4662.md
diff --git a/windows/device-security/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md
similarity index 100%
rename from windows/device-security/auditing/event-4663.md
rename to windows/security/threat-protection/auditing/event-4663.md
diff --git a/windows/device-security/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md
similarity index 100%
rename from windows/device-security/auditing/event-4664.md
rename to windows/security/threat-protection/auditing/event-4664.md
diff --git a/windows/device-security/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
similarity index 100%
rename from windows/device-security/auditing/event-4670.md
rename to windows/security/threat-protection/auditing/event-4670.md
diff --git a/windows/device-security/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md
similarity index 100%
rename from windows/device-security/auditing/event-4671.md
rename to windows/security/threat-protection/auditing/event-4671.md
diff --git a/windows/device-security/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
similarity index 100%
rename from windows/device-security/auditing/event-4672.md
rename to windows/security/threat-protection/auditing/event-4672.md
diff --git a/windows/device-security/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
similarity index 100%
rename from windows/device-security/auditing/event-4673.md
rename to windows/security/threat-protection/auditing/event-4673.md
diff --git a/windows/device-security/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
similarity index 100%
rename from windows/device-security/auditing/event-4674.md
rename to windows/security/threat-protection/auditing/event-4674.md
diff --git a/windows/device-security/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
similarity index 100%
rename from windows/device-security/auditing/event-4675.md
rename to windows/security/threat-protection/auditing/event-4675.md
diff --git a/windows/device-security/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
similarity index 100%
rename from windows/device-security/auditing/event-4688.md
rename to windows/security/threat-protection/auditing/event-4688.md
diff --git a/windows/device-security/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
similarity index 100%
rename from windows/device-security/auditing/event-4689.md
rename to windows/security/threat-protection/auditing/event-4689.md
diff --git a/windows/device-security/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md
similarity index 100%
rename from windows/device-security/auditing/event-4690.md
rename to windows/security/threat-protection/auditing/event-4690.md
diff --git a/windows/device-security/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md
similarity index 100%
rename from windows/device-security/auditing/event-4691.md
rename to windows/security/threat-protection/auditing/event-4691.md
diff --git a/windows/device-security/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
similarity index 100%
rename from windows/device-security/auditing/event-4692.md
rename to windows/security/threat-protection/auditing/event-4692.md
diff --git a/windows/device-security/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md
similarity index 100%
rename from windows/device-security/auditing/event-4693.md
rename to windows/security/threat-protection/auditing/event-4693.md
diff --git a/windows/device-security/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md
similarity index 100%
rename from windows/device-security/auditing/event-4694.md
rename to windows/security/threat-protection/auditing/event-4694.md
diff --git a/windows/device-security/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md
similarity index 100%
rename from windows/device-security/auditing/event-4695.md
rename to windows/security/threat-protection/auditing/event-4695.md
diff --git a/windows/device-security/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
similarity index 100%
rename from windows/device-security/auditing/event-4696.md
rename to windows/security/threat-protection/auditing/event-4696.md
diff --git a/windows/device-security/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
similarity index 100%
rename from windows/device-security/auditing/event-4697.md
rename to windows/security/threat-protection/auditing/event-4697.md
diff --git a/windows/device-security/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
similarity index 100%
rename from windows/device-security/auditing/event-4698.md
rename to windows/security/threat-protection/auditing/event-4698.md
diff --git a/windows/device-security/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
similarity index 100%
rename from windows/device-security/auditing/event-4699.md
rename to windows/security/threat-protection/auditing/event-4699.md
diff --git a/windows/device-security/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
similarity index 100%
rename from windows/device-security/auditing/event-4700.md
rename to windows/security/threat-protection/auditing/event-4700.md
diff --git a/windows/device-security/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
similarity index 100%
rename from windows/device-security/auditing/event-4701.md
rename to windows/security/threat-protection/auditing/event-4701.md
diff --git a/windows/device-security/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
similarity index 100%
rename from windows/device-security/auditing/event-4702.md
rename to windows/security/threat-protection/auditing/event-4702.md
diff --git a/windows/device-security/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
similarity index 100%
rename from windows/device-security/auditing/event-4703.md
rename to windows/security/threat-protection/auditing/event-4703.md
diff --git a/windows/device-security/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
similarity index 100%
rename from windows/device-security/auditing/event-4704.md
rename to windows/security/threat-protection/auditing/event-4704.md
diff --git a/windows/device-security/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
similarity index 100%
rename from windows/device-security/auditing/event-4705.md
rename to windows/security/threat-protection/auditing/event-4705.md
diff --git a/windows/device-security/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
similarity index 100%
rename from windows/device-security/auditing/event-4706.md
rename to windows/security/threat-protection/auditing/event-4706.md
diff --git a/windows/device-security/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
similarity index 100%
rename from windows/device-security/auditing/event-4707.md
rename to windows/security/threat-protection/auditing/event-4707.md
diff --git a/windows/device-security/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
similarity index 100%
rename from windows/device-security/auditing/event-4713.md
rename to windows/security/threat-protection/auditing/event-4713.md
diff --git a/windows/device-security/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
similarity index 100%
rename from windows/device-security/auditing/event-4714.md
rename to windows/security/threat-protection/auditing/event-4714.md
diff --git a/windows/device-security/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
similarity index 100%
rename from windows/device-security/auditing/event-4715.md
rename to windows/security/threat-protection/auditing/event-4715.md
diff --git a/windows/device-security/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
similarity index 100%
rename from windows/device-security/auditing/event-4716.md
rename to windows/security/threat-protection/auditing/event-4716.md
diff --git a/windows/device-security/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
similarity index 100%
rename from windows/device-security/auditing/event-4717.md
rename to windows/security/threat-protection/auditing/event-4717.md
diff --git a/windows/device-security/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
similarity index 100%
rename from windows/device-security/auditing/event-4718.md
rename to windows/security/threat-protection/auditing/event-4718.md
diff --git a/windows/device-security/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
similarity index 100%
rename from windows/device-security/auditing/event-4719.md
rename to windows/security/threat-protection/auditing/event-4719.md
diff --git a/windows/device-security/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
similarity index 100%
rename from windows/device-security/auditing/event-4720.md
rename to windows/security/threat-protection/auditing/event-4720.md
diff --git a/windows/device-security/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
similarity index 100%
rename from windows/device-security/auditing/event-4722.md
rename to windows/security/threat-protection/auditing/event-4722.md
diff --git a/windows/device-security/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md
similarity index 100%
rename from windows/device-security/auditing/event-4723.md
rename to windows/security/threat-protection/auditing/event-4723.md
diff --git a/windows/device-security/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md
similarity index 100%
rename from windows/device-security/auditing/event-4724.md
rename to windows/security/threat-protection/auditing/event-4724.md
diff --git a/windows/device-security/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
similarity index 100%
rename from windows/device-security/auditing/event-4725.md
rename to windows/security/threat-protection/auditing/event-4725.md
diff --git a/windows/device-security/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
similarity index 100%
rename from windows/device-security/auditing/event-4726.md
rename to windows/security/threat-protection/auditing/event-4726.md
diff --git a/windows/device-security/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md
similarity index 100%
rename from windows/device-security/auditing/event-4731.md
rename to windows/security/threat-protection/auditing/event-4731.md
diff --git a/windows/device-security/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
similarity index 100%
rename from windows/device-security/auditing/event-4732.md
rename to windows/security/threat-protection/auditing/event-4732.md
diff --git a/windows/device-security/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
similarity index 100%
rename from windows/device-security/auditing/event-4733.md
rename to windows/security/threat-protection/auditing/event-4733.md
diff --git a/windows/device-security/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
similarity index 100%
rename from windows/device-security/auditing/event-4734.md
rename to windows/security/threat-protection/auditing/event-4734.md
diff --git a/windows/device-security/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
similarity index 100%
rename from windows/device-security/auditing/event-4735.md
rename to windows/security/threat-protection/auditing/event-4735.md
diff --git a/windows/device-security/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
similarity index 100%
rename from windows/device-security/auditing/event-4738.md
rename to windows/security/threat-protection/auditing/event-4738.md
diff --git a/windows/device-security/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
similarity index 100%
rename from windows/device-security/auditing/event-4739.md
rename to windows/security/threat-protection/auditing/event-4739.md
diff --git a/windows/device-security/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
similarity index 100%
rename from windows/device-security/auditing/event-4740.md
rename to windows/security/threat-protection/auditing/event-4740.md
diff --git a/windows/device-security/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
similarity index 100%
rename from windows/device-security/auditing/event-4741.md
rename to windows/security/threat-protection/auditing/event-4741.md
diff --git a/windows/device-security/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
similarity index 100%
rename from windows/device-security/auditing/event-4742.md
rename to windows/security/threat-protection/auditing/event-4742.md
diff --git a/windows/device-security/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
similarity index 100%
rename from windows/device-security/auditing/event-4743.md
rename to windows/security/threat-protection/auditing/event-4743.md
diff --git a/windows/device-security/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md
similarity index 100%
rename from windows/device-security/auditing/event-4749.md
rename to windows/security/threat-protection/auditing/event-4749.md
diff --git a/windows/device-security/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
similarity index 100%
rename from windows/device-security/auditing/event-4750.md
rename to windows/security/threat-protection/auditing/event-4750.md
diff --git a/windows/device-security/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
similarity index 100%
rename from windows/device-security/auditing/event-4751.md
rename to windows/security/threat-protection/auditing/event-4751.md
diff --git a/windows/device-security/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
similarity index 100%
rename from windows/device-security/auditing/event-4752.md
rename to windows/security/threat-protection/auditing/event-4752.md
diff --git a/windows/device-security/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
similarity index 100%
rename from windows/device-security/auditing/event-4753.md
rename to windows/security/threat-protection/auditing/event-4753.md
diff --git a/windows/device-security/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
similarity index 100%
rename from windows/device-security/auditing/event-4764.md
rename to windows/security/threat-protection/auditing/event-4764.md
diff --git a/windows/device-security/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
similarity index 100%
rename from windows/device-security/auditing/event-4765.md
rename to windows/security/threat-protection/auditing/event-4765.md
diff --git a/windows/device-security/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md
similarity index 100%
rename from windows/device-security/auditing/event-4766.md
rename to windows/security/threat-protection/auditing/event-4766.md
diff --git a/windows/device-security/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
similarity index 100%
rename from windows/device-security/auditing/event-4767.md
rename to windows/security/threat-protection/auditing/event-4767.md
diff --git a/windows/device-security/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
similarity index 100%
rename from windows/device-security/auditing/event-4768.md
rename to windows/security/threat-protection/auditing/event-4768.md
diff --git a/windows/device-security/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
similarity index 100%
rename from windows/device-security/auditing/event-4769.md
rename to windows/security/threat-protection/auditing/event-4769.md
diff --git a/windows/device-security/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md
similarity index 100%
rename from windows/device-security/auditing/event-4770.md
rename to windows/security/threat-protection/auditing/event-4770.md
diff --git a/windows/device-security/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
similarity index 100%
rename from windows/device-security/auditing/event-4771.md
rename to windows/security/threat-protection/auditing/event-4771.md
diff --git a/windows/device-security/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md
similarity index 100%
rename from windows/device-security/auditing/event-4772.md
rename to windows/security/threat-protection/auditing/event-4772.md
diff --git a/windows/device-security/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md
similarity index 100%
rename from windows/device-security/auditing/event-4773.md
rename to windows/security/threat-protection/auditing/event-4773.md
diff --git a/windows/device-security/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
similarity index 100%
rename from windows/device-security/auditing/event-4774.md
rename to windows/security/threat-protection/auditing/event-4774.md
diff --git a/windows/device-security/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md
similarity index 100%
rename from windows/device-security/auditing/event-4775.md
rename to windows/security/threat-protection/auditing/event-4775.md
diff --git a/windows/device-security/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
similarity index 100%
rename from windows/device-security/auditing/event-4776.md
rename to windows/security/threat-protection/auditing/event-4776.md
diff --git a/windows/device-security/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md
similarity index 100%
rename from windows/device-security/auditing/event-4777.md
rename to windows/security/threat-protection/auditing/event-4777.md
diff --git a/windows/device-security/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
similarity index 100%
rename from windows/device-security/auditing/event-4778.md
rename to windows/security/threat-protection/auditing/event-4778.md
diff --git a/windows/device-security/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
similarity index 100%
rename from windows/device-security/auditing/event-4779.md
rename to windows/security/threat-protection/auditing/event-4779.md
diff --git a/windows/device-security/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
similarity index 100%
rename from windows/device-security/auditing/event-4780.md
rename to windows/security/threat-protection/auditing/event-4780.md
diff --git a/windows/device-security/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
similarity index 100%
rename from windows/device-security/auditing/event-4781.md
rename to windows/security/threat-protection/auditing/event-4781.md
diff --git a/windows/device-security/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
similarity index 100%
rename from windows/device-security/auditing/event-4782.md
rename to windows/security/threat-protection/auditing/event-4782.md
diff --git a/windows/device-security/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
similarity index 100%
rename from windows/device-security/auditing/event-4793.md
rename to windows/security/threat-protection/auditing/event-4793.md
diff --git a/windows/device-security/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md
similarity index 100%
rename from windows/device-security/auditing/event-4794.md
rename to windows/security/threat-protection/auditing/event-4794.md
diff --git a/windows/device-security/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md
similarity index 100%
rename from windows/device-security/auditing/event-4798.md
rename to windows/security/threat-protection/auditing/event-4798.md
diff --git a/windows/device-security/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md
similarity index 100%
rename from windows/device-security/auditing/event-4799.md
rename to windows/security/threat-protection/auditing/event-4799.md
diff --git a/windows/device-security/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
similarity index 100%
rename from windows/device-security/auditing/event-4800.md
rename to windows/security/threat-protection/auditing/event-4800.md
diff --git a/windows/device-security/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
similarity index 100%
rename from windows/device-security/auditing/event-4801.md
rename to windows/security/threat-protection/auditing/event-4801.md
diff --git a/windows/device-security/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
similarity index 100%
rename from windows/device-security/auditing/event-4802.md
rename to windows/security/threat-protection/auditing/event-4802.md
diff --git a/windows/device-security/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
similarity index 100%
rename from windows/device-security/auditing/event-4803.md
rename to windows/security/threat-protection/auditing/event-4803.md
diff --git a/windows/device-security/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md
similarity index 100%
rename from windows/device-security/auditing/event-4816.md
rename to windows/security/threat-protection/auditing/event-4816.md
diff --git a/windows/device-security/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
similarity index 100%
rename from windows/device-security/auditing/event-4817.md
rename to windows/security/threat-protection/auditing/event-4817.md
diff --git a/windows/device-security/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
similarity index 100%
rename from windows/device-security/auditing/event-4818.md
rename to windows/security/threat-protection/auditing/event-4818.md
diff --git a/windows/device-security/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
similarity index 100%
rename from windows/device-security/auditing/event-4819.md
rename to windows/security/threat-protection/auditing/event-4819.md
diff --git a/windows/device-security/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
similarity index 100%
rename from windows/device-security/auditing/event-4826.md
rename to windows/security/threat-protection/auditing/event-4826.md
diff --git a/windows/device-security/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
similarity index 100%
rename from windows/device-security/auditing/event-4864.md
rename to windows/security/threat-protection/auditing/event-4864.md
diff --git a/windows/device-security/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md
similarity index 100%
rename from windows/device-security/auditing/event-4865.md
rename to windows/security/threat-protection/auditing/event-4865.md
diff --git a/windows/device-security/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md
similarity index 100%
rename from windows/device-security/auditing/event-4866.md
rename to windows/security/threat-protection/auditing/event-4866.md
diff --git a/windows/device-security/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md
similarity index 100%
rename from windows/device-security/auditing/event-4867.md
rename to windows/security/threat-protection/auditing/event-4867.md
diff --git a/windows/device-security/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md
similarity index 100%
rename from windows/device-security/auditing/event-4902.md
rename to windows/security/threat-protection/auditing/event-4902.md
diff --git a/windows/device-security/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md
similarity index 100%
rename from windows/device-security/auditing/event-4904.md
rename to windows/security/threat-protection/auditing/event-4904.md
diff --git a/windows/device-security/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md
similarity index 100%
rename from windows/device-security/auditing/event-4905.md
rename to windows/security/threat-protection/auditing/event-4905.md
diff --git a/windows/device-security/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md
similarity index 100%
rename from windows/device-security/auditing/event-4906.md
rename to windows/security/threat-protection/auditing/event-4906.md
diff --git a/windows/device-security/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
similarity index 100%
rename from windows/device-security/auditing/event-4907.md
rename to windows/security/threat-protection/auditing/event-4907.md
diff --git a/windows/device-security/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
similarity index 100%
rename from windows/device-security/auditing/event-4908.md
rename to windows/security/threat-protection/auditing/event-4908.md
diff --git a/windows/device-security/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md
similarity index 100%
rename from windows/device-security/auditing/event-4909.md
rename to windows/security/threat-protection/auditing/event-4909.md
diff --git a/windows/device-security/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md
similarity index 100%
rename from windows/device-security/auditing/event-4910.md
rename to windows/security/threat-protection/auditing/event-4910.md
diff --git a/windows/device-security/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
similarity index 100%
rename from windows/device-security/auditing/event-4911.md
rename to windows/security/threat-protection/auditing/event-4911.md
diff --git a/windows/device-security/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
similarity index 100%
rename from windows/device-security/auditing/event-4912.md
rename to windows/security/threat-protection/auditing/event-4912.md
diff --git a/windows/device-security/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
similarity index 100%
rename from windows/device-security/auditing/event-4913.md
rename to windows/security/threat-protection/auditing/event-4913.md
diff --git a/windows/device-security/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
similarity index 100%
rename from windows/device-security/auditing/event-4928.md
rename to windows/security/threat-protection/auditing/event-4928.md
diff --git a/windows/device-security/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
similarity index 100%
rename from windows/device-security/auditing/event-4929.md
rename to windows/security/threat-protection/auditing/event-4929.md
diff --git a/windows/device-security/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md
similarity index 100%
rename from windows/device-security/auditing/event-4930.md
rename to windows/security/threat-protection/auditing/event-4930.md
diff --git a/windows/device-security/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md
similarity index 100%
rename from windows/device-security/auditing/event-4931.md
rename to windows/security/threat-protection/auditing/event-4931.md
diff --git a/windows/device-security/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md
similarity index 100%
rename from windows/device-security/auditing/event-4932.md
rename to windows/security/threat-protection/auditing/event-4932.md
diff --git a/windows/device-security/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
similarity index 100%
rename from windows/device-security/auditing/event-4933.md
rename to windows/security/threat-protection/auditing/event-4933.md
diff --git a/windows/device-security/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
similarity index 100%
rename from windows/device-security/auditing/event-4934.md
rename to windows/security/threat-protection/auditing/event-4934.md
diff --git a/windows/device-security/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
similarity index 100%
rename from windows/device-security/auditing/event-4935.md
rename to windows/security/threat-protection/auditing/event-4935.md
diff --git a/windows/device-security/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
similarity index 100%
rename from windows/device-security/auditing/event-4936.md
rename to windows/security/threat-protection/auditing/event-4936.md
diff --git a/windows/device-security/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
similarity index 100%
rename from windows/device-security/auditing/event-4937.md
rename to windows/security/threat-protection/auditing/event-4937.md
diff --git a/windows/device-security/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
similarity index 100%
rename from windows/device-security/auditing/event-4944.md
rename to windows/security/threat-protection/auditing/event-4944.md
diff --git a/windows/device-security/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
similarity index 100%
rename from windows/device-security/auditing/event-4945.md
rename to windows/security/threat-protection/auditing/event-4945.md
diff --git a/windows/device-security/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
similarity index 100%
rename from windows/device-security/auditing/event-4946.md
rename to windows/security/threat-protection/auditing/event-4946.md
diff --git a/windows/device-security/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
similarity index 100%
rename from windows/device-security/auditing/event-4947.md
rename to windows/security/threat-protection/auditing/event-4947.md
diff --git a/windows/device-security/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
similarity index 100%
rename from windows/device-security/auditing/event-4948.md
rename to windows/security/threat-protection/auditing/event-4948.md
diff --git a/windows/device-security/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
similarity index 100%
rename from windows/device-security/auditing/event-4949.md
rename to windows/security/threat-protection/auditing/event-4949.md
diff --git a/windows/device-security/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
similarity index 100%
rename from windows/device-security/auditing/event-4950.md
rename to windows/security/threat-protection/auditing/event-4950.md
diff --git a/windows/device-security/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
similarity index 100%
rename from windows/device-security/auditing/event-4951.md
rename to windows/security/threat-protection/auditing/event-4951.md
diff --git a/windows/device-security/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
similarity index 100%
rename from windows/device-security/auditing/event-4952.md
rename to windows/security/threat-protection/auditing/event-4952.md
diff --git a/windows/device-security/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
similarity index 100%
rename from windows/device-security/auditing/event-4953.md
rename to windows/security/threat-protection/auditing/event-4953.md
diff --git a/windows/device-security/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md
similarity index 100%
rename from windows/device-security/auditing/event-4954.md
rename to windows/security/threat-protection/auditing/event-4954.md
diff --git a/windows/device-security/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
similarity index 100%
rename from windows/device-security/auditing/event-4956.md
rename to windows/security/threat-protection/auditing/event-4956.md
diff --git a/windows/device-security/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
similarity index 100%
rename from windows/device-security/auditing/event-4957.md
rename to windows/security/threat-protection/auditing/event-4957.md
diff --git a/windows/device-security/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
similarity index 100%
rename from windows/device-security/auditing/event-4958.md
rename to windows/security/threat-protection/auditing/event-4958.md
diff --git a/windows/device-security/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md
similarity index 100%
rename from windows/device-security/auditing/event-4964.md
rename to windows/security/threat-protection/auditing/event-4964.md
diff --git a/windows/device-security/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
similarity index 100%
rename from windows/device-security/auditing/event-4985.md
rename to windows/security/threat-protection/auditing/event-4985.md
diff --git a/windows/device-security/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
similarity index 100%
rename from windows/device-security/auditing/event-5024.md
rename to windows/security/threat-protection/auditing/event-5024.md
diff --git a/windows/device-security/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
similarity index 100%
rename from windows/device-security/auditing/event-5025.md
rename to windows/security/threat-protection/auditing/event-5025.md
diff --git a/windows/device-security/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
similarity index 100%
rename from windows/device-security/auditing/event-5027.md
rename to windows/security/threat-protection/auditing/event-5027.md
diff --git a/windows/device-security/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md
similarity index 100%
rename from windows/device-security/auditing/event-5028.md
rename to windows/security/threat-protection/auditing/event-5028.md
diff --git a/windows/device-security/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md
similarity index 100%
rename from windows/device-security/auditing/event-5029.md
rename to windows/security/threat-protection/auditing/event-5029.md
diff --git a/windows/device-security/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md
similarity index 100%
rename from windows/device-security/auditing/event-5030.md
rename to windows/security/threat-protection/auditing/event-5030.md
diff --git a/windows/device-security/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
similarity index 100%
rename from windows/device-security/auditing/event-5031.md
rename to windows/security/threat-protection/auditing/event-5031.md
diff --git a/windows/device-security/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md
similarity index 100%
rename from windows/device-security/auditing/event-5032.md
rename to windows/security/threat-protection/auditing/event-5032.md
diff --git a/windows/device-security/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
similarity index 100%
rename from windows/device-security/auditing/event-5033.md
rename to windows/security/threat-protection/auditing/event-5033.md
diff --git a/windows/device-security/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
similarity index 100%
rename from windows/device-security/auditing/event-5034.md
rename to windows/security/threat-protection/auditing/event-5034.md
diff --git a/windows/device-security/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md
similarity index 100%
rename from windows/device-security/auditing/event-5035.md
rename to windows/security/threat-protection/auditing/event-5035.md
diff --git a/windows/device-security/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md
similarity index 100%
rename from windows/device-security/auditing/event-5037.md
rename to windows/security/threat-protection/auditing/event-5037.md
diff --git a/windows/device-security/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
similarity index 100%
rename from windows/device-security/auditing/event-5038.md
rename to windows/security/threat-protection/auditing/event-5038.md
diff --git a/windows/device-security/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
similarity index 100%
rename from windows/device-security/auditing/event-5039.md
rename to windows/security/threat-protection/auditing/event-5039.md
diff --git a/windows/device-security/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
similarity index 100%
rename from windows/device-security/auditing/event-5051.md
rename to windows/security/threat-protection/auditing/event-5051.md
diff --git a/windows/device-security/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
similarity index 100%
rename from windows/device-security/auditing/event-5056.md
rename to windows/security/threat-protection/auditing/event-5056.md
diff --git a/windows/device-security/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md
similarity index 100%
rename from windows/device-security/auditing/event-5057.md
rename to windows/security/threat-protection/auditing/event-5057.md
diff --git a/windows/device-security/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
similarity index 100%
rename from windows/device-security/auditing/event-5058.md
rename to windows/security/threat-protection/auditing/event-5058.md
diff --git a/windows/device-security/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
similarity index 100%
rename from windows/device-security/auditing/event-5059.md
rename to windows/security/threat-protection/auditing/event-5059.md
diff --git a/windows/device-security/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
similarity index 100%
rename from windows/device-security/auditing/event-5060.md
rename to windows/security/threat-protection/auditing/event-5060.md
diff --git a/windows/device-security/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
similarity index 100%
rename from windows/device-security/auditing/event-5061.md
rename to windows/security/threat-protection/auditing/event-5061.md
diff --git a/windows/device-security/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
similarity index 100%
rename from windows/device-security/auditing/event-5062.md
rename to windows/security/threat-protection/auditing/event-5062.md
diff --git a/windows/device-security/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
similarity index 100%
rename from windows/device-security/auditing/event-5063.md
rename to windows/security/threat-protection/auditing/event-5063.md
diff --git a/windows/device-security/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
similarity index 100%
rename from windows/device-security/auditing/event-5064.md
rename to windows/security/threat-protection/auditing/event-5064.md
diff --git a/windows/device-security/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
similarity index 100%
rename from windows/device-security/auditing/event-5065.md
rename to windows/security/threat-protection/auditing/event-5065.md
diff --git a/windows/device-security/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
similarity index 100%
rename from windows/device-security/auditing/event-5066.md
rename to windows/security/threat-protection/auditing/event-5066.md
diff --git a/windows/device-security/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
similarity index 100%
rename from windows/device-security/auditing/event-5067.md
rename to windows/security/threat-protection/auditing/event-5067.md
diff --git a/windows/device-security/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
similarity index 100%
rename from windows/device-security/auditing/event-5068.md
rename to windows/security/threat-protection/auditing/event-5068.md
diff --git a/windows/device-security/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
similarity index 100%
rename from windows/device-security/auditing/event-5069.md
rename to windows/security/threat-protection/auditing/event-5069.md
diff --git a/windows/device-security/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
similarity index 100%
rename from windows/device-security/auditing/event-5070.md
rename to windows/security/threat-protection/auditing/event-5070.md
diff --git a/windows/device-security/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
similarity index 100%
rename from windows/device-security/auditing/event-5136.md
rename to windows/security/threat-protection/auditing/event-5136.md
diff --git a/windows/device-security/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
similarity index 100%
rename from windows/device-security/auditing/event-5137.md
rename to windows/security/threat-protection/auditing/event-5137.md
diff --git a/windows/device-security/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
similarity index 100%
rename from windows/device-security/auditing/event-5138.md
rename to windows/security/threat-protection/auditing/event-5138.md
diff --git a/windows/device-security/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
similarity index 100%
rename from windows/device-security/auditing/event-5139.md
rename to windows/security/threat-protection/auditing/event-5139.md
diff --git a/windows/device-security/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
similarity index 100%
rename from windows/device-security/auditing/event-5140.md
rename to windows/security/threat-protection/auditing/event-5140.md
diff --git a/windows/device-security/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
similarity index 100%
rename from windows/device-security/auditing/event-5141.md
rename to windows/security/threat-protection/auditing/event-5141.md
diff --git a/windows/device-security/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
similarity index 100%
rename from windows/device-security/auditing/event-5142.md
rename to windows/security/threat-protection/auditing/event-5142.md
diff --git a/windows/device-security/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
similarity index 100%
rename from windows/device-security/auditing/event-5143.md
rename to windows/security/threat-protection/auditing/event-5143.md
diff --git a/windows/device-security/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
similarity index 100%
rename from windows/device-security/auditing/event-5144.md
rename to windows/security/threat-protection/auditing/event-5144.md
diff --git a/windows/device-security/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
similarity index 100%
rename from windows/device-security/auditing/event-5145.md
rename to windows/security/threat-protection/auditing/event-5145.md
diff --git a/windows/device-security/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
similarity index 100%
rename from windows/device-security/auditing/event-5148.md
rename to windows/security/threat-protection/auditing/event-5148.md
diff --git a/windows/device-security/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
similarity index 100%
rename from windows/device-security/auditing/event-5149.md
rename to windows/security/threat-protection/auditing/event-5149.md
diff --git a/windows/device-security/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
similarity index 100%
rename from windows/device-security/auditing/event-5150.md
rename to windows/security/threat-protection/auditing/event-5150.md
diff --git a/windows/device-security/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
similarity index 100%
rename from windows/device-security/auditing/event-5151.md
rename to windows/security/threat-protection/auditing/event-5151.md
diff --git a/windows/device-security/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
similarity index 100%
rename from windows/device-security/auditing/event-5152.md
rename to windows/security/threat-protection/auditing/event-5152.md
diff --git a/windows/device-security/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
similarity index 100%
rename from windows/device-security/auditing/event-5153.md
rename to windows/security/threat-protection/auditing/event-5153.md
diff --git a/windows/device-security/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
similarity index 100%
rename from windows/device-security/auditing/event-5154.md
rename to windows/security/threat-protection/auditing/event-5154.md
diff --git a/windows/device-security/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
similarity index 100%
rename from windows/device-security/auditing/event-5155.md
rename to windows/security/threat-protection/auditing/event-5155.md
diff --git a/windows/device-security/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
similarity index 100%
rename from windows/device-security/auditing/event-5156.md
rename to windows/security/threat-protection/auditing/event-5156.md
diff --git a/windows/device-security/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
similarity index 100%
rename from windows/device-security/auditing/event-5157.md
rename to windows/security/threat-protection/auditing/event-5157.md
diff --git a/windows/device-security/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
similarity index 100%
rename from windows/device-security/auditing/event-5158.md
rename to windows/security/threat-protection/auditing/event-5158.md
diff --git a/windows/device-security/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
similarity index 100%
rename from windows/device-security/auditing/event-5159.md
rename to windows/security/threat-protection/auditing/event-5159.md
diff --git a/windows/device-security/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
similarity index 100%
rename from windows/device-security/auditing/event-5168.md
rename to windows/security/threat-protection/auditing/event-5168.md
diff --git a/windows/device-security/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
similarity index 100%
rename from windows/device-security/auditing/event-5376.md
rename to windows/security/threat-protection/auditing/event-5376.md
diff --git a/windows/device-security/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
similarity index 100%
rename from windows/device-security/auditing/event-5377.md
rename to windows/security/threat-protection/auditing/event-5377.md
diff --git a/windows/device-security/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
similarity index 100%
rename from windows/device-security/auditing/event-5378.md
rename to windows/security/threat-protection/auditing/event-5378.md
diff --git a/windows/device-security/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
similarity index 100%
rename from windows/device-security/auditing/event-5447.md
rename to windows/security/threat-protection/auditing/event-5447.md
diff --git a/windows/device-security/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
similarity index 100%
rename from windows/device-security/auditing/event-5632.md
rename to windows/security/threat-protection/auditing/event-5632.md
diff --git a/windows/device-security/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
similarity index 100%
rename from windows/device-security/auditing/event-5633.md
rename to windows/security/threat-protection/auditing/event-5633.md
diff --git a/windows/device-security/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
similarity index 100%
rename from windows/device-security/auditing/event-5712.md
rename to windows/security/threat-protection/auditing/event-5712.md
diff --git a/windows/device-security/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
similarity index 100%
rename from windows/device-security/auditing/event-5888.md
rename to windows/security/threat-protection/auditing/event-5888.md
diff --git a/windows/device-security/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
similarity index 100%
rename from windows/device-security/auditing/event-5889.md
rename to windows/security/threat-protection/auditing/event-5889.md
diff --git a/windows/device-security/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
similarity index 100%
rename from windows/device-security/auditing/event-5890.md
rename to windows/security/threat-protection/auditing/event-5890.md
diff --git a/windows/device-security/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
similarity index 100%
rename from windows/device-security/auditing/event-6144.md
rename to windows/security/threat-protection/auditing/event-6144.md
diff --git a/windows/device-security/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
similarity index 100%
rename from windows/device-security/auditing/event-6145.md
rename to windows/security/threat-protection/auditing/event-6145.md
diff --git a/windows/device-security/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
similarity index 100%
rename from windows/device-security/auditing/event-6281.md
rename to windows/security/threat-protection/auditing/event-6281.md
diff --git a/windows/device-security/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
similarity index 100%
rename from windows/device-security/auditing/event-6400.md
rename to windows/security/threat-protection/auditing/event-6400.md
diff --git a/windows/device-security/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
similarity index 100%
rename from windows/device-security/auditing/event-6401.md
rename to windows/security/threat-protection/auditing/event-6401.md
diff --git a/windows/device-security/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
similarity index 100%
rename from windows/device-security/auditing/event-6402.md
rename to windows/security/threat-protection/auditing/event-6402.md
diff --git a/windows/device-security/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
similarity index 100%
rename from windows/device-security/auditing/event-6403.md
rename to windows/security/threat-protection/auditing/event-6403.md
diff --git a/windows/device-security/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
similarity index 100%
rename from windows/device-security/auditing/event-6404.md
rename to windows/security/threat-protection/auditing/event-6404.md
diff --git a/windows/device-security/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
similarity index 100%
rename from windows/device-security/auditing/event-6405.md
rename to windows/security/threat-protection/auditing/event-6405.md
diff --git a/windows/device-security/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
similarity index 100%
rename from windows/device-security/auditing/event-6406.md
rename to windows/security/threat-protection/auditing/event-6406.md
diff --git a/windows/device-security/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
similarity index 100%
rename from windows/device-security/auditing/event-6407.md
rename to windows/security/threat-protection/auditing/event-6407.md
diff --git a/windows/device-security/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
similarity index 100%
rename from windows/device-security/auditing/event-6408.md
rename to windows/security/threat-protection/auditing/event-6408.md
diff --git a/windows/device-security/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
similarity index 100%
rename from windows/device-security/auditing/event-6409.md
rename to windows/security/threat-protection/auditing/event-6409.md
diff --git a/windows/device-security/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
similarity index 100%
rename from windows/device-security/auditing/event-6410.md
rename to windows/security/threat-protection/auditing/event-6410.md
diff --git a/windows/device-security/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
similarity index 100%
rename from windows/device-security/auditing/event-6416.md
rename to windows/security/threat-protection/auditing/event-6416.md
diff --git a/windows/device-security/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
similarity index 100%
rename from windows/device-security/auditing/event-6419.md
rename to windows/security/threat-protection/auditing/event-6419.md
diff --git a/windows/device-security/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
similarity index 100%
rename from windows/device-security/auditing/event-6420.md
rename to windows/security/threat-protection/auditing/event-6420.md
diff --git a/windows/device-security/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
similarity index 100%
rename from windows/device-security/auditing/event-6421.md
rename to windows/security/threat-protection/auditing/event-6421.md
diff --git a/windows/device-security/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
similarity index 100%
rename from windows/device-security/auditing/event-6422.md
rename to windows/security/threat-protection/auditing/event-6422.md
diff --git a/windows/device-security/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
similarity index 100%
rename from windows/device-security/auditing/event-6423.md
rename to windows/security/threat-protection/auditing/event-6423.md
diff --git a/windows/device-security/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
similarity index 100%
rename from windows/device-security/auditing/event-6424.md
rename to windows/security/threat-protection/auditing/event-6424.md
diff --git a/windows/device-security/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
similarity index 100%
rename from windows/device-security/auditing/file-system-global-object-access-auditing.md
rename to windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
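Review bot: every event-*.md entry in this run is a rename at similarity index 100%, so the file bodies move unchanged and any link inside them that spells out the old windows/device-security/auditing/ path is carried over as it was. It is worth searching the moved files for that prefix and confirming that redirects from the old paths are part of the change, since none appear among these entries. Relative references of the form images/... should keep resolving, because the images directory moves to the same new parent in the entries that follow.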
diff --git a/windows/device-security/auditing/images/ad-sites-and-services.png b/windows/security/threat-protection/auditing/images/ad-sites-and-services.png
similarity index 100%
rename from windows/device-security/auditing/images/ad-sites-and-services.png
rename to windows/security/threat-protection/auditing/images/ad-sites-and-services.png
diff --git a/windows/device-security/auditing/images/advanced-sharing.png b/windows/security/threat-protection/auditing/images/advanced-sharing.png
similarity index 100%
rename from windows/device-security/auditing/images/advanced-sharing.png
rename to windows/security/threat-protection/auditing/images/advanced-sharing.png
diff --git a/windows/device-security/auditing/images/auditpol-list-subcategory.png b/windows/security/threat-protection/auditing/images/auditpol-list-subcategory.png
similarity index 100%
rename from windows/device-security/auditing/images/auditpol-list-subcategory.png
rename to windows/security/threat-protection/auditing/images/auditpol-list-subcategory.png
diff --git a/windows/device-security/auditing/images/auditpol-list-user.png b/windows/security/threat-protection/auditing/images/auditpol-list-user.png
similarity index 100%
rename from windows/device-security/auditing/images/auditpol-list-user.png
rename to windows/security/threat-protection/auditing/images/auditpol-list-user.png
diff --git a/windows/device-security/auditing/images/branchcache-properties.png b/windows/security/threat-protection/auditing/images/branchcache-properties.png
similarity index 100%
rename from windows/device-security/auditing/images/branchcache-properties.png
rename to windows/security/threat-protection/auditing/images/branchcache-properties.png
diff --git a/windows/device-security/auditing/images/certutil-command.png b/windows/security/threat-protection/auditing/images/certutil-command.png
similarity index 100%
rename from windows/device-security/auditing/images/certutil-command.png
rename to windows/security/threat-protection/auditing/images/certutil-command.png
diff --git a/windows/device-security/auditing/images/computer-management.png b/windows/security/threat-protection/auditing/images/computer-management.png
similarity index 100%
rename from windows/device-security/auditing/images/computer-management.png
rename to windows/security/threat-protection/auditing/images/computer-management.png
diff --git a/windows/device-security/auditing/images/diskpart.png b/windows/security/threat-protection/auditing/images/diskpart.png
similarity index 100%
rename from windows/device-security/auditing/images/diskpart.png
rename to windows/security/threat-protection/auditing/images/diskpart.png
diff --git a/windows/device-security/auditing/images/event-1100.png b/windows/security/threat-protection/auditing/images/event-1100.png
similarity index 100%
rename from windows/device-security/auditing/images/event-1100.png
rename to windows/security/threat-protection/auditing/images/event-1100.png
diff --git a/windows/device-security/auditing/images/event-1102.png b/windows/security/threat-protection/auditing/images/event-1102.png
similarity index 100%
rename from windows/device-security/auditing/images/event-1102.png
rename to windows/security/threat-protection/auditing/images/event-1102.png
diff --git a/windows/device-security/auditing/images/event-1104.png b/windows/security/threat-protection/auditing/images/event-1104.png
similarity index 100%
rename from windows/device-security/auditing/images/event-1104.png
rename to windows/security/threat-protection/auditing/images/event-1104.png
diff --git a/windows/device-security/auditing/images/event-1105.png b/windows/security/threat-protection/auditing/images/event-1105.png
similarity index 100%
rename from windows/device-security/auditing/images/event-1105.png
rename to windows/security/threat-protection/auditing/images/event-1105.png
diff --git a/windows/device-security/auditing/images/event-1108.png b/windows/security/threat-protection/auditing/images/event-1108.png
similarity index 100%
rename from windows/device-security/auditing/images/event-1108.png
rename to windows/security/threat-protection/auditing/images/event-1108.png
diff --git a/windows/device-security/auditing/images/event-4608.png b/windows/security/threat-protection/auditing/images/event-4608.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4608.png
rename to windows/security/threat-protection/auditing/images/event-4608.png
diff --git a/windows/device-security/auditing/images/event-4610.png b/windows/security/threat-protection/auditing/images/event-4610.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4610.png
rename to windows/security/threat-protection/auditing/images/event-4610.png
diff --git a/windows/device-security/auditing/images/event-4611.png b/windows/security/threat-protection/auditing/images/event-4611.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4611.png
rename to windows/security/threat-protection/auditing/images/event-4611.png
diff --git a/windows/device-security/auditing/images/event-4614.png b/windows/security/threat-protection/auditing/images/event-4614.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4614.png
rename to windows/security/threat-protection/auditing/images/event-4614.png
diff --git a/windows/device-security/auditing/images/event-4616.png b/windows/security/threat-protection/auditing/images/event-4616.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4616.png
rename to windows/security/threat-protection/auditing/images/event-4616.png
diff --git a/windows/device-security/auditing/images/event-4618.png b/windows/security/threat-protection/auditing/images/event-4618.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4618.png
rename to windows/security/threat-protection/auditing/images/event-4618.png
diff --git a/windows/device-security/auditing/images/event-4622.png b/windows/security/threat-protection/auditing/images/event-4622.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4622.png
rename to windows/security/threat-protection/auditing/images/event-4622.png
diff --git a/windows/device-security/auditing/images/event-4624.png b/windows/security/threat-protection/auditing/images/event-4624.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4624.png
rename to windows/security/threat-protection/auditing/images/event-4624.png
diff --git a/windows/device-security/auditing/images/event-4625.png b/windows/security/threat-protection/auditing/images/event-4625.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4625.png
rename to windows/security/threat-protection/auditing/images/event-4625.png
diff --git a/windows/device-security/auditing/images/event-4626.png b/windows/security/threat-protection/auditing/images/event-4626.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4626.png
rename to windows/security/threat-protection/auditing/images/event-4626.png
diff --git a/windows/device-security/auditing/images/event-4627.png b/windows/security/threat-protection/auditing/images/event-4627.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4627.png
rename to windows/security/threat-protection/auditing/images/event-4627.png
diff --git a/windows/device-security/auditing/images/event-4634.png b/windows/security/threat-protection/auditing/images/event-4634.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4634.png
rename to windows/security/threat-protection/auditing/images/event-4634.png
diff --git a/windows/device-security/auditing/images/event-4647.png b/windows/security/threat-protection/auditing/images/event-4647.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4647.png
rename to windows/security/threat-protection/auditing/images/event-4647.png
diff --git a/windows/device-security/auditing/images/event-4648.png b/windows/security/threat-protection/auditing/images/event-4648.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4648.png
rename to windows/security/threat-protection/auditing/images/event-4648.png
diff --git a/windows/device-security/auditing/images/event-4656.png b/windows/security/threat-protection/auditing/images/event-4656.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4656.png
rename to windows/security/threat-protection/auditing/images/event-4656.png
diff --git a/windows/device-security/auditing/images/event-4657.png b/windows/security/threat-protection/auditing/images/event-4657.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4657.png
rename to windows/security/threat-protection/auditing/images/event-4657.png
diff --git a/windows/device-security/auditing/images/event-4658.png b/windows/security/threat-protection/auditing/images/event-4658.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4658.png
rename to windows/security/threat-protection/auditing/images/event-4658.png
diff --git a/windows/device-security/auditing/images/event-4660.png b/windows/security/threat-protection/auditing/images/event-4660.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4660.png
rename to windows/security/threat-protection/auditing/images/event-4660.png
diff --git a/windows/device-security/auditing/images/event-4661.png b/windows/security/threat-protection/auditing/images/event-4661.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4661.png
rename to windows/security/threat-protection/auditing/images/event-4661.png
diff --git a/windows/device-security/auditing/images/event-4662.png b/windows/security/threat-protection/auditing/images/event-4662.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4662.png
rename to windows/security/threat-protection/auditing/images/event-4662.png
diff --git a/windows/device-security/auditing/images/event-4663.png b/windows/security/threat-protection/auditing/images/event-4663.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4663.png
rename to windows/security/threat-protection/auditing/images/event-4663.png
diff --git a/windows/device-security/auditing/images/event-4664.png b/windows/security/threat-protection/auditing/images/event-4664.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4664.png
rename to windows/security/threat-protection/auditing/images/event-4664.png
diff --git a/windows/device-security/auditing/images/event-4670.png b/windows/security/threat-protection/auditing/images/event-4670.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4670.png
rename to windows/security/threat-protection/auditing/images/event-4670.png
diff --git a/windows/device-security/auditing/images/event-4672.png b/windows/security/threat-protection/auditing/images/event-4672.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4672.png
rename to windows/security/threat-protection/auditing/images/event-4672.png
diff --git a/windows/device-security/auditing/images/event-4673.png b/windows/security/threat-protection/auditing/images/event-4673.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4673.png
rename to windows/security/threat-protection/auditing/images/event-4673.png
diff --git a/windows/device-security/auditing/images/event-4674.png b/windows/security/threat-protection/auditing/images/event-4674.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4674.png
rename to windows/security/threat-protection/auditing/images/event-4674.png
diff --git a/windows/device-security/auditing/images/event-4688.png b/windows/security/threat-protection/auditing/images/event-4688.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4688.png
rename to windows/security/threat-protection/auditing/images/event-4688.png
diff --git a/windows/device-security/auditing/images/event-4689.png b/windows/security/threat-protection/auditing/images/event-4689.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4689.png
rename to windows/security/threat-protection/auditing/images/event-4689.png
diff --git a/windows/device-security/auditing/images/event-4690.png b/windows/security/threat-protection/auditing/images/event-4690.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4690.png
rename to windows/security/threat-protection/auditing/images/event-4690.png
diff --git a/windows/device-security/auditing/images/event-4691.png b/windows/security/threat-protection/auditing/images/event-4691.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4691.png
rename to windows/security/threat-protection/auditing/images/event-4691.png
diff --git a/windows/device-security/auditing/images/event-4692.png b/windows/security/threat-protection/auditing/images/event-4692.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4692.png
rename to windows/security/threat-protection/auditing/images/event-4692.png
diff --git a/windows/device-security/auditing/images/event-4693.png b/windows/security/threat-protection/auditing/images/event-4693.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4693.png
rename to windows/security/threat-protection/auditing/images/event-4693.png
diff --git a/windows/device-security/auditing/images/event-4696.png b/windows/security/threat-protection/auditing/images/event-4696.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4696.png
rename to windows/security/threat-protection/auditing/images/event-4696.png
diff --git a/windows/device-security/auditing/images/event-4697.png b/windows/security/threat-protection/auditing/images/event-4697.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4697.png
rename to windows/security/threat-protection/auditing/images/event-4697.png
diff --git a/windows/device-security/auditing/images/event-4698.png b/windows/security/threat-protection/auditing/images/event-4698.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4698.png
rename to windows/security/threat-protection/auditing/images/event-4698.png
diff --git a/windows/device-security/auditing/images/event-4699.png b/windows/security/threat-protection/auditing/images/event-4699.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4699.png
rename to windows/security/threat-protection/auditing/images/event-4699.png
diff --git a/windows/device-security/auditing/images/event-4700.png b/windows/security/threat-protection/auditing/images/event-4700.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4700.png
rename to windows/security/threat-protection/auditing/images/event-4700.png
diff --git a/windows/device-security/auditing/images/event-4701.png b/windows/security/threat-protection/auditing/images/event-4701.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4701.png
rename to windows/security/threat-protection/auditing/images/event-4701.png
diff --git a/windows/device-security/auditing/images/event-4702.png b/windows/security/threat-protection/auditing/images/event-4702.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4702.png
rename to windows/security/threat-protection/auditing/images/event-4702.png
diff --git a/windows/device-security/auditing/images/event-4703-partial.png b/windows/security/threat-protection/auditing/images/event-4703-partial.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4703-partial.png
rename to windows/security/threat-protection/auditing/images/event-4703-partial.png
diff --git a/windows/device-security/auditing/images/event-4703.png b/windows/security/threat-protection/auditing/images/event-4703.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4703.png
rename to windows/security/threat-protection/auditing/images/event-4703.png
diff --git a/windows/device-security/auditing/images/event-4704.png b/windows/security/threat-protection/auditing/images/event-4704.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4704.png
rename to windows/security/threat-protection/auditing/images/event-4704.png
diff --git a/windows/device-security/auditing/images/event-4705.png b/windows/security/threat-protection/auditing/images/event-4705.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4705.png
rename to windows/security/threat-protection/auditing/images/event-4705.png
diff --git a/windows/device-security/auditing/images/event-4706.png b/windows/security/threat-protection/auditing/images/event-4706.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4706.png
rename to windows/security/threat-protection/auditing/images/event-4706.png
diff --git a/windows/device-security/auditing/images/event-4707.png b/windows/security/threat-protection/auditing/images/event-4707.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4707.png
rename to windows/security/threat-protection/auditing/images/event-4707.png
diff --git a/windows/device-security/auditing/images/event-4713.png b/windows/security/threat-protection/auditing/images/event-4713.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4713.png
rename to windows/security/threat-protection/auditing/images/event-4713.png
diff --git a/windows/device-security/auditing/images/event-4714.png b/windows/security/threat-protection/auditing/images/event-4714.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4714.png
rename to windows/security/threat-protection/auditing/images/event-4714.png
diff --git a/windows/device-security/auditing/images/event-4715.png b/windows/security/threat-protection/auditing/images/event-4715.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4715.png
rename to windows/security/threat-protection/auditing/images/event-4715.png
diff --git a/windows/device-security/auditing/images/event-4716.png b/windows/security/threat-protection/auditing/images/event-4716.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4716.png
rename to windows/security/threat-protection/auditing/images/event-4716.png
diff --git a/windows/device-security/auditing/images/event-4717.png b/windows/security/threat-protection/auditing/images/event-4717.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4717.png
rename to windows/security/threat-protection/auditing/images/event-4717.png
diff --git a/windows/device-security/auditing/images/event-4718.png b/windows/security/threat-protection/auditing/images/event-4718.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4718.png
rename to windows/security/threat-protection/auditing/images/event-4718.png
diff --git a/windows/device-security/auditing/images/event-4719.png b/windows/security/threat-protection/auditing/images/event-4719.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4719.png
rename to windows/security/threat-protection/auditing/images/event-4719.png
diff --git a/windows/device-security/auditing/images/event-4720.png b/windows/security/threat-protection/auditing/images/event-4720.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4720.png
rename to windows/security/threat-protection/auditing/images/event-4720.png
diff --git a/windows/device-security/auditing/images/event-4722.png b/windows/security/threat-protection/auditing/images/event-4722.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4722.png
rename to windows/security/threat-protection/auditing/images/event-4722.png
diff --git a/windows/device-security/auditing/images/event-4723.png b/windows/security/threat-protection/auditing/images/event-4723.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4723.png
rename to windows/security/threat-protection/auditing/images/event-4723.png
diff --git a/windows/device-security/auditing/images/event-4724.png b/windows/security/threat-protection/auditing/images/event-4724.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4724.png
rename to windows/security/threat-protection/auditing/images/event-4724.png
diff --git a/windows/device-security/auditing/images/event-4725.png b/windows/security/threat-protection/auditing/images/event-4725.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4725.png
rename to windows/security/threat-protection/auditing/images/event-4725.png
diff --git a/windows/device-security/auditing/images/event-4726.png b/windows/security/threat-protection/auditing/images/event-4726.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4726.png
rename to windows/security/threat-protection/auditing/images/event-4726.png
diff --git a/windows/device-security/auditing/images/event-4731.png b/windows/security/threat-protection/auditing/images/event-4731.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4731.png
rename to windows/security/threat-protection/auditing/images/event-4731.png
diff --git a/windows/device-security/auditing/images/event-4732.png b/windows/security/threat-protection/auditing/images/event-4732.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4732.png
rename to windows/security/threat-protection/auditing/images/event-4732.png
diff --git a/windows/device-security/auditing/images/event-4733.png b/windows/security/threat-protection/auditing/images/event-4733.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4733.png
rename to windows/security/threat-protection/auditing/images/event-4733.png
diff --git a/windows/device-security/auditing/images/event-4734.png b/windows/security/threat-protection/auditing/images/event-4734.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4734.png
rename to windows/security/threat-protection/auditing/images/event-4734.png
diff --git a/windows/device-security/auditing/images/event-4735.png b/windows/security/threat-protection/auditing/images/event-4735.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4735.png
rename to windows/security/threat-protection/auditing/images/event-4735.png
diff --git a/windows/device-security/auditing/images/event-4738.png b/windows/security/threat-protection/auditing/images/event-4738.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4738.png
rename to windows/security/threat-protection/auditing/images/event-4738.png
diff --git a/windows/device-security/auditing/images/event-4739.png b/windows/security/threat-protection/auditing/images/event-4739.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4739.png
rename to windows/security/threat-protection/auditing/images/event-4739.png
diff --git a/windows/device-security/auditing/images/event-4740.png b/windows/security/threat-protection/auditing/images/event-4740.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4740.png
rename to windows/security/threat-protection/auditing/images/event-4740.png
diff --git a/windows/device-security/auditing/images/event-4741.png b/windows/security/threat-protection/auditing/images/event-4741.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4741.png
rename to windows/security/threat-protection/auditing/images/event-4741.png
diff --git a/windows/device-security/auditing/images/event-4742.png b/windows/security/threat-protection/auditing/images/event-4742.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4742.png
rename to windows/security/threat-protection/auditing/images/event-4742.png
diff --git a/windows/device-security/auditing/images/event-4743.png b/windows/security/threat-protection/auditing/images/event-4743.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4743.png
rename to windows/security/threat-protection/auditing/images/event-4743.png
diff --git a/windows/device-security/auditing/images/event-4749.png b/windows/security/threat-protection/auditing/images/event-4749.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4749.png
rename to windows/security/threat-protection/auditing/images/event-4749.png
diff --git a/windows/device-security/auditing/images/event-4750.png b/windows/security/threat-protection/auditing/images/event-4750.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4750.png
rename to windows/security/threat-protection/auditing/images/event-4750.png
diff --git a/windows/device-security/auditing/images/event-4751.png b/windows/security/threat-protection/auditing/images/event-4751.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4751.png
rename to windows/security/threat-protection/auditing/images/event-4751.png
diff --git a/windows/device-security/auditing/images/event-4752.png b/windows/security/threat-protection/auditing/images/event-4752.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4752.png
rename to windows/security/threat-protection/auditing/images/event-4752.png
diff --git a/windows/device-security/auditing/images/event-4753.png b/windows/security/threat-protection/auditing/images/event-4753.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4753.png
rename to windows/security/threat-protection/auditing/images/event-4753.png
diff --git a/windows/device-security/auditing/images/event-4764.png b/windows/security/threat-protection/auditing/images/event-4764.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4764.png
rename to windows/security/threat-protection/auditing/images/event-4764.png
diff --git a/windows/device-security/auditing/images/event-4767.png b/windows/security/threat-protection/auditing/images/event-4767.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4767.png
rename to windows/security/threat-protection/auditing/images/event-4767.png
diff --git a/windows/device-security/auditing/images/event-4768.png b/windows/security/threat-protection/auditing/images/event-4768.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4768.png
rename to windows/security/threat-protection/auditing/images/event-4768.png
diff --git a/windows/device-security/auditing/images/event-4769.png b/windows/security/threat-protection/auditing/images/event-4769.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4769.png
rename to windows/security/threat-protection/auditing/images/event-4769.png
diff --git a/windows/device-security/auditing/images/event-4770.png b/windows/security/threat-protection/auditing/images/event-4770.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4770.png
rename to windows/security/threat-protection/auditing/images/event-4770.png
diff --git a/windows/device-security/auditing/images/event-4771.png b/windows/security/threat-protection/auditing/images/event-4771.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4771.png
rename to windows/security/threat-protection/auditing/images/event-4771.png
diff --git a/windows/device-security/auditing/images/event-4776.png b/windows/security/threat-protection/auditing/images/event-4776.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4776.png
rename to windows/security/threat-protection/auditing/images/event-4776.png
diff --git a/windows/device-security/auditing/images/event-4778.png b/windows/security/threat-protection/auditing/images/event-4778.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4778.png
rename to windows/security/threat-protection/auditing/images/event-4778.png
diff --git a/windows/device-security/auditing/images/event-4779.png b/windows/security/threat-protection/auditing/images/event-4779.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4779.png
rename to windows/security/threat-protection/auditing/images/event-4779.png
diff --git a/windows/device-security/auditing/images/event-4781.png b/windows/security/threat-protection/auditing/images/event-4781.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4781.png
rename to windows/security/threat-protection/auditing/images/event-4781.png
diff --git a/windows/device-security/auditing/images/event-4782.png b/windows/security/threat-protection/auditing/images/event-4782.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4782.png
rename to windows/security/threat-protection/auditing/images/event-4782.png
diff --git a/windows/device-security/auditing/images/event-4793.png b/windows/security/threat-protection/auditing/images/event-4793.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4793.png
rename to windows/security/threat-protection/auditing/images/event-4793.png
diff --git a/windows/device-security/auditing/images/event-4794.png b/windows/security/threat-protection/auditing/images/event-4794.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4794.png
rename to windows/security/threat-protection/auditing/images/event-4794.png
diff --git a/windows/device-security/auditing/images/event-4798.png b/windows/security/threat-protection/auditing/images/event-4798.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4798.png
rename to windows/security/threat-protection/auditing/images/event-4798.png
diff --git a/windows/device-security/auditing/images/event-4799.png b/windows/security/threat-protection/auditing/images/event-4799.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4799.png
rename to windows/security/threat-protection/auditing/images/event-4799.png
diff --git a/windows/device-security/auditing/images/event-4800.png b/windows/security/threat-protection/auditing/images/event-4800.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4800.png
rename to windows/security/threat-protection/auditing/images/event-4800.png
diff --git a/windows/device-security/auditing/images/event-4801.png b/windows/security/threat-protection/auditing/images/event-4801.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4801.png
rename to windows/security/threat-protection/auditing/images/event-4801.png
diff --git a/windows/device-security/auditing/images/event-4802.png b/windows/security/threat-protection/auditing/images/event-4802.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4802.png
rename to windows/security/threat-protection/auditing/images/event-4802.png
diff --git a/windows/device-security/auditing/images/event-4803.png b/windows/security/threat-protection/auditing/images/event-4803.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4803.png
rename to windows/security/threat-protection/auditing/images/event-4803.png
diff --git a/windows/device-security/auditing/images/event-4817.png b/windows/security/threat-protection/auditing/images/event-4817.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4817.png
rename to windows/security/threat-protection/auditing/images/event-4817.png
diff --git a/windows/device-security/auditing/images/event-4818.png b/windows/security/threat-protection/auditing/images/event-4818.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4818.png
rename to windows/security/threat-protection/auditing/images/event-4818.png
diff --git a/windows/device-security/auditing/images/event-4819.png b/windows/security/threat-protection/auditing/images/event-4819.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4819.png
rename to windows/security/threat-protection/auditing/images/event-4819.png
diff --git a/windows/device-security/auditing/images/event-4826.png b/windows/security/threat-protection/auditing/images/event-4826.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4826.png
rename to windows/security/threat-protection/auditing/images/event-4826.png
diff --git a/windows/device-security/auditing/images/event-4865.png b/windows/security/threat-protection/auditing/images/event-4865.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4865.png
rename to windows/security/threat-protection/auditing/images/event-4865.png
diff --git a/windows/device-security/auditing/images/event-4866.png b/windows/security/threat-protection/auditing/images/event-4866.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4866.png
rename to windows/security/threat-protection/auditing/images/event-4866.png
diff --git a/windows/device-security/auditing/images/event-4867.png b/windows/security/threat-protection/auditing/images/event-4867.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4867.png
rename to windows/security/threat-protection/auditing/images/event-4867.png
diff --git a/windows/device-security/auditing/images/event-4902.png b/windows/security/threat-protection/auditing/images/event-4902.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4902.png
rename to windows/security/threat-protection/auditing/images/event-4902.png
diff --git a/windows/device-security/auditing/images/event-4904.png b/windows/security/threat-protection/auditing/images/event-4904.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4904.png
rename to windows/security/threat-protection/auditing/images/event-4904.png
diff --git a/windows/device-security/auditing/images/event-4905.png b/windows/security/threat-protection/auditing/images/event-4905.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4905.png
rename to windows/security/threat-protection/auditing/images/event-4905.png
diff --git a/windows/device-security/auditing/images/event-4906.png b/windows/security/threat-protection/auditing/images/event-4906.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4906.png
rename to windows/security/threat-protection/auditing/images/event-4906.png
diff --git a/windows/device-security/auditing/images/event-4907.png b/windows/security/threat-protection/auditing/images/event-4907.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4907.png
rename to windows/security/threat-protection/auditing/images/event-4907.png
diff --git a/windows/device-security/auditing/images/event-4908.png b/windows/security/threat-protection/auditing/images/event-4908.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4908.png
rename to windows/security/threat-protection/auditing/images/event-4908.png
diff --git a/windows/device-security/auditing/images/event-4911.png b/windows/security/threat-protection/auditing/images/event-4911.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4911.png
rename to windows/security/threat-protection/auditing/images/event-4911.png
diff --git a/windows/device-security/auditing/images/event-4912.png b/windows/security/threat-protection/auditing/images/event-4912.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4912.png
rename to windows/security/threat-protection/auditing/images/event-4912.png
diff --git a/windows/device-security/auditing/images/event-4913.png b/windows/security/threat-protection/auditing/images/event-4913.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4913.png
rename to windows/security/threat-protection/auditing/images/event-4913.png
diff --git a/windows/device-security/auditing/images/event-4928.png b/windows/security/threat-protection/auditing/images/event-4928.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4928.png
rename to windows/security/threat-protection/auditing/images/event-4928.png
diff --git a/windows/device-security/auditing/images/event-4929.png b/windows/security/threat-protection/auditing/images/event-4929.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4929.png
rename to windows/security/threat-protection/auditing/images/event-4929.png
diff --git a/windows/device-security/auditing/images/event-4930.png b/windows/security/threat-protection/auditing/images/event-4930.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4930.png
rename to windows/security/threat-protection/auditing/images/event-4930.png
diff --git a/windows/device-security/auditing/images/event-4931.png b/windows/security/threat-protection/auditing/images/event-4931.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4931.png
rename to windows/security/threat-protection/auditing/images/event-4931.png
diff --git a/windows/device-security/auditing/images/event-4932.png b/windows/security/threat-protection/auditing/images/event-4932.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4932.png
rename to windows/security/threat-protection/auditing/images/event-4932.png
diff --git a/windows/device-security/auditing/images/event-4933.png b/windows/security/threat-protection/auditing/images/event-4933.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4933.png
rename to windows/security/threat-protection/auditing/images/event-4933.png
diff --git a/windows/device-security/auditing/images/event-4935.png b/windows/security/threat-protection/auditing/images/event-4935.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4935.png
rename to windows/security/threat-protection/auditing/images/event-4935.png
diff --git a/windows/device-security/auditing/images/event-4944.png b/windows/security/threat-protection/auditing/images/event-4944.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4944.png
rename to windows/security/threat-protection/auditing/images/event-4944.png
diff --git a/windows/device-security/auditing/images/event-4945.png b/windows/security/threat-protection/auditing/images/event-4945.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4945.png
rename to windows/security/threat-protection/auditing/images/event-4945.png
diff --git a/windows/device-security/auditing/images/event-4946.png b/windows/security/threat-protection/auditing/images/event-4946.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4946.png
rename to windows/security/threat-protection/auditing/images/event-4946.png
diff --git a/windows/device-security/auditing/images/event-4947.png b/windows/security/threat-protection/auditing/images/event-4947.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4947.png
rename to windows/security/threat-protection/auditing/images/event-4947.png
diff --git a/windows/device-security/auditing/images/event-4948.png b/windows/security/threat-protection/auditing/images/event-4948.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4948.png
rename to windows/security/threat-protection/auditing/images/event-4948.png
diff --git a/windows/device-security/auditing/images/event-4949.png b/windows/security/threat-protection/auditing/images/event-4949.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4949.png
rename to windows/security/threat-protection/auditing/images/event-4949.png
diff --git a/windows/device-security/auditing/images/event-4950.png b/windows/security/threat-protection/auditing/images/event-4950.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4950.png
rename to windows/security/threat-protection/auditing/images/event-4950.png
diff --git a/windows/device-security/auditing/images/event-4951.png b/windows/security/threat-protection/auditing/images/event-4951.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4951.png
rename to windows/security/threat-protection/auditing/images/event-4951.png
diff --git a/windows/device-security/auditing/images/event-4953.png b/windows/security/threat-protection/auditing/images/event-4953.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4953.png
rename to windows/security/threat-protection/auditing/images/event-4953.png
diff --git a/windows/device-security/auditing/images/event-4954.png b/windows/security/threat-protection/auditing/images/event-4954.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4954.png
rename to windows/security/threat-protection/auditing/images/event-4954.png
diff --git a/windows/device-security/auditing/images/event-4956.png b/windows/security/threat-protection/auditing/images/event-4956.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4956.png
rename to windows/security/threat-protection/auditing/images/event-4956.png
diff --git a/windows/device-security/auditing/images/event-4957.png b/windows/security/threat-protection/auditing/images/event-4957.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4957.png
rename to windows/security/threat-protection/auditing/images/event-4957.png
diff --git a/windows/device-security/auditing/images/event-4964.png b/windows/security/threat-protection/auditing/images/event-4964.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4964.png
rename to windows/security/threat-protection/auditing/images/event-4964.png
diff --git a/windows/device-security/auditing/images/event-4985.png b/windows/security/threat-protection/auditing/images/event-4985.png
similarity index 100%
rename from windows/device-security/auditing/images/event-4985.png
rename to windows/security/threat-protection/auditing/images/event-4985.png
diff --git a/windows/device-security/auditing/images/event-5024.png b/windows/security/threat-protection/auditing/images/event-5024.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5024.png
rename to windows/security/threat-protection/auditing/images/event-5024.png
diff --git a/windows/device-security/auditing/images/event-5025.png b/windows/security/threat-protection/auditing/images/event-5025.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5025.png
rename to windows/security/threat-protection/auditing/images/event-5025.png
diff --git a/windows/device-security/auditing/images/event-5027.png b/windows/security/threat-protection/auditing/images/event-5027.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5027.png
rename to windows/security/threat-protection/auditing/images/event-5027.png
diff --git a/windows/device-security/auditing/images/event-5028.png b/windows/security/threat-protection/auditing/images/event-5028.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5028.png
rename to windows/security/threat-protection/auditing/images/event-5028.png
diff --git a/windows/device-security/auditing/images/event-5031.png b/windows/security/threat-protection/auditing/images/event-5031.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5031.png
rename to windows/security/threat-protection/auditing/images/event-5031.png
diff --git a/windows/device-security/auditing/images/event-5033.png b/windows/security/threat-protection/auditing/images/event-5033.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5033.png
rename to windows/security/threat-protection/auditing/images/event-5033.png
diff --git a/windows/device-security/auditing/images/event-5034.png b/windows/security/threat-protection/auditing/images/event-5034.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5034.png
rename to windows/security/threat-protection/auditing/images/event-5034.png
diff --git a/windows/device-security/auditing/images/event-5058.png b/windows/security/threat-protection/auditing/images/event-5058.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5058.png
rename to windows/security/threat-protection/auditing/images/event-5058.png
diff --git a/windows/device-security/auditing/images/event-5059.png b/windows/security/threat-protection/auditing/images/event-5059.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5059.png
rename to windows/security/threat-protection/auditing/images/event-5059.png
diff --git a/windows/device-security/auditing/images/event-5061.png b/windows/security/threat-protection/auditing/images/event-5061.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5061.png
rename to windows/security/threat-protection/auditing/images/event-5061.png
diff --git a/windows/device-security/auditing/images/event-5136.png b/windows/security/threat-protection/auditing/images/event-5136.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5136.png
rename to windows/security/threat-protection/auditing/images/event-5136.png
diff --git a/windows/device-security/auditing/images/event-5137.png b/windows/security/threat-protection/auditing/images/event-5137.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5137.png
rename to windows/security/threat-protection/auditing/images/event-5137.png
diff --git a/windows/device-security/auditing/images/event-5138.png b/windows/security/threat-protection/auditing/images/event-5138.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5138.png
rename to windows/security/threat-protection/auditing/images/event-5138.png
diff --git a/windows/device-security/auditing/images/event-5139.png b/windows/security/threat-protection/auditing/images/event-5139.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5139.png
rename to windows/security/threat-protection/auditing/images/event-5139.png
diff --git a/windows/device-security/auditing/images/event-5140.png b/windows/security/threat-protection/auditing/images/event-5140.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5140.png
rename to windows/security/threat-protection/auditing/images/event-5140.png
diff --git a/windows/device-security/auditing/images/event-5141.png b/windows/security/threat-protection/auditing/images/event-5141.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5141.png
rename to windows/security/threat-protection/auditing/images/event-5141.png
diff --git a/windows/device-security/auditing/images/event-5142.png b/windows/security/threat-protection/auditing/images/event-5142.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5142.png
rename to windows/security/threat-protection/auditing/images/event-5142.png
diff --git a/windows/device-security/auditing/images/event-5143.png b/windows/security/threat-protection/auditing/images/event-5143.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5143.png
rename to windows/security/threat-protection/auditing/images/event-5143.png
diff --git a/windows/device-security/auditing/images/event-5144.png b/windows/security/threat-protection/auditing/images/event-5144.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5144.png
rename to windows/security/threat-protection/auditing/images/event-5144.png
diff --git a/windows/device-security/auditing/images/event-5145.png b/windows/security/threat-protection/auditing/images/event-5145.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5145.png
rename to windows/security/threat-protection/auditing/images/event-5145.png
diff --git a/windows/device-security/auditing/images/event-5152.png b/windows/security/threat-protection/auditing/images/event-5152.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5152.png
rename to windows/security/threat-protection/auditing/images/event-5152.png
diff --git a/windows/device-security/auditing/images/event-5154.png b/windows/security/threat-protection/auditing/images/event-5154.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5154.png
rename to windows/security/threat-protection/auditing/images/event-5154.png
diff --git a/windows/device-security/auditing/images/event-5156.png b/windows/security/threat-protection/auditing/images/event-5156.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5156.png
rename to windows/security/threat-protection/auditing/images/event-5156.png
diff --git a/windows/device-security/auditing/images/event-5157.png b/windows/security/threat-protection/auditing/images/event-5157.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5157.png
rename to windows/security/threat-protection/auditing/images/event-5157.png
diff --git a/windows/device-security/auditing/images/event-5158.png b/windows/security/threat-protection/auditing/images/event-5158.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5158.png
rename to windows/security/threat-protection/auditing/images/event-5158.png
diff --git a/windows/device-security/auditing/images/event-5168.png b/windows/security/threat-protection/auditing/images/event-5168.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5168.png
rename to windows/security/threat-protection/auditing/images/event-5168.png
diff --git a/windows/device-security/auditing/images/event-5376.png b/windows/security/threat-protection/auditing/images/event-5376.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5376.png
rename to windows/security/threat-protection/auditing/images/event-5376.png
diff --git a/windows/device-security/auditing/images/event-5377.png b/windows/security/threat-protection/auditing/images/event-5377.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5377.png
rename to windows/security/threat-protection/auditing/images/event-5377.png
diff --git a/windows/device-security/auditing/images/event-5378.png b/windows/security/threat-protection/auditing/images/event-5378.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5378.png
rename to windows/security/threat-protection/auditing/images/event-5378.png
diff --git a/windows/device-security/auditing/images/event-5447.png b/windows/security/threat-protection/auditing/images/event-5447.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5447.png
rename to windows/security/threat-protection/auditing/images/event-5447.png
diff --git a/windows/device-security/auditing/images/event-5632.png b/windows/security/threat-protection/auditing/images/event-5632.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5632.png
rename to windows/security/threat-protection/auditing/images/event-5632.png
diff --git a/windows/device-security/auditing/images/event-5633.png b/windows/security/threat-protection/auditing/images/event-5633.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5633.png
rename to windows/security/threat-protection/auditing/images/event-5633.png
diff --git a/windows/device-security/auditing/images/event-5888.png b/windows/security/threat-protection/auditing/images/event-5888.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5888.png
rename to windows/security/threat-protection/auditing/images/event-5888.png
diff --git a/windows/device-security/auditing/images/event-5889.png b/windows/security/threat-protection/auditing/images/event-5889.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5889.png
rename to windows/security/threat-protection/auditing/images/event-5889.png
diff --git a/windows/device-security/auditing/images/event-5890.png b/windows/security/threat-protection/auditing/images/event-5890.png
similarity index 100%
rename from windows/device-security/auditing/images/event-5890.png
rename to windows/security/threat-protection/auditing/images/event-5890.png
diff --git a/windows/device-security/auditing/images/event-6144.png b/windows/security/threat-protection/auditing/images/event-6144.png
similarity index 100%
rename from windows/device-security/auditing/images/event-6144.png
rename to windows/security/threat-protection/auditing/images/event-6144.png
diff --git a/windows/device-security/auditing/images/event-6145.png b/windows/security/threat-protection/auditing/images/event-6145.png
similarity index 100%
rename from windows/device-security/auditing/images/event-6145.png
rename to windows/security/threat-protection/auditing/images/event-6145.png
diff --git a/windows/device-security/auditing/images/event-6416.png b/windows/security/threat-protection/auditing/images/event-6416.png
similarity index 100%
rename from windows/device-security/auditing/images/event-6416.png
rename to windows/security/threat-protection/auditing/images/event-6416.png
diff --git a/windows/device-security/auditing/images/event-6419.png b/windows/security/threat-protection/auditing/images/event-6419.png
similarity index 100%
rename from windows/device-security/auditing/images/event-6419.png
rename to windows/security/threat-protection/auditing/images/event-6419.png
diff --git a/windows/device-security/auditing/images/event-6420.png b/windows/security/threat-protection/auditing/images/event-6420.png
similarity index 100%
rename from windows/device-security/auditing/images/event-6420.png
rename to windows/security/threat-protection/auditing/images/event-6420.png
diff --git a/windows/device-security/auditing/images/event-6421.png b/windows/security/threat-protection/auditing/images/event-6421.png
similarity index 100%
rename from windows/device-security/auditing/images/event-6421.png
rename to windows/security/threat-protection/auditing/images/event-6421.png
diff --git a/windows/device-security/auditing/images/event-6422.png b/windows/security/threat-protection/auditing/images/event-6422.png
similarity index 100%
rename from windows/device-security/auditing/images/event-6422.png
rename to windows/security/threat-protection/auditing/images/event-6422.png
diff --git a/windows/device-security/auditing/images/event-6423.png b/windows/security/threat-protection/auditing/images/event-6423.png
similarity index 100%
rename from windows/device-security/auditing/images/event-6423.png
rename to windows/security/threat-protection/auditing/images/event-6423.png
diff --git a/windows/device-security/auditing/images/filters-xml-file.png b/windows/security/threat-protection/auditing/images/filters-xml-file.png
similarity index 100%
rename from windows/device-security/auditing/images/filters-xml-file.png
rename to windows/security/threat-protection/auditing/images/filters-xml-file.png
diff --git a/windows/device-security/auditing/images/firewall-settings-public-profile.png b/windows/security/threat-protection/auditing/images/firewall-settings-public-profile.png
similarity index 100%
rename from windows/device-security/auditing/images/firewall-settings-public-profile.png
rename to windows/security/threat-protection/auditing/images/firewall-settings-public-profile.png
diff --git a/windows/device-security/auditing/images/group-policy-editor.png b/windows/security/threat-protection/auditing/images/group-policy-editor.png
similarity index 100%
rename from windows/device-security/auditing/images/group-policy-editor.png
rename to windows/security/threat-protection/auditing/images/group-policy-editor.png
diff --git a/windows/device-security/auditing/images/group-policy.png b/windows/security/threat-protection/auditing/images/group-policy.png
similarity index 100%
rename from windows/device-security/auditing/images/group-policy.png
rename to windows/security/threat-protection/auditing/images/group-policy.png
diff --git a/windows/device-security/auditing/images/impact-property.png b/windows/security/threat-protection/auditing/images/impact-property.png
similarity index 100%
rename from windows/device-security/auditing/images/impact-property.png
rename to windows/security/threat-protection/auditing/images/impact-property.png
diff --git a/windows/device-security/auditing/images/ipconfig-command.png b/windows/security/threat-protection/auditing/images/ipconfig-command.png
similarity index 100%
rename from windows/device-security/auditing/images/ipconfig-command.png
rename to windows/security/threat-protection/auditing/images/ipconfig-command.png
diff --git a/windows/device-security/auditing/images/logging-settings-public-profile.png b/windows/security/threat-protection/auditing/images/logging-settings-public-profile.png
similarity index 100%
rename from windows/device-security/auditing/images/logging-settings-public-profile.png
rename to windows/security/threat-protection/auditing/images/logging-settings-public-profile.png
diff --git a/windows/device-security/auditing/images/msb.png b/windows/security/threat-protection/auditing/images/msb.png
similarity index 100%
rename from windows/device-security/auditing/images/msb.png
rename to windows/security/threat-protection/auditing/images/msb.png
diff --git a/windows/device-security/auditing/images/netsh-advfirewall-command.png b/windows/security/threat-protection/auditing/images/netsh-advfirewall-command.png
similarity index 100%
rename from windows/device-security/auditing/images/netsh-advfirewall-command.png
rename to windows/security/threat-protection/auditing/images/netsh-advfirewall-command.png
diff --git a/windows/device-security/auditing/images/netsh-command.png b/windows/security/threat-protection/auditing/images/netsh-command.png
similarity index 100%
rename from windows/device-security/auditing/images/netsh-command.png
rename to windows/security/threat-protection/auditing/images/netsh-command.png
diff --git a/windows/device-security/auditing/images/netsh-lan-command.png b/windows/security/threat-protection/auditing/images/netsh-lan-command.png
similarity index 100%
rename from windows/device-security/auditing/images/netsh-lan-command.png
rename to windows/security/threat-protection/auditing/images/netsh-lan-command.png
diff --git a/windows/device-security/auditing/images/offline-settings.png b/windows/security/threat-protection/auditing/images/offline-settings.png
similarity index 100%
rename from windows/device-security/auditing/images/offline-settings.png
rename to windows/security/threat-protection/auditing/images/offline-settings.png
diff --git a/windows/device-security/auditing/images/query-session.png b/windows/security/threat-protection/auditing/images/query-session.png
similarity index 100%
rename from windows/device-security/auditing/images/query-session.png
rename to windows/security/threat-protection/auditing/images/query-session.png
diff --git a/windows/device-security/auditing/images/registry-editor-audit.png b/windows/security/threat-protection/auditing/images/registry-editor-audit.png
similarity index 100%
rename from windows/device-security/auditing/images/registry-editor-audit.png
rename to windows/security/threat-protection/auditing/images/registry-editor-audit.png
diff --git a/windows/device-security/auditing/images/registry-editor-firewallrules.png b/windows/security/threat-protection/auditing/images/registry-editor-firewallrules.png
similarity index 100%
rename from windows/device-security/auditing/images/registry-editor-firewallrules.png
rename to windows/security/threat-protection/auditing/images/registry-editor-firewallrules.png
diff --git a/windows/device-security/auditing/images/schema-search.png b/windows/security/threat-protection/auditing/images/schema-search.png
similarity index 100%
rename from windows/device-security/auditing/images/schema-search.png
rename to windows/security/threat-protection/auditing/images/schema-search.png
diff --git a/windows/device-security/auditing/images/subkeys-under-security-key.png b/windows/security/threat-protection/auditing/images/subkeys-under-security-key.png
similarity index 100%
rename from windows/device-security/auditing/images/subkeys-under-security-key.png
rename to windows/security/threat-protection/auditing/images/subkeys-under-security-key.png
diff --git a/windows/device-security/auditing/images/subtree-deletion.png b/windows/security/threat-protection/auditing/images/subtree-deletion.png
similarity index 100%
rename from windows/device-security/auditing/images/subtree-deletion.png
rename to windows/security/threat-protection/auditing/images/subtree-deletion.png
diff --git a/windows/device-security/auditing/images/synaptics.png b/windows/security/threat-protection/auditing/images/synaptics.png
similarity index 100%
rename from windows/device-security/auditing/images/synaptics.png
rename to windows/security/threat-protection/auditing/images/synaptics.png
diff --git a/windows/device-security/auditing/images/synaptics1.png b/windows/security/threat-protection/auditing/images/synaptics1.png
similarity index 100%
rename from windows/device-security/auditing/images/synaptics1.png
rename to windows/security/threat-protection/auditing/images/synaptics1.png
diff --git a/windows/device-security/auditing/images/synaptics2.png b/windows/security/threat-protection/auditing/images/synaptics2.png
similarity index 100%
rename from windows/device-security/auditing/images/synaptics2.png
rename to windows/security/threat-protection/auditing/images/synaptics2.png
diff --git a/windows/device-security/auditing/images/synaptics3.png b/windows/security/threat-protection/auditing/images/synaptics3.png
similarity index 100%
rename from windows/device-security/auditing/images/synaptics3.png
rename to windows/security/threat-protection/auditing/images/synaptics3.png
diff --git a/windows/device-security/auditing/images/synaptics4.png b/windows/security/threat-protection/auditing/images/synaptics4.png
similarity index 100%
rename from windows/device-security/auditing/images/synaptics4.png
rename to windows/security/threat-protection/auditing/images/synaptics4.png
diff --git a/windows/device-security/auditing/images/synaptics5.png b/windows/security/threat-protection/auditing/images/synaptics5.png
similarity index 100%
rename from windows/device-security/auditing/images/synaptics5.png
rename to windows/security/threat-protection/auditing/images/synaptics5.png
diff --git a/windows/device-security/auditing/images/synaptics6.png b/windows/security/threat-protection/auditing/images/synaptics6.png
similarity index 100%
rename from windows/device-security/auditing/images/synaptics6.png
rename to windows/security/threat-protection/auditing/images/synaptics6.png
diff --git a/windows/device-security/auditing/images/synaptics7.png b/windows/security/threat-protection/auditing/images/synaptics7.png
similarity index 100%
rename from windows/device-security/auditing/images/synaptics7.png
rename to windows/security/threat-protection/auditing/images/synaptics7.png
diff --git a/windows/device-security/auditing/images/task-manager.png b/windows/security/threat-protection/auditing/images/task-manager.png
similarity index 100%
rename from windows/device-security/auditing/images/task-manager.png
rename to windows/security/threat-protection/auditing/images/task-manager.png
diff --git a/windows/device-security/auditing/images/wfpstate-xml.png b/windows/security/threat-protection/auditing/images/wfpstate-xml.png
similarity index 100%
rename from windows/device-security/auditing/images/wfpstate-xml.png
rename to windows/security/threat-protection/auditing/images/wfpstate-xml.png
diff --git a/windows/device-security/auditing/images/whoami-privilege-list.png b/windows/security/threat-protection/auditing/images/whoami-privilege-list.png
similarity index 100%
rename from windows/device-security/auditing/images/whoami-privilege-list.png
rename to windows/security/threat-protection/auditing/images/whoami-privilege-list.png
diff --git a/windows/device-security/auditing/images/windows-firewall-state-off.png b/windows/security/threat-protection/auditing/images/windows-firewall-state-off.png
similarity index 100%
rename from windows/device-security/auditing/images/windows-firewall-state-off.png
rename to windows/security/threat-protection/auditing/images/windows-firewall-state-off.png
diff --git a/windows/device-security/auditing/images/windows-firewall-with-advanced-security.png b/windows/security/threat-protection/auditing/images/windows-firewall-with-advanced-security.png
similarity index 100%
rename from windows/device-security/auditing/images/windows-firewall-with-advanced-security.png
rename to windows/security/threat-protection/auditing/images/windows-firewall-with-advanced-security.png
diff --git a/windows/device-security/auditing/images/windows-powershell-get-gpo.png b/windows/security/threat-protection/auditing/images/windows-powershell-get-gpo.png
similarity index 100%
rename from windows/device-security/auditing/images/windows-powershell-get-gpo.png
rename to windows/security/threat-protection/auditing/images/windows-powershell-get-gpo.png
diff --git a/windows/device-security/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
similarity index 100%
rename from windows/device-security/auditing/monitor-central-access-policy-and-rule-definitions.md
rename to windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
diff --git a/windows/device-security/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
similarity index 100%
rename from windows/device-security/auditing/monitor-claim-types.md
rename to windows/security/threat-protection/auditing/monitor-claim-types.md
diff --git a/windows/device-security/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
similarity index 100%
rename from windows/device-security/auditing/monitor-resource-attribute-definitions.md
rename to windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
diff --git a/windows/device-security/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
similarity index 100%
rename from windows/device-security/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
rename to windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
diff --git a/windows/device-security/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
similarity index 100%
rename from windows/device-security/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
rename to windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
diff --git a/windows/device-security/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
similarity index 100%
rename from windows/device-security/auditing/monitor-the-resource-attributes-on-files-and-folders.md
rename to windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
diff --git a/windows/device-security/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
similarity index 100%
rename from windows/device-security/auditing/monitor-the-use-of-removable-storage-devices.md
rename to windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
diff --git a/windows/device-security/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
similarity index 100%
rename from windows/device-security/auditing/monitor-user-and-device-claims-during-sign-in.md
rename to windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
diff --git a/windows/device-security/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md
similarity index 100%
rename from windows/device-security/auditing/other-events.md
rename to windows/security/threat-protection/auditing/other-events.md
diff --git a/windows/device-security/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
similarity index 100%
rename from windows/device-security/auditing/planning-and-deploying-advanced-security-audit-policies.md
rename to windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
diff --git a/windows/device-security/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
similarity index 100%
rename from windows/device-security/auditing/registry-global-object-access-auditing.md
rename to windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
diff --git a/windows/device-security/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
similarity index 100%
rename from windows/device-security/auditing/security-auditing-overview.md
rename to windows/security/threat-protection/auditing/security-auditing-overview.md
diff --git a/windows/device-security/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
similarity index 100%
rename from windows/device-security/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
rename to windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
diff --git a/windows/device-security/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
similarity index 100%
rename from windows/device-security/auditing/view-the-security-event-log.md
rename to windows/security/threat-protection/auditing/view-the-security-event-log.md
diff --git a/windows/device-security/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
similarity index 100%
rename from windows/device-security/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
rename to windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
similarity index 100%
rename from windows/threat-protection/block-untrusted-fonts-in-enterprise.md
rename to windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
new file mode 100644
index 0000000000..4c10382574
--- /dev/null
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@@ -0,0 +1,81 @@
+---
+title: Change history for threat protection (Windows 10)
+description: This topic lists new and updated topics in the Windows 10 threat protection documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 10/31/2017
+---
+
+# Change history for threat protection
+This topic lists new and updated topics in the [Threat protection](index.md) documentation.
+
+## February 2018
+
+New or changed topic | Description
+---------------------|------------
+[Security Compliance Toolkit](security-compliance-toolkit-10.md) | Added Office 2016 Security Baseline.
+[Audit security group management](auditing/audit-security-group-management.md)| Added recommendation to audit Failure events.
+
+## January 2018
+|New or changed topic |Description |
+|---------------------|------------|
+|[Windows Defender Application Control](windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
+
+## November 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [How to enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI. |
+
+
+## October 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md)|Added auto-recovery section.
+|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md)|New topic for MAM using the Azure portal.|
+| [TPM fundamentals](/windows/security/hardware-protection/tpm/tpm-fundamentals.md) [BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
+| [Windows security baselines](windows-security-baselines.md) | New. Security baselines added for Windows 10, versions 1703 and 1709. |
+| [Security Compliance Toolkit](security-compliance-toolkit-10.md) | New. Includes a link to tools for managing security baselines. |
+| [Get support for security baselines](get-support-for-security-baselines.md) | New. Explains supported versions for security baselines and other support questions. |
+
+## August 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [BitLocker: Management recommendations for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
+| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
+
+
+## July 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [How Windows 10 uses the Trusted Platform Module](/windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
+
+
+## June 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
+|[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
+|[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
+|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](\windows\security\information-protection\windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.|
+|[Secure the Windows 10 boot process](/windows/security/hardware-protection/secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content |
+
+## May 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [BitLocker Group Policy settings](/windows/security//information-protection/bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. |
+| [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) | New security policy setting. |
+
+
+## March 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[How to collect Windows Information Protection (WIP) audit event logs](/windows/security//information-protection/windows-information-protection/collect-wip-audit-event-logs.md) |New |
+|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](/windows/security//information-protection/windows-information-protection/mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
+|[Limitations while using Windows Information Protection (WIP)](/windows/security//information-protection/windows-information-protection/limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.|
+|[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New |
+|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)|New |
+|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)|New |
+|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. |
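Review bot: Link targets in this new file are written three different ways, and the June 2017 and March 2017 rows that use backslashes (`\windows\security\information-protection\windows-information-protection\...` and `windows-defender-smartscreen\...`) should be changed to forward slashes like the other rows. The May 2017 and March 2017 rows also carry a doubled slash in `/windows/security//information-protection/`. Smaller points in the same hunk: "cofigurable" (January 2018) and "minimun" (May 2017) are misspelled; the first October 2017 row has no closing `|`; the February 2018 table omits the outer pipes that every other table uses; and `ms.date: 10/31/2017` predates the February 2018 and January 2018 sections it sits above. Please also check the October 2017 description "reducing the maximum PIN length from 6 characters to 4" against the May 2017 row, which describes the same setting as a minimum length.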
diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
similarity index 95%
rename from windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
rename to windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
index 3c9fd5f347..1cdb8061a7 100644
--- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -29,7 +29,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
1. Be sure that a WDAC policy is currently deployed in audit mode on the computer on which you will run Package Inspector.
- Package Inspector does not always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. You can use the WDAC policy that you created and audited in [Create a Windows Defender Application Control policy from a reference computer](deploy-code-integrity-policies-steps.md#create-a-windows-defender-application-control-policy-from-a-reference-computer) and [Audit Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#audit-windows-defender-application-control-policies).
+ Package Inspector does not always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. You can use the WDAC policy that you created and audited in [Create a Windows Defender Application Control policy from a reference computer](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-from-a-reference-computer) and [Audit Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#audit-windows-defender-application-control-policies).
> **Note** This process should **not** be performed on a system with an enforced Windows Defender Application Control policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application unless the policy already allows it.
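Review bot: Both links on the added line now target `steps-to-deploy-windows-defender-application-control.md`, and the rename that creates that file is not visible alongside this hunk, so please confirm it lands in the same commit and that the `#create-a-windows-defender-application-control-policy-from-a-reference-computer` and `#audit-windows-defender-application-control-policies` anchors still exist there. Because this topic is itself renamed (similarity index 95%), the old `deploy-catalog-files-to-support-code-integrity-policies.md` path also needs a redirect so that existing inbound links keep resolving.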
@@ -108,7 +108,7 @@ In this section, you sign a catalog file you generated by using PackageInspector
- An internal certification authority (CA) code signing certificate or purchased code signing certificate
-If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) for a walkthrough of how to create one. That topic uses an example certificate name of **ContosoDGSigningCert**, and the procedure that follows uses that example certificate name to sign the catalog file that you created in [Create catalog files](#create-catalog-files), earlier in this topic. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate.
+If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) for a walkthrough of how to create one. That topic uses an example certificate name of **ContosoDGSigningCert**, and the procedure that follows uses that example certificate name to sign the catalog file that you created in [Create catalog files](#create-catalog-files), earlier in this topic. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate.
To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session.
@@ -120,7 +120,7 @@ To sign the existing catalog file, copy each of the following commands into an e
> **Note** This example specifies the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, update the *$ExamplePath* and *$CatFileName* variables with the correct information.
-2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. This example uses the certificate name from [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. This example uses the certificate name from [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
3. Sign the catalog file with Signtool.exe:
@@ -156,7 +156,7 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
` Add-SignerRule -FilePath -CertificatePath -User `
-If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#merge-windows-defender-application-control-policies).
+If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#merge-windows-defender-application-control-policies).
## Deploy catalog files with Group Policy
@@ -338,9 +338,9 @@ At the time of the next software inventory cycle, when the targeted clients rece
## Related topics
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
similarity index 96%
rename from windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md
rename to windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
index 524725b8f7..ab3baf28eb 100644
--- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
@@ -70,7 +70,7 @@ If you don't want to use the [hardware readiness tool](https://www.microsoft.com
5. Select the **Enabled** button. For **Select Platform Security Level**:
- **Secure Boot** provides as much protection as a computer’s hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**.
- - **Secure Boot with DMA** enables Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can have WDAC enabled. For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+ - **Secure Boot with DMA** enables Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can have WDAC enabled. For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
For **Virtualization Based Protection of Code Integrity**:
@@ -93,7 +93,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
> [!IMPORTANT]
-> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled. For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled. For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 1607 and above
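Review bot: The added line in this IMPORTANT note repeats, nearly word for word, the **Secure Boot with DMA** explanation that the previous hunk edits in the Group Policy step, so the same link had to be fixed twice. Consider keeping the explanation in one place and pointing to it from the other, which avoids the two copies drifting on the next rename. While this section is open, the heading "For Windows 1607 and above" would read more clearly as a Windows 10 version number.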
@@ -289,6 +289,6 @@ Figure 6. Windows Defender Device Guard properties in the System Summary
## Related topics
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
similarity index 98%
rename from windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
rename to windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
index ef1f576075..c3cefa3e19 100644
--- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
+++ b/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
@@ -29,7 +29,7 @@ If there are no deny rules present for the file, it will be authorized based on
> Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
>
> Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
-> Admins can reference and customize them as needed for their Windows Defender Application Control deployment or create a custom WDAC policy as described in [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md#create-a-windows-defender-application-control-policy-from-a-reference-computer).
+> Admins can reference and customize them as needed for their Windows Defender Application Control deployment or create a custom WDAC policy as described in [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-from-a-reference-computer).
## Configuring a managed installer with AppLocker and Windows Defender Application Control
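Review bot: On the added line the link label is "Deploy Windows Defender Application Control: steps" but the target is the `#create-a-windows-defender-application-control-policy-from-a-reference-computer` section, so a reader who follows it lands mid-topic; either label the link with the section name or drop the anchor. The first context line of the same note reads "Admins needs to ensure", which is worth correcting to "Admins need to ensure" while the block is being touched.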
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
similarity index 94%
rename from windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
rename to windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
index 4dc169b2f3..891d33a3be 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
+++ b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
@@ -16,10 +16,10 @@ ms.date: 10/20/2017
- Windows Server 2016
Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of WDAC, see:
-- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats) in "Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control."
+- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats) in "Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control."
- [Windows Defender Application Control policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-application-control-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Windows Defender Device Guard."
-If you already understand the basics of WDAC and want procedures for creating, auditing, and merging WDAC policies, see [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md).
+If you already understand the basics of WDAC and want procedures for creating, auditing, and merging WDAC policies, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
This topic includes the following sections:
@@ -36,7 +36,7 @@ A common system imaging practice in today’s IT organization is to establish a
Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
-If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
## Windows Defender Application Control policy rules
@@ -70,13 +70,13 @@ RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
-| **5 Enabled:Inherent Default Policy** | This option is not currently supported. |
+| **5 Enabled:Inherit Default Policy** | This option is not currently supported. |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
-| **11 Disabled:Script Enforcement** | WDAC policies also restrict scripts and MSIs, and PowerShell runs in constrained language mode. Enabling this rule option will allow unsigned scripts to run and will leave PowerShell in full language mode. |
+| **11 Disabled:Script Enforcement** | This option is not currently supported. |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
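Review bot: The new description for option 11 (Disabled:Script Enforcement) removes the only statement in these rows that WDAC policies also restrict scripts and MSIs and that PowerShell runs in constrained language mode. If the rule option itself is not currently supported, say so, but keep that baseline behavior documented in the row or directly under the table, so that readers do not conclude scripts fall outside policy enforcement. The "Inherent" to "Inherit" correction on option 5 should be checked against the option name the policy cmdlets actually emit before merging.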
@@ -120,5 +120,5 @@ They could also choose to create a catalog that captures information about the u
## Related topics
-- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats)
-- [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md)
+- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats)
+- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md
similarity index 80%
rename from windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md
rename to windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md
index 73677dec64..8becbe0a0e 100644
--- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md
+++ b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md
@@ -17,10 +17,10 @@ ms.date: 10/20/2017
This section includes the following topics:
-- [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
-- [Deploy Windows Defender Application Control: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
-- [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md)
-- [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md)
+- [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
+- [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
+- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
+- [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md)
- [Deploy Managed Installer for Windows Defender Application Control](deploy-managed-installer-for-device-guard.md)
To increase the protection for devices that meet certain hardware requirements, you can use virtualization-based protection of code integrity with your Windows Defender Application Control (WDAC) policies.
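Review bot: The renamed link targets in this list follow two different patterns. Three of them swap "code-integrity-policies" for "windows-defender-application-control" in place, the steps page instead becomes "steps-to-deploy-windows-defender-application-control.md", and the unchanged managed installer link still ends in "-for-device-guard.md". If the rename is meant to give the WDAC topics consistent file names, either align the steps page with the others or note in the commit message why it differs.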
@@ -29,5 +29,5 @@ To increase the protection for devices that meet certain hardware requirements,
## Related topics
-[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md
similarity index 86%
rename from windows/device-security/device-guard/device-guard-deployment-guide.md
rename to windows/security/threat-protection/device-guard/device-guard-deployment-guide.md
index 19bc9e6601..0408fa63d3 100644
--- a/windows/device-security/device-guard/device-guard-deployment-guide.md
+++ b/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md
@@ -22,21 +22,21 @@ Windows Defender Device Guard also uses virtualization-based security to isolate
This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
- [Requirements and deployment planning guidelines for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
- - [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
+ - [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
- - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
+ - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
- - [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md)
+ - [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
- - [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md)
+ - [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md)
- [Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
diff --git a/windows/device-security/device-guard/images/device-guard-gp.png b/windows/security/threat-protection/device-guard/images/device-guard-gp.png
similarity index 100%
rename from windows/device-security/device-guard/images/device-guard-gp.png
rename to windows/security/threat-protection/device-guard/images/device-guard-gp.png
diff --git a/windows/device-security/device-guard/images/dg-fig1-enableos.png b/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig1-enableos.png
rename to windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png
diff --git a/windows/device-security/device-guard/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig10-enablecredentialguard.png
rename to windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png
diff --git a/windows/device-security/device-guard/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/device-guard/images/dg-fig11-dgproperties.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig11-dgproperties.png
rename to windows/security/threat-protection/device-guard/images/dg-fig11-dgproperties.png
diff --git a/windows/device-security/device-guard/images/dg-fig12-verifysigning.png b/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig12-verifysigning.png
rename to windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png
diff --git a/windows/device-security/device-guard/images/dg-fig13-createnewgpo.png b/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig13-createnewgpo.png
rename to windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png
diff --git a/windows/device-security/device-guard/images/dg-fig14-createnewfile.png b/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig14-createnewfile.png
rename to windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png
diff --git a/windows/device-security/device-guard/images/dg-fig15-setnewfileprops.png b/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig15-setnewfileprops.png
rename to windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png
diff --git a/windows/device-security/device-guard/images/dg-fig16-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig16-specifyinfo.png
rename to windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png
diff --git a/windows/device-security/device-guard/images/dg-fig17-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig17-specifyinfo.png
rename to windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png
diff --git a/windows/device-security/device-guard/images/dg-fig18-specifyux.png b/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig18-specifyux.png
rename to windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png
diff --git a/windows/device-security/device-guard/images/dg-fig19-customsettings.png b/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig19-customsettings.png
rename to windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png
diff --git a/windows/device-security/device-guard/images/dg-fig2-createou.png b/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig2-createou.png
rename to windows/security/threat-protection/device-guard/images/dg-fig2-createou.png
diff --git a/windows/device-security/device-guard/images/dg-fig20-setsoftwareinv.png b/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig20-setsoftwareinv.png
rename to windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png
diff --git a/windows/device-security/device-guard/images/dg-fig21-pathproperties.png b/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig21-pathproperties.png
rename to windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png
diff --git a/windows/device-security/device-guard/images/dg-fig22-deploycode.png b/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig22-deploycode.png
rename to windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png
diff --git a/windows/device-security/device-guard/images/dg-fig23-exceptionstocode.png b/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig23-exceptionstocode.png
rename to windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png
diff --git a/windows/device-security/device-guard/images/dg-fig24-creategpo.png b/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig24-creategpo.png
rename to windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png
diff --git a/windows/device-security/device-guard/images/dg-fig25-editcode.png b/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig25-editcode.png
rename to windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png
diff --git a/windows/device-security/device-guard/images/dg-fig26-enablecode.png b/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig26-enablecode.png
rename to windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png
diff --git a/windows/device-security/device-guard/images/dg-fig27-managecerttemp.png b/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig27-managecerttemp.png
rename to windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png
diff --git a/windows/device-security/device-guard/images/dg-fig29-enableconstraints.png b/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig29-enableconstraints.png
rename to windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png
diff --git a/windows/device-security/device-guard/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig3-enablevbs.png
rename to windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png
diff --git a/windows/device-security/device-guard/images/dg-fig30-selectnewcert.png b/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig30-selectnewcert.png
rename to windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png
diff --git a/windows/device-security/device-guard/images/dg-fig31-getmoreinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig31-getmoreinfo.png
rename to windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png
diff --git a/windows/device-security/device-guard/images/dg-fig5-createnewou.png b/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig5-createnewou.png
rename to windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png
diff --git a/windows/device-security/device-guard/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig6-enablevbs.png
rename to windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png
diff --git a/windows/device-security/device-guard/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig7-enablevbsofkmci.png
rename to windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png
diff --git a/windows/device-security/device-guard/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig8-createoulinked.png
rename to windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png
diff --git a/windows/device-security/device-guard/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png
similarity index 100%
rename from windows/device-security/device-guard/images/dg-fig9-enablevbs.png
rename to windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png
diff --git a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png b/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png
new file mode 100644
index 0000000000..9b423ea8ab
Binary files /dev/null and b/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png differ
diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
similarity index 94%
rename from windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
rename to windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 0e87f67867..a1b6bbcab8 100644
--- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -42,7 +42,7 @@ In this guide, you learn about the individual features found within Windows Defe
Prior to Windows 10, version 1709, Windows Defender Application Control (WDAC) was known as configurable code integrity policies.
-Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins).
+Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](steps-to-deploy-windows-defender-application-control.md#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
## Tools for managing Windows Defender Device Guard features
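Review bot: The replacement anchor on the plug-ins link is the full heading text ("#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules"), so any later rewording of that heading breaks this link without warning, whereas the old "#plug-ins" appears to have been a short explicit anchor. Consider keeping a short explicit anchor on the target heading in steps-to-deploy-windows-defender-application-control.md and linking to that instead.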
@@ -53,18 +53,18 @@ You can easily manage Windows Defender Device Guard features by using familiar e
- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable WDAC policies for your organization. Another template allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Windows Defender Device Guard features. In addition to these WDAC and hardware-based security features, you can use Group Policy to help you manage your catalog files.
- For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Windows Defender Device Guard features help protect against threats](#how-windows-defender-device-guard-features-help-protect-against-threats), earlier in this topic.
- - For information about using Group Policy as a deployment tool, see: [Deploy catalog files with Group Policy](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-group-policy) [Deploy and manage WDAC with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
+ - For information about using Group Policy as a deployment tool, see: [Deploy catalog files with Group Policy](deploy-catalog-files-to-support-windows-defender-application-control.md#deploy-catalog-files-with-group-policy) [Deploy and manage WDAC with Group Policy](steps-to-deploy-windows-defender-application-control.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
-- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, WDAC policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-system-center-configuration-manager).
+- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, WDAC policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-windows-defender-application-control.md#deploy-catalog-files-with-system-center-configuration-manager).
- **Microsoft Intune**. You can use Microsoft Intune to simplify deployment and management of WDAC policies, as well as provide version control. In a future release of Microsoft Intune, Microsoft is considering including features that will support the deployment and management of catalog files.
-- **Windows PowerShell**. You can use Windows PowerShell to create and service WDAC policies. For more information, see [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md).
+- **Windows PowerShell**. You can use Windows PowerShell to create and service WDAC policies. For more information, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
These options provide the same experience you're used to in order to manage your existing enterprise management solutions.
For more information about the deployment of Windows Defender Device Guard features, see:
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
- [Deploy virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
## Other features that relate to Windows Defender Device Guard
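Review bot: In the Group Policy bullet, the rewritten line beginning "For information about using Group Policy as a deployment tool, see:" places the "Deploy catalog files with Group Policy" and "Deploy and manage WDAC with Group Policy" links back to back with only a space between them. Since the line is being touched anyway, separate them with "and" or put each on its own sub-bullet so they read as two distinct references.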
diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
similarity index 95%
rename from windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
rename to windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
index 42a717bb3d..668316004b 100644
--- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
+++ b/windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
@@ -15,7 +15,7 @@ ms.date: 10/20/2017
- Windows 10
- Windows Server 2016
-As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md).
+As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md).
If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
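Review bot: The context line under the changed paragraph says signatures must be "PKCS 1.5 padded"; the scheme is PKCS #1 v1.5, and the wording is worth correcting while this file is open. The RSA-only restriction is also a hard requirement sitting in running text right after the introductory sentence, so consider moving it into a note callout where an administrator configuring the certificate template on an internal CA will see it.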
@@ -99,7 +99,7 @@ When the certificate has been exported, import it into the personal store for th
## Related topics
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/security/threat-protection/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
similarity index 81%
rename from windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
rename to windows/security/threat-protection/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
index 30e5408409..b2c2cb7926 100644
--- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/security/threat-protection/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -19,7 +19,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
## Planning
-1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard).
+1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard).
2. **Group devices by degree of control needed**. Group devices according to the table in [Windows Defender Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices? Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
@@ -33,42 +33,42 @@ This topic provides a roadmap for planning and getting started on the Windows De
- Is there already a list of accepted applications? A list of accepted applications can be used to help create a baseline WDAC policy. As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
- In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. You can also fine-tune your control by using Windows Defender Application Control in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#windows-defender-device-guard-with-applocker).
+ In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. You can also fine-tune your control by using Windows Defender Application Control in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#windows-defender-device-guard-with-applocker).
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
- Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md).
+ Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
-4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
+4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
## Getting started on the deployment process
-1. **Optionally, create a signing certificate for Windows Defender Application Control**. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+1. **Optionally, create a signing certificate for Windows Defender Application Control**. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
2. **Create WDAC policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly-distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing WDAC policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a WDAC policy, and decide how to manage that policy. You can merge WDAC policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. For more information, see:
- - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
- - [Deploy Windows Defender Application Control: steps](deploy-code-integrity-policies-steps.md)
+ - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
+ - [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
-3. **Audit the WDAC policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. For more information, see [Audit Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#audit-windows-defender-application-control-policies).
+3. **Audit the WDAC policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. For more information, see [Audit Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#audit-windows-defender-application-control-policies).
-4. **Create a “catalog file” for unsigned LOB applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. For more information, review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list, and see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md). In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy.
+4. **Create a “catalog file” for unsigned LOB applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. For more information, review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list, and see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy.
6. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a WDAC policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge WDAC policies from other sources also, for flexibility in how you create your final WDAC policies. For more information, see:
- - [Create a Windows Defender Application Control policy that captures audit information from the event log](deploy-code-integrity-policies-steps.md#create-a-windows-defender-application-control-policy-that-captures-audit-information-from-the-event-log)
- - [Merge Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#merge-windows-defender-application-control-policies)
+ - [Create a Windows Defender Application Control policy that captures audit information from the event log](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-that-captures-audit-information-from-the-event-log)
+ - [Merge Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#merge-windows-defender-application-control-policies)
7. **Deploy WDAC policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking WDAC policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and WDAC policies more broadly. For more information, see:
- - [Enforce Windows Defender Application Control policies](deploy-code-integrity-policies-steps.md#enforce-windows-defender-application-control-policies)
- - [Deploy and manage Windows Defender Application Control with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
+ - [Enforce Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#enforce-windows-defender-application-control-policies)
+ - [Deploy and manage Windows Defender Application Control with Group Policy](steps-to-deploy-windows-defender-application-control.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
-8. **Enable desired virtualization-based security (VBS) features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+8. **Enable desired virtualization-based security (VBS) features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
> [!WARNING]
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
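Review bot: In step 4 of "Getting started on the deployment process", the cross-reference "review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list" points at the wrong list. That item is step 4 of the planning list above the "## Getting started on the deployment process" heading, and the sentence itself sits in a step numbered 4, so the reader is sent to the step they are already reading. The line is already being rewritten for the link rename; reword it to "earlier in this topic" in the same change. The numbering shown here also runs 4, 6, 7, 8, so check whether a step was lost or the source numbers should be renumbered.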
diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
similarity index 98%
rename from windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
rename to windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 52e334ee8c..418d67676f 100644
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -23,7 +23,7 @@ The information in this article is intended for IT professionals, and provides a
To deploy Windows Defender Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
-For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md).
+For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md).
You can deploy Windows Defender Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
@@ -33,7 +33,7 @@ You can deploy Windows Defender Device Guard in phases, and plan these phases in
The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
> **Notes**
-> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: Windows Defender Application Control (WDAC), virtualization-based protection of code integrity, and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
+> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: Windows Defender Application Control (WDAC), virtualization-based protection of code integrity, and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
## Baseline protections
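Review bot: The changed Notes bullet still expands UEFI as "Universal Extensible Firmware Interface"; the name is Unified Extensible Firmware Interface. Since this line is being rewritten for the link rename anyway, correct the expansion in the same change.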
@@ -139,7 +139,7 @@ After you have created and signed your catalog files, you can configure your WDA
> **Note** Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
-For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md).
+For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
## Windows Defender Application Control policy formats and signing
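Review bot: The Package Inspector note directly above the changed line lists "Windows 2016 Server"; the product name is Windows Server 2016, which is how the "Applies to" list in steps-to-deploy-windows-defender-application-control.md writes it. That note tells the reader which editions the tool runs on, so the name should be exact; fix it while this section is open.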
@@ -152,6 +152,6 @@ When the WDAC policy is deployed, it restricts the software that can run on a de
## Related topics
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Windows Defender Application Control](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
similarity index 87%
rename from windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
rename to windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
index 2b14a66d3f..be8ccb2590 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
@@ -6,16 +6,16 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: brianlic-msft
-ms.date: 11/02/2017
+ms.date: 02/13/2018
---
-# Deploy Windows Defender Application Control: steps
+# Steps to Deploy Windows Defender Application Control
**Applies to**
- Windows 10
- Windows Server 2016
-For an overview of the process described in the following procedures, see [Deploy Windows Defender Application Control: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of Windows Defender Application Control (WDAC) fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+For an overview of the process described in the following procedures, see [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md). To understand how the deployment of Windows Defender Application Control (WDAC) fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
## Create a Windows Defender Application Control policy from a reference computer
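Review bot: The H1 is renamed to "Steps to Deploy Windows Defender Application Control", but links updated earlier in this same patch keep the old title as their link text, for example [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md). Update the link text together with the targets so the reader lands on a page whose title matches the link. Also consider sentence case ("Steps to deploy ...") to match the H2 headings in this file, such as "Create a Windows Defender Application Control policy from a reference computer".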
@@ -33,7 +33,7 @@ Each installed software application should be validated as trustworthy before yo
We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable.
Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts.
You can remove or disable such software on the reference computer.
-You can also fine-tune your control by [using Windows Defender Application Control in combination with AppLocker](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#windows-defender-device-guard-with-applocker).
+You can also fine-tune your control by [using Windows Defender Application Control in combination with AppLocker](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#windows-defender-device-guard-with-applocker).
Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
@@ -142,6 +142,12 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
+
+
+
+
+
@@ -392,7 +398,58 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -430,6 +487,12 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
+
+
+
+
+
@@ -678,6 +741,40 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -708,7 +805,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
- > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in “Deploy Windows Defender Application Control: policy rules and file rules.”
+ > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in “Deploy Windows Defender Application Control: policy rules and file rules.”
> - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
@@ -768,7 +865,7 @@ When WDAC policies are run in audit mode, it allows administrators to discover a
You will be reviewing the exceptions that appear in the event log, and making a list of any applications that should be allowed to run in your environment.
-6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your WDAC policy, this is a good time to create it. For information, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-code-integrity-policies.md).
+6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your WDAC policy, this is a good time to create it. For information, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in the event log. This is described in the next section.
@@ -780,7 +877,7 @@ Use the following procedure after you have been running a computer with a WDAC p
1. Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications.
- Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in "Deploy Windows Defender Application Control: policy rules and file rules."
+ Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in "Deploy Windows Defender Application Control: policy rules and file rules."
Your event log might also contain exceptions for applications that you eventually want your WDAC policy to block. If these appear, make a list of these also, for a later step in this procedure.
@@ -808,7 +905,7 @@ You can now use this file to update the existing WDAC policy that you ran in aud
> [!Note]
> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.
-## Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
+## Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
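Review bot: The removed and added H2 lines ("## Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules") read identically, so this is a whitespace-only edit, presumably a trailing or non-breaking space. Confirm it is intentional and that the generated heading anchor is unchanged, so inbound links to this section keep resolving.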
@@ -922,9 +1019,9 @@ With this in mind, it is much more difficult to remove signed WDAC policies.
Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](#audit-windows-defender-application-control-policies) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
-If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA.
+If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) to create one with your on-premises CA.
-Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#windows-defender-application-control-policy-rules) in "Deploy Windows Defender Application Control: policy rules and file rules."
+Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-policy-rules) in "Deploy Windows Defender Application Control: policy rules and file rules."
To sign a WDAC policy with SignTool.exe, you need the following components:
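Review bot: The sample command in the changed paragraph, `Set-RuleOption -FilePath -Option 9`, has no value after -FilePath, so it cannot be run as written; the placeholder for the policy file path appears to have been dropped. Restore it in a form that survives rendering (for instance the $CIPolicyPath variable that the signing steps below refer to, if that is the policy being signed). Since the paragraph asks for both options 9 and 10 to be enabled before first signing, show the command for option 10 as well. An administrator who skips these loses the troubleshooting path the paragraph is trying to preserve.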
@@ -934,7 +1031,7 @@ To sign a WDAC policy with SignTool.exe, you need the following components:
- An internal CA code signing certificate or a purchased code signing certificate
-If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
+If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
1. Initialize the variables that will be used:
@@ -947,7 +1044,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
> [!Note]
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
-2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
@@ -1056,43 +1153,43 @@ To deploy and manage a WDAC policy with Group Policy:
1. On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search.
-2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3.
+2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3.
> **Note** You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
- 
+ 
- Figure 3. Create a GPO
+ Figure 3. Create a GPO
-3. Name new GPO **Contoso GPO Test**. This example uses Contoso GPO Test as the name of the GPO. You can choose any name that you prefer for this example.
+3. Name the new GPO. You can choose any name.
4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
-5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
+5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
- 
+ 
- Figure 4. Edit the group policy for Windows Defender Application Control
+ Figure 4. Edit the Group Policy for Windows Defender Application Control
6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path.
- In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
+ In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
- > [!Note]
- > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
+ > [!Note]
+ > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
- 
+ 
- Figure 5. Enable the Windows Defender Application Control policy
+ Figure 5. Enable the Windows Defender Application Control policy
- > [!Note]
- > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
+ > [!Note]
+ > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy. For information about how to audit WDAC policies, see the [Audit Windows Defender Application Control policies](#audit-windows-defender-application-control-policies) section.
## Related topics
-[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
[Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
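Review bot: Step 2 no longer names an example OU, but the unchanged note directly under it still opens with "You can use any OU name", which now refers to nothing; drop that sentence or reword it to stand alone. Step 3 removes **Contoso GPO Test** in the same way, so it is worth confirming that the images for Figures 3 and 4 do not still show the removed names. While this list is being touched, the unchanged step 1 reads "On a domain controller on a client computer on which RSAT is installed", which looks like a missing "or", and the re-indented note's "Make your WDAC policies friendly" seems to be missing a word such as "names".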
diff --git a/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md
similarity index 98%
rename from windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
rename to windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md
index 4483edb168..158b2fede1 100644
--- a/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md
@@ -16,7 +16,7 @@ ms.date: 11/28/2017
- Windows 10
- Windows Server 2016
-Virtualization-based protection of code integrity (herein referred to as Hypervisor-protected Code Integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
+Virtualization-based protection of code integrity (herein referred to as hypervisor-protected code integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
Some applications, including device drivers, may be incompatible with HVCI.
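Review bot: The hunk header shows the front matter still at `ms.date: 11/28/2017`, and this is the only hunk for the file, so the date is left stale even though the body text changes and the file moves to a new path. The security-compliance-toolkit-10.md change in this same patch bumps its `ms.date` along with its content edit; do the same here for consistency.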
diff --git a/windows/device-security/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
similarity index 100%
rename from windows/device-security/get-support-for-security-baselines.md
rename to windows/security/threat-protection/get-support-for-security-baselines.md
diff --git a/windows/threat-protection/images/capi-gpo.png b/windows/security/threat-protection/images/capi-gpo.png
similarity index 100%
rename from windows/threat-protection/images/capi-gpo.png
rename to windows/security/threat-protection/images/capi-gpo.png
diff --git a/windows/device-security/images/community.png b/windows/security/threat-protection/images/community.png
similarity index 100%
rename from windows/device-security/images/community.png
rename to windows/security/threat-protection/images/community.png
diff --git a/windows/device-security/images/get-support.png b/windows/security/threat-protection/images/get-support.png
similarity index 100%
rename from windows/device-security/images/get-support.png
rename to windows/security/threat-protection/images/get-support.png
diff --git a/windows/threat-protection/images/gp-process-mitigation-options-bit-flag-image.png b/windows/security/threat-protection/images/gp-process-mitigation-options-bit-flag-image.png
similarity index 100%
rename from windows/threat-protection/images/gp-process-mitigation-options-bit-flag-image.png
rename to windows/security/threat-protection/images/gp-process-mitigation-options-bit-flag-image.png
diff --git a/windows/threat-protection/images/gp-process-mitigation-options-show.png b/windows/security/threat-protection/images/gp-process-mitigation-options-show.png
similarity index 100%
rename from windows/threat-protection/images/gp-process-mitigation-options-show.png
rename to windows/security/threat-protection/images/gp-process-mitigation-options-show.png
diff --git a/windows/threat-protection/images/gp-process-mitigation-options.png b/windows/security/threat-protection/images/gp-process-mitigation-options.png
similarity index 100%
rename from windows/threat-protection/images/gp-process-mitigation-options.png
rename to windows/security/threat-protection/images/gp-process-mitigation-options.png
diff --git a/windows/device-security/images/hva-fig1-endtoend1.png b/windows/security/threat-protection/images/hva-fig1-endtoend1.png
similarity index 100%
rename from windows/device-security/images/hva-fig1-endtoend1.png
rename to windows/security/threat-protection/images/hva-fig1-endtoend1.png
diff --git a/windows/device-security/images/hva-fig10-conditionalaccesscontrol.png b/windows/security/threat-protection/images/hva-fig10-conditionalaccesscontrol.png
similarity index 100%
rename from windows/device-security/images/hva-fig10-conditionalaccesscontrol.png
rename to windows/security/threat-protection/images/hva-fig10-conditionalaccesscontrol.png
diff --git a/windows/device-security/images/hva-fig11-office365.png b/windows/security/threat-protection/images/hva-fig11-office365.png
similarity index 100%
rename from windows/device-security/images/hva-fig11-office365.png
rename to windows/security/threat-protection/images/hva-fig11-office365.png
diff --git a/windows/device-security/images/hva-fig12-conditionalaccess12.png b/windows/security/threat-protection/images/hva-fig12-conditionalaccess12.png
similarity index 100%
rename from windows/device-security/images/hva-fig12-conditionalaccess12.png
rename to windows/security/threat-protection/images/hva-fig12-conditionalaccess12.png
diff --git a/windows/device-security/images/hva-fig2-assessfromcloud2.png b/windows/security/threat-protection/images/hva-fig2-assessfromcloud2.png
similarity index 100%
rename from windows/device-security/images/hva-fig2-assessfromcloud2.png
rename to windows/security/threat-protection/images/hva-fig2-assessfromcloud2.png
diff --git a/windows/device-security/images/hva-fig3-endtoendoverview3.png b/windows/security/threat-protection/images/hva-fig3-endtoendoverview3.png
similarity index 100%
rename from windows/device-security/images/hva-fig3-endtoendoverview3.png
rename to windows/security/threat-protection/images/hva-fig3-endtoendoverview3.png
diff --git a/windows/device-security/images/hva-fig4-hardware.png b/windows/security/threat-protection/images/hva-fig4-hardware.png
similarity index 100%
rename from windows/device-security/images/hva-fig4-hardware.png
rename to windows/security/threat-protection/images/hva-fig4-hardware.png
diff --git a/windows/device-security/images/hva-fig5-virtualbasedsecurity.png b/windows/security/threat-protection/images/hva-fig5-virtualbasedsecurity.png
similarity index 100%
rename from windows/device-security/images/hva-fig5-virtualbasedsecurity.png
rename to windows/security/threat-protection/images/hva-fig5-virtualbasedsecurity.png
diff --git a/windows/device-security/images/hva-fig6-logs.png b/windows/security/threat-protection/images/hva-fig6-logs.png
similarity index 100%
rename from windows/device-security/images/hva-fig6-logs.png
rename to windows/security/threat-protection/images/hva-fig6-logs.png
diff --git a/windows/device-security/images/hva-fig7-measurement.png b/windows/security/threat-protection/images/hva-fig7-measurement.png
similarity index 100%
rename from windows/device-security/images/hva-fig7-measurement.png
rename to windows/security/threat-protection/images/hva-fig7-measurement.png
diff --git a/windows/device-security/images/hva-fig8-evaldevicehealth8.png b/windows/security/threat-protection/images/hva-fig8-evaldevicehealth8.png
similarity index 100%
rename from windows/device-security/images/hva-fig8-evaldevicehealth8.png
rename to windows/security/threat-protection/images/hva-fig8-evaldevicehealth8.png
diff --git a/windows/device-security/images/hva-fig8a-healthattest8a.png b/windows/security/threat-protection/images/hva-fig8a-healthattest8a.png
similarity index 100%
rename from windows/device-security/images/hva-fig8a-healthattest8a.png
rename to windows/security/threat-protection/images/hva-fig8a-healthattest8a.png
diff --git a/windows/device-security/images/hva-fig9-intune.png b/windows/security/threat-protection/images/hva-fig9-intune.png
similarity index 100%
rename from windows/device-security/images/hva-fig9-intune.png
rename to windows/security/threat-protection/images/hva-fig9-intune.png
diff --git a/windows/device-security/images/mobile-security-guide-fig1.png b/windows/security/threat-protection/images/mobile-security-guide-fig1.png
similarity index 100%
rename from windows/device-security/images/mobile-security-guide-fig1.png
rename to windows/security/threat-protection/images/mobile-security-guide-fig1.png
diff --git a/windows/device-security/images/mobile-security-guide-fig2.png b/windows/security/threat-protection/images/mobile-security-guide-fig2.png
similarity index 100%
rename from windows/device-security/images/mobile-security-guide-fig2.png
rename to windows/security/threat-protection/images/mobile-security-guide-fig2.png
diff --git a/windows/device-security/images/mobile-security-guide-figure3.png b/windows/security/threat-protection/images/mobile-security-guide-figure3.png
similarity index 100%
rename from windows/device-security/images/mobile-security-guide-figure3.png
rename to windows/security/threat-protection/images/mobile-security-guide-figure3.png
diff --git a/windows/device-security/images/mobile-security-guide-figure4.png b/windows/security/threat-protection/images/mobile-security-guide-figure4.png
similarity index 100%
rename from windows/device-security/images/mobile-security-guide-figure4.png
rename to windows/security/threat-protection/images/mobile-security-guide-figure4.png
diff --git a/windows/threat-protection/images/runkey.png b/windows/security/threat-protection/images/runkey.png
similarity index 100%
rename from windows/threat-protection/images/runkey.png
rename to windows/security/threat-protection/images/runkey.png
diff --git a/windows/threat-protection/images/runoncekey.png b/windows/security/threat-protection/images/runoncekey.png
similarity index 100%
rename from windows/threat-protection/images/runoncekey.png
rename to windows/security/threat-protection/images/runoncekey.png
diff --git a/windows/device-security/images/security-compliance-toolkit-1.png b/windows/security/threat-protection/images/security-compliance-toolkit-1.png
similarity index 100%
rename from windows/device-security/images/security-compliance-toolkit-1.png
rename to windows/security/threat-protection/images/security-compliance-toolkit-1.png
diff --git a/windows/threat-protection/images/security-fig4-aslr.png b/windows/security/threat-protection/images/security-fig4-aslr.png
similarity index 100%
rename from windows/threat-protection/images/security-fig4-aslr.png
rename to windows/security/threat-protection/images/security-fig4-aslr.png
diff --git a/windows/threat-protection/images/security-fig5-dep.png b/windows/security/threat-protection/images/security-fig5-dep.png
similarity index 100%
rename from windows/threat-protection/images/security-fig5-dep.png
rename to windows/security/threat-protection/images/security-fig5-dep.png
diff --git a/windows/threat-protection/images/security-update.png b/windows/security/threat-protection/images/security-update.png
similarity index 100%
rename from windows/threat-protection/images/security-update.png
rename to windows/security/threat-protection/images/security-update.png
diff --git a/windows/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png b/windows/security/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png
similarity index 100%
rename from windows/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png
rename to windows/security/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png
diff --git a/windows/device-security/images/tpm-capabilities.png b/windows/security/threat-protection/images/tpm-capabilities.png
similarity index 100%
rename from windows/device-security/images/tpm-capabilities.png
rename to windows/security/threat-protection/images/tpm-capabilities.png
diff --git a/windows/device-security/images/tpm-remote-attestation.png b/windows/security/threat-protection/images/tpm-remote-attestation.png
similarity index 100%
rename from windows/device-security/images/tpm-remote-attestation.png
rename to windows/security/threat-protection/images/tpm-remote-attestation.png
diff --git a/windows/device-security/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/images/turn-windows-features-on-or-off.png
similarity index 100%
rename from windows/device-security/images/turn-windows-features-on-or-off.png
rename to windows/security/threat-protection/images/turn-windows-features-on-or-off.png
diff --git a/windows/threat-protection/images/wanna1.png b/windows/security/threat-protection/images/wanna1.png
similarity index 100%
rename from windows/threat-protection/images/wanna1.png
rename to windows/security/threat-protection/images/wanna1.png
diff --git a/windows/threat-protection/images/wanna2.png b/windows/security/threat-protection/images/wanna2.png
similarity index 100%
rename from windows/threat-protection/images/wanna2.png
rename to windows/security/threat-protection/images/wanna2.png
diff --git a/windows/threat-protection/images/wanna3.png b/windows/security/threat-protection/images/wanna3.png
similarity index 100%
rename from windows/threat-protection/images/wanna3.png
rename to windows/security/threat-protection/images/wanna3.png
diff --git a/windows/threat-protection/images/wanna4.png b/windows/security/threat-protection/images/wanna4.png
similarity index 100%
rename from windows/threat-protection/images/wanna4.png
rename to windows/security/threat-protection/images/wanna4.png
diff --git a/windows/threat-protection/images/wanna5.png b/windows/security/threat-protection/images/wanna5.png
similarity index 100%
rename from windows/threat-protection/images/wanna5.png
rename to windows/security/threat-protection/images/wanna5.png
diff --git a/windows/threat-protection/images/wanna6.png b/windows/security/threat-protection/images/wanna6.png
similarity index 100%
rename from windows/threat-protection/images/wanna6.png
rename to windows/security/threat-protection/images/wanna6.png
diff --git a/windows/threat-protection/images/wanna7.png b/windows/security/threat-protection/images/wanna7.png
similarity index 100%
rename from windows/threat-protection/images/wanna7.png
rename to windows/security/threat-protection/images/wanna7.png
diff --git a/windows/threat-protection/images/wanna8.png b/windows/security/threat-protection/images/wanna8.png
similarity index 100%
rename from windows/threat-protection/images/wanna8.png
rename to windows/security/threat-protection/images/wanna8.png
diff --git a/windows/threat-protection/images/wef-client-config.png b/windows/security/threat-protection/images/wef-client-config.png
similarity index 100%
rename from windows/threat-protection/images/wef-client-config.png
rename to windows/security/threat-protection/images/wef-client-config.png
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
new file mode 100644
index 0000000000..eb51bd3da1
--- /dev/null
+++ b/windows/security/threat-protection/index.md
@@ -0,0 +1,28 @@
+---
+title: Threat Protection (Windows 10)
+description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 02/05/2018
+---
+
+# Threat Protection
+
+Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
+
+| Section | Description |
+|-|-|
+|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
+|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
+|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
+|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
+|[Windows Defender Application Control](enable-virtualization-based-protection-of-code-integrity.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
+|[Enable HVCI](windows-defender-application-control.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
+|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
+|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
+|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
+|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) |Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
+|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. |
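Review bot: The link targets in two table rows look swapped: "Windows Defender Application Control" points to `enable-virtualization-based-protection-of-code-integrity.md`, while "Enable HVCI" points to `windows-defender-application-control.md`. This patch renames the HVCI topic to `enable-virtualization-based-protection-of-code-integrity.md`, so that file should back the "Enable HVCI" row and `windows-defender-application-control.md` should back the WDAC row. As written, a reader looking for application control guidance lands on the HVCI page and vice versa.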
diff --git a/windows/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
similarity index 100%
rename from windows/threat-protection/override-mitigation-options-for-app-related-security-policies.md
rename to windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
diff --git a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
similarity index 100%
rename from windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
rename to windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
diff --git a/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
similarity index 100%
rename from windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
rename to windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
diff --git a/windows/device-security/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
similarity index 97%
rename from windows/device-security/security-compliance-toolkit-10.md
rename to windows/security/threat-protection/security-compliance-toolkit-10.md
index 06f04138ac..28676d4b1b 100644
--- a/windows/device-security/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.author: sagaudre
author: brianlic-msft
-ms.date: 10/16/2017
+ms.date: 02/16/2018
---
# Microsoft Security Compliance Toolkit 1.0
@@ -32,6 +32,9 @@ The Security Compliance Toolkit consists of:
- Windows Server 2016
- Windows Server 2012 R2
+- Microsoft Office Security Baselines
+ - Office 2016
+
- Tools
- Policy Analyzer tool
- Local Group Policy Object (LGPO) tool
diff --git a/windows/device-security/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
similarity index 100%
rename from windows/device-security/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
rename to windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
diff --git a/windows/device-security/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
similarity index 100%
rename from windows/device-security/security-policy-settings/access-this-computer-from-the-network.md
rename to windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
diff --git a/windows/device-security/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
similarity index 100%
rename from windows/device-security/security-policy-settings/account-lockout-duration.md
rename to windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
diff --git a/windows/device-security/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
similarity index 100%
rename from windows/device-security/security-policy-settings/account-lockout-policy.md
rename to windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
diff --git a/windows/device-security/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
similarity index 100%
rename from windows/device-security/security-policy-settings/account-lockout-threshold.md
rename to windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
diff --git a/windows/device-security/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md
similarity index 100%
rename from windows/device-security/security-policy-settings/account-policies.md
rename to windows/security/threat-protection/security-policy-settings/account-policies.md
diff --git a/windows/device-security/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
similarity index 100%
rename from windows/device-security/security-policy-settings/accounts-administrator-account-status.md
rename to windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
diff --git a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
similarity index 100%
rename from windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
rename to windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
diff --git a/windows/device-security/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
similarity index 100%
rename from windows/device-security/security-policy-settings/accounts-guest-account-status.md
rename to windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
diff --git a/windows/device-security/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
similarity index 100%
rename from windows/device-security/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
rename to windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
diff --git a/windows/device-security/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
similarity index 100%
rename from windows/device-security/security-policy-settings/accounts-rename-administrator-account.md
rename to windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
diff --git a/windows/device-security/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
similarity index 100%
rename from windows/device-security/security-policy-settings/accounts-rename-guest-account.md
rename to windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
diff --git a/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
similarity index 100%
rename from windows/device-security/security-policy-settings/act-as-part-of-the-operating-system.md
rename to windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
diff --git a/windows/device-security/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
similarity index 100%
rename from windows/device-security/security-policy-settings/add-workstations-to-domain.md
rename to windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
diff --git a/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
similarity index 100%
rename from windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process.md
rename to windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
diff --git a/windows/device-security/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
similarity index 100%
rename from windows/device-security/security-policy-settings/administer-security-policy-settings.md
rename to windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
diff --git a/windows/device-security/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
similarity index 100%
rename from windows/device-security/security-policy-settings/allow-log-on-locally.md
rename to windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
diff --git a/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
similarity index 100%
rename from windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services.md
rename to windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
diff --git a/windows/device-security/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
similarity index 100%
rename from windows/device-security/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
rename to windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
diff --git a/windows/device-security/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
similarity index 100%
rename from windows/device-security/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
rename to windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
diff --git a/windows/device-security/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
similarity index 100%
rename from windows/device-security/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
rename to windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
diff --git a/windows/device-security/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md
similarity index 100%
rename from windows/device-security/security-policy-settings/audit-policy.md
rename to windows/security/threat-protection/security-policy-settings/audit-policy.md
diff --git a/windows/device-security/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
similarity index 100%
rename from windows/device-security/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
rename to windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
diff --git a/windows/device-security/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
similarity index 100%
rename from windows/device-security/security-policy-settings/back-up-files-and-directories.md
rename to windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
diff --git a/windows/device-security/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
similarity index 100%
rename from windows/device-security/security-policy-settings/bypass-traverse-checking.md
rename to windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
diff --git a/windows/device-security/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
similarity index 100%
rename from windows/device-security/security-policy-settings/change-the-system-time.md
rename to windows/security/threat-protection/security-policy-settings/change-the-system-time.md
diff --git a/windows/device-security/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
similarity index 100%
rename from windows/device-security/security-policy-settings/change-the-time-zone.md
rename to windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
diff --git a/windows/device-security/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
similarity index 100%
rename from windows/device-security/security-policy-settings/create-a-pagefile.md
rename to windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
diff --git a/windows/device-security/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
similarity index 100%
rename from windows/device-security/security-policy-settings/create-a-token-object.md
rename to windows/security/threat-protection/security-policy-settings/create-a-token-object.md
diff --git a/windows/device-security/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
similarity index 100%
rename from windows/device-security/security-policy-settings/create-global-objects.md
rename to windows/security/threat-protection/security-policy-settings/create-global-objects.md
diff --git a/windows/device-security/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
similarity index 100%
rename from windows/device-security/security-policy-settings/create-permanent-shared-objects.md
rename to windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
diff --git a/windows/device-security/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
similarity index 100%
rename from windows/device-security/security-policy-settings/create-symbolic-links.md
rename to windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
diff --git a/windows/device-security/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
similarity index 100%
rename from windows/device-security/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
rename to windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
diff --git a/windows/device-security/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
similarity index 100%
rename from windows/device-security/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
rename to windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
diff --git a/windows/device-security/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md
similarity index 100%
rename from windows/device-security/security-policy-settings/debug-programs.md
rename to windows/security/threat-protection/security-policy-settings/debug-programs.md
diff --git a/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
similarity index 100%
rename from windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network.md
rename to windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
diff --git a/windows/device-security/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
similarity index 100%
rename from windows/device-security/security-policy-settings/deny-log-on-as-a-batch-job.md
rename to windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
diff --git a/windows/device-security/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
similarity index 100%
rename from windows/device-security/security-policy-settings/deny-log-on-as-a-service.md
rename to windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
diff --git a/windows/device-security/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
similarity index 100%
rename from windows/device-security/security-policy-settings/deny-log-on-locally.md
rename to windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
diff --git a/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
similarity index 100%
rename from windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services.md
rename to windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
diff --git a/windows/device-security/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
similarity index 100%
rename from windows/device-security/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
rename to windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
diff --git a/windows/device-security/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
similarity index 100%
rename from windows/device-security/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
rename to windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
diff --git a/windows/device-security/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
similarity index 100%
rename from windows/device-security/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
rename to windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
diff --git a/windows/device-security/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
similarity index 100%
rename from windows/device-security/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
rename to windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
diff --git a/windows/device-security/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
similarity index 100%
rename from windows/device-security/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
rename to windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
diff --git a/windows/device-security/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
rename to windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
diff --git a/windows/device-security/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
rename to windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
diff --git a/windows/device-security/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
rename to windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
diff --git a/windows/device-security/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
rename to windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
diff --git a/windows/device-security/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
rename to windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
diff --git a/windows/device-security/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
rename to windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
diff --git a/windows/device-security/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-member-disable-machine-account-password-changes.md
rename to windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
diff --git a/windows/device-security/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-member-maximum-machine-account-password-age.md
rename to windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
diff --git a/windows/device-security/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
similarity index 100%
rename from windows/device-security/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
rename to windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
diff --git a/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
similarity index 100%
rename from windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
rename to windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
diff --git a/windows/device-security/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
similarity index 100%
rename from windows/device-security/security-policy-settings/enforce-password-history.md
rename to windows/security/threat-protection/security-policy-settings/enforce-password-history.md
diff --git a/windows/device-security/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
similarity index 100%
rename from windows/device-security/security-policy-settings/enforce-user-logon-restrictions.md
rename to windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
diff --git a/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
similarity index 100%
rename from windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system.md
rename to windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
diff --git a/windows/device-security/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
similarity index 100%
rename from windows/device-security/security-policy-settings/generate-security-audits.md
rename to windows/security/threat-protection/security-policy-settings/generate-security-audits.md
diff --git a/windows/device-security/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
similarity index 100%
rename from windows/device-security/security-policy-settings/how-to-configure-security-policy-settings.md
rename to windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
diff --git a/windows/device-security/security-policy-settings/images/privacy-setting-in-sign-in-options.png b/windows/security/threat-protection/security-policy-settings/images/privacy-setting-in-sign-in-options.png
similarity index 100%
rename from windows/device-security/security-policy-settings/images/privacy-setting-in-sign-in-options.png
rename to windows/security/threat-protection/security-policy-settings/images/privacy-setting-in-sign-in-options.png
diff --git a/windows/device-security/security-policy-settings/images/secpol-architecture.gif b/windows/security/threat-protection/security-policy-settings/images/secpol-architecture.gif
similarity index 100%
rename from windows/device-security/security-policy-settings/images/secpol-architecture.gif
rename to windows/security/threat-protection/security-policy-settings/images/secpol-architecture.gif
diff --git a/windows/device-security/security-policy-settings/images/secpol-components.gif b/windows/security/threat-protection/security-policy-settings/images/secpol-components.gif
similarity index 100%
rename from windows/device-security/security-policy-settings/images/secpol-components.gif
rename to windows/security/threat-protection/security-policy-settings/images/secpol-components.gif
diff --git a/windows/device-security/security-policy-settings/images/secpol-multigpomerge.gif b/windows/security/threat-protection/security-policy-settings/images/secpol-multigpomerge.gif
similarity index 100%
rename from windows/device-security/security-policy-settings/images/secpol-multigpomerge.gif
rename to windows/security/threat-protection/security-policy-settings/images/secpol-multigpomerge.gif
diff --git a/windows/device-security/security-policy-settings/images/secpol-processes.gif b/windows/security/threat-protection/security-policy-settings/images/secpol-processes.gif
similarity index 100%
rename from windows/device-security/security-policy-settings/images/secpol-processes.gif
rename to windows/security/threat-protection/security-policy-settings/images/secpol-processes.gif
diff --git a/windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png
similarity index 100%
rename from windows/device-security/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png
rename to windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png
diff --git a/windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png
similarity index 100%
rename from windows/device-security/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png
rename to windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png
diff --git a/windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png
similarity index 100%
rename from windows/device-security/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png
rename to windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png
diff --git a/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
similarity index 100%
rename from windows/device-security/security-policy-settings/impersonate-a-client-after-authentication.md
rename to windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
diff --git a/windows/device-security/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
similarity index 100%
rename from windows/device-security/security-policy-settings/increase-a-process-working-set.md
rename to windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
diff --git a/windows/device-security/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
similarity index 100%
rename from windows/device-security/security-policy-settings/increase-scheduling-priority.md
rename to windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-machine-inactivity-limit.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
similarity index 97%
rename from windows/device-security/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index 86e3a1b15f..b32948c986 100644
--- a/windows/device-security/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -34,7 +34,7 @@ The **Interactive logon: Prompt user to change password before expiration** poli
### Location
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
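Review bot: The new Location line adds a `Policies` node, which matches what the Group Policy Management Editor shows for a domain GPO but not the Local Group Policy Editor, where the path starts at Computer Configuration\Windows Settings. State which console the path refers to, or give both forms. This is also the only content change among the surrounding security-policy-settings moves (similarity index 97% here, 100% for the neighbouring files), so any sibling page that carries the same Location line will now disagree with this one. Consider moving the wording change into its own commit and applying it consistently across the folder.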
diff --git a/windows/device-security/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-require-smart-card.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
diff --git a/windows/device-security/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
similarity index 100%
rename from windows/device-security/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
rename to windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
diff --git a/windows/device-security/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
similarity index 100%
rename from windows/device-security/security-policy-settings/kerberos-policy.md
rename to windows/security/threat-protection/security-policy-settings/kerberos-policy.md
diff --git a/windows/device-security/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
similarity index 100%
rename from windows/device-security/security-policy-settings/load-and-unload-device-drivers.md
rename to windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
diff --git a/windows/device-security/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
similarity index 100%
rename from windows/device-security/security-policy-settings/lock-pages-in-memory.md
rename to windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
diff --git a/windows/device-security/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
similarity index 100%
rename from windows/device-security/security-policy-settings/log-on-as-a-batch-job.md
rename to windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
diff --git a/windows/device-security/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
similarity index 100%
rename from windows/device-security/security-policy-settings/log-on-as-a-service.md
rename to windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
diff --git a/windows/device-security/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
similarity index 100%
rename from windows/device-security/security-policy-settings/manage-auditing-and-security-log.md
rename to windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
diff --git a/windows/device-security/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
similarity index 100%
rename from windows/device-security/security-policy-settings/maximum-lifetime-for-service-ticket.md
rename to windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
diff --git a/windows/device-security/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
similarity index 100%
rename from windows/device-security/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
rename to windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
diff --git a/windows/device-security/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
similarity index 100%
rename from windows/device-security/security-policy-settings/maximum-lifetime-for-user-ticket.md
rename to windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
diff --git a/windows/device-security/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
similarity index 100%
rename from windows/device-security/security-policy-settings/maximum-password-age.md
rename to windows/security/threat-protection/security-policy-settings/maximum-password-age.md
diff --git a/windows/device-security/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
similarity index 100%
rename from windows/device-security/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
rename to windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
diff --git a/windows/device-security/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
similarity index 100%
rename from windows/device-security/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
rename to windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
diff --git a/windows/device-security/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
similarity index 100%
rename from windows/device-security/security-policy-settings/minimum-password-age.md
rename to windows/security/threat-protection/security-policy-settings/minimum-password-age.md
diff --git a/windows/device-security/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
similarity index 100%
rename from windows/device-security/security-policy-settings/minimum-password-length.md
rename to windows/security/threat-protection/security-policy-settings/minimum-password-length.md
diff --git a/windows/device-security/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
similarity index 100%
rename from windows/device-security/security-policy-settings/modify-an-object-label.md
rename to windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
diff --git a/windows/device-security/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
similarity index 100%
rename from windows/device-security/security-policy-settings/modify-firmware-environment-values.md
rename to windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
diff --git a/windows/device-security/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
rename to windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
diff --git a/windows/device-security/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
rename to windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
diff --git a/windows/device-security/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
rename to windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
diff --git a/windows/device-security/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
rename to windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
diff --git a/windows/device-security/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
rename to windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
diff --git a/windows/device-security/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
rename to windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
diff --git a/windows/device-security/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
rename to windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
diff --git a/windows/device-security/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-remotely-accessible-registry-paths.md
rename to windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
diff --git a/windows/device-security/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
rename to windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
rename to windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
diff --git a/windows/device-security/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
rename to windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
diff --git a/windows/device-security/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
rename to windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
diff --git a/windows/device-security/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-list-manager-policies.md
rename to windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
diff --git a/windows/device-security/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
rename to windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
diff --git a/windows/device-security/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
rename to windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
diff --git a/windows/device-security/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
rename to windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
diff --git a/windows/device-security/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
rename to windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
diff --git a/windows/device-security/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
rename to windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
diff --git a/windows/device-security/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
rename to windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
diff --git a/windows/device-security/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-lan-manager-authentication-level.md
rename to windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
diff --git a/windows/device-security/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-ldap-client-signing-requirements.md
rename to windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
diff --git a/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
rename to windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
diff --git a/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
rename to windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
diff --git a/windows/device-security/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
rename to windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
diff --git a/windows/device-security/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
rename to windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
diff --git a/windows/device-security/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
rename to windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
diff --git a/windows/device-security/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
rename to windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
diff --git a/windows/device-security/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
rename to windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
diff --git a/windows/device-security/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
rename to windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
diff --git a/windows/device-security/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
similarity index 100%
rename from windows/device-security/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
rename to windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
diff --git a/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
similarity index 100%
rename from windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md
rename to windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
diff --git a/windows/device-security/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
similarity index 100%
rename from windows/device-security/security-policy-settings/password-policy.md
rename to windows/security/threat-protection/security-policy-settings/password-policy.md
diff --git a/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
similarity index 100%
rename from windows/device-security/security-policy-settings/perform-volume-maintenance-tasks.md
rename to windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
diff --git a/windows/device-security/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
similarity index 100%
rename from windows/device-security/security-policy-settings/profile-single-process.md
rename to windows/security/threat-protection/security-policy-settings/profile-single-process.md
diff --git a/windows/device-security/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
similarity index 100%
rename from windows/device-security/security-policy-settings/profile-system-performance.md
rename to windows/security/threat-protection/security-policy-settings/profile-system-performance.md
diff --git a/windows/device-security/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
similarity index 100%
rename from windows/device-security/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
rename to windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
diff --git a/windows/device-security/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
similarity index 100%
rename from windows/device-security/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
rename to windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
diff --git a/windows/device-security/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
similarity index 100%
rename from windows/device-security/security-policy-settings/remove-computer-from-docking-station.md
rename to windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
diff --git a/windows/device-security/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
similarity index 100%
rename from windows/device-security/security-policy-settings/replace-a-process-level-token.md
rename to windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
diff --git a/windows/device-security/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
similarity index 100%
rename from windows/device-security/security-policy-settings/reset-account-lockout-counter-after.md
rename to windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
diff --git a/windows/device-security/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
similarity index 100%
rename from windows/device-security/security-policy-settings/restore-files-and-directories.md
rename to windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
diff --git a/windows/device-security/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
similarity index 100%
rename from windows/device-security/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
rename to windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
diff --git a/windows/device-security/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
similarity index 100%
rename from windows/device-security/security-policy-settings/security-options.md
rename to windows/security/threat-protection/security-policy-settings/security-options.md
diff --git a/windows/device-security/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
similarity index 100%
rename from windows/device-security/security-policy-settings/security-policy-settings-reference.md
rename to windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
diff --git a/windows/device-security/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
similarity index 100%
rename from windows/device-security/security-policy-settings/security-policy-settings.md
rename to windows/security/threat-protection/security-policy-settings/security-policy-settings.md
diff --git a/windows/device-security/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
similarity index 100%
rename from windows/device-security/security-policy-settings/shut-down-the-system.md
rename to windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
diff --git a/windows/device-security/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
similarity index 100%
rename from windows/device-security/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
rename to windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
diff --git a/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
similarity index 100%
rename from windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
rename to windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
diff --git a/windows/device-security/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
similarity index 100%
rename from windows/device-security/security-policy-settings/store-passwords-using-reversible-encryption.md
rename to windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
diff --git a/windows/device-security/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
similarity index 100%
rename from windows/device-security/security-policy-settings/synchronize-directory-service-data.md
rename to windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
diff --git a/windows/device-security/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
similarity index 100%
rename from windows/device-security/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
rename to windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
diff --git a/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
similarity index 100%
rename from windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
rename to windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
diff --git a/windows/device-security/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
similarity index 100%
rename from windows/device-security/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
rename to windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
diff --git a/windows/device-security/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
similarity index 100%
rename from windows/device-security/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
rename to windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
diff --git a/windows/device-security/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
similarity index 100%
rename from windows/device-security/security-policy-settings/system-settings-optional-subsystems.md
rename to windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
diff --git a/windows/device-security/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
similarity index 100%
rename from windows/device-security/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
rename to windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
diff --git a/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
similarity index 100%
rename from windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects.md
rename to windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
diff --git a/windows/device-security/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
rename to windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
diff --git a/windows/device-security/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
similarity index 100%
rename from windows/device-security/security-policy-settings/user-rights-assignment.md
rename to windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
diff --git a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
similarity index 99%
rename from windows/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
rename to windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 6ab49143bd..75dda71497 100644
--- a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: tedhardyMSFT
-ms.date: 10/27/2017
+ms.date: 02/16/2018
---
# Use Windows Event Forwarding to help with intrusion detection
@@ -636,9 +636,9 @@ Here are the minimum steps for WEF to operate:
-
+
-
+
```
diff --git a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
similarity index 97%
rename from windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
rename to windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
index 4c6000558a..6e8c26d829 100644
--- a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
+++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
@@ -17,7 +17,7 @@ ms.date: 07/27/2017
On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) if they have not already done so.
-Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
+Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
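Review bot: In the changed paragraph, swapping "telemetry" for "diagnostic data" leaves the sentence "Microsoft antimalware diagnostic data immediately picked up signs of this campaign", which reads as a mechanical substitution because data does not pick anything up. Consider rewording, for example "Signs of this campaign appeared immediately in Microsoft antimalware diagnostic data". The hunk header context also still shows ms.date: 07/27/2017 for this file, while other articles edited in this commit have their ms.date bumped. Update it here too if the date is meant to track content changes.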
diff --git a/windows/device-security/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
similarity index 100%
rename from windows/device-security/windows-10-mobile-security-guide.md
rename to windows/security/threat-protection/windows-10-mobile-security-guide.md
diff --git a/windows/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
rename to windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
similarity index 83%
rename from windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index ad3743b16b..09fefe72e5 100644
--- a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender AV reference for management tools
-description: Learn how Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line can be used to manage Windows Defender AV
+title: Manage Windows Defender AV in your business
+description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line to manage Windows Defender AV
keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
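Review bot: The rewritten description line still carries the typo "comman line" from the old text. Since the line is being replaced anyway, correct it to "command line" in the same change. The new title and description no longer describe a reference page, but the file keeps the name configuration-management-reference-windows-defender-antivirus.md. That is fine if the URL has to stay stable, though a one-line mention in the commit message would help.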
@@ -9,12 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 03/01/2018
---
-# Reference topics for management and configuration tools
+# Manage Windows Defender AV in your business
**Applies to:**
@@ -24,7 +24,7 @@ ms.date: 08/26/2017
- Enterprise security administrators
-Windows Defender Antivirus can be managed and configured with the following tools:
+You can manage and configure Windows Defender Antivirus with the following tools:
- Group Policy
- System Center Configuration Manager and Microsoft Intune
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
similarity index 93%
rename from windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 84a88683e7..7efd232814 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 11/20/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 02/08/2018
---
@@ -38,7 +38,9 @@ Block at first sight is a feature of Windows Defender Antivirus cloud-delivered
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.
-You can also [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file.
+You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file.
+
+You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
> [!IMPORTANT]
> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.
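Review bot: The added paragraph links to the customize-contact-information topic with an absolute, locale-pinned URL (https://docs.microsoft.com/en-us/...), while the sentence directly above it links to a sibling topic by relative .md path. Use a relative link to the topic's .md file here as well, so that the build validates the link, the reader's locale is respected, and the link survives the next folder move of the kind this commit performs.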
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
similarity index 96%
rename from windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 1a68cfc212..f44c485e39 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -133,10 +133,10 @@ https://msdl.microsoft.com/download/symbols
Universal Telemetry Client
-Used by Windows to send client telemetry, Windows Defender Antivirus uses this for product quality monitoring purposes
+Used by Windows to send client diagnostic data, Windows Defender Antivirus uses this for product quality monitoring purposes
-This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints:
vortex-win.data.microsoft.com
settings-win.data.microsoft.com
+This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
vortex-win.data.microsoft.com
settings-win.data.microsoft.com
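Review bot: The added sentence "This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:" keeps the dangling clause from the old text, so it reads as if Microsoft, not the client, uses the endpoints. Since the line is being touched anyway, reword the ending to something like "... to Microsoft, using the following DNS endpoints:". The other added line, "Used by Windows to send client diagnostic data, Windows Defender Antivirus uses this for product quality monitoring purposes", is a comma splice with no closing period and should be split into two sentences. The row title still says "Universal Telemetry Client" while the body now says "diagnostic data"; please confirm the title is a product name that is meant to stay.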
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
similarity index 98%
rename from windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index 96199b29be..ab4cd78ac7 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure always-on real-time protection in Windows Defender AV
-description: Enable and configure real-time protectoin features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV
+description: Enable and configure real-time protection features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV
keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -100,4 +100,4 @@ The main real-time protection capability is enabled by default, but you can disa
## Related topics
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
rename to windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
diff --git a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
similarity index 97%
rename from windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 0ba067be64..a45301b39d 100644
--- a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -86,7 +86,15 @@ First, you should create your base image according to your business needs, apply
After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
### Seal the base image
-When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
+When the base image is fully updated, you should run a quick scan on the image.
+
+After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here:
+
+'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT'
+
+Remove the string found in the 'GUID' value
+
+This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
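Review bot: The added GUID-removal step under "Seal the base image" is ambiguous about what to delete: "Remove the string found in the 'GUID' value" could mean clearing the value's data or deleting the value itself, and anyone scripting this against a base image needs to know which. The step also names the "Microsoft Security Removal Tool", while the key it points at is "RemovalTools\MRT"; MRT is the Malicious Software Removal Tool, so the product name should be checked. "buliding" is a typo for "building". The new text says "telemetry" although the same change set replaces that word with "diagnostic data" in configure-network-connections. Inserting the step here separates "run a quick scan" from the sentence "This "sealing" or "locking" of the image helps Windows Defender AV build a cache", so "This" now appears to refer to the GUID removal; keep the sealing sentence next to the scan sentence and put the GUID step after both. The registry path and the value name would read better in code formatting than in single quotes, and the last added sentence needs a period.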
diff --git a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
similarity index 98%
rename from windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index 6323444135..2636c7abd9 100644
--- a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -43,7 +43,7 @@ The guide is available in PDF format for offline viewing:
- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
-- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.0/DisplayScript)
+- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.2/DisplayScript)
> [!IMPORTANT]
> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
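Review bot: The changed link hard-codes the package version in the URL (1.0 becomes 1.2), so it will go stale again at the next release of the script. Consider whether an unversioned Gallery link would serve, or state in the text which script version the guide was written against, so readers can tell when the two have drifted. The unchanged sentence just above the link, "You can also download a PowerShell that will enable all the settings", is missing the word "script" and could be fixed in the same pass.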
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/client.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/client.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/client.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/notification.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/notification.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/notification.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/server-add-gui.png b/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/server-add-gui.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg b/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg
rename to windows/security/threat-protection/windows-defender-antivirus/images/svg/check-no.svg
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg b/windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg
rename to windows/security/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png b/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png b/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png b/windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/vtp-3ps.png
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png b/windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/vtp-wdav.png
diff --git a/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
similarity index 94%
rename from windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
rename to windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index f5ba563109..0dd2646921 100644
--- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -51,7 +51,7 @@ In order for devices to properly show up in Update Compliance, you have to meet
>- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
> - [Cloud-delivered protection is enabled](enable-cloud-protection-windows-defender-antivirus.md).
> - Endpoints can [connect to the Windows Defender AV cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
-> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 telemetry must be set to the Enhanced level](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level).
+> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic information and send it to us.
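Review bot: The replacement link on the `+` line still hard-codes the `/en-us/` locale in an absolute docs.microsoft.com URL, while every other link in this list is a relative `.md` link. Drop the locale segment (or use a relative link if the target lives in this repo) so the link follows the reader's language. Since the slug changed from `configure-windows-telemetry-in-your-organization` to `configure-windows-diagnostic-data-in-your-organization`, also confirm that the `#enhanced-level` anchor exists on the renamed page before merging.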
diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
rename to windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
rename to windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
rename to windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
rename to windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
similarity index 100%
rename from windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
rename to windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
diff --git a/windows/security/threat-protection/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control.md
new file mode 100644
index 0000000000..74adeafb06
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control.md
@@ -0,0 +1,49 @@
+---
+title: Windows Defender Application Control (WDAC) (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 01/24/2018
+---
+
+# Windows Defender Application Control
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016
+
+With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
+In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative.
+
+However, when a user runs a process, that process has the same level of access to data that the user has.
+As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software.
+
+Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions.
+Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run.
+Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
+
+Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel).
+WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1).
+
+> [!NOTE]
+> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.
+
+## WDAC System Requirements
+
+WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016.
+They can be applied to computers running any edition of Windows 10 and managed via Mobile Device Management (MDM), such as Microsoft Intune.
+Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016.
+
+## New and changed functionality
+
+Prior to Windows 10, version 1709, Windows Defender Application Control was known as Windows Defender Device Guard configurable code integrity policies.
+
+Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser).
+For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](https://docs.microsoft.com/windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
+
+
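Review bot: The new file states the pre-1709 name twice and inconsistently: the `[!NOTE]` says "configurable code integrity policies" and the first line under "New and changed functionality" says "Windows Defender Device Guard configurable code integrity policies". Keep one statement with one name. The sentence "WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode" should say under which policy state this applies, because an admin will read it as a description of every machine that has a WDAC policy present. The "New and changed functionality" section also lists the 1709 change before the 1703 one; chronological order would read better.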
diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
rename to windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
similarity index 97%
rename from windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
rename to windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 71c3fac2d7..387b02dde9 100644
--- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -37,7 +37,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?|
-|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.|
+|**A:** |Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.|
| | |
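Review bot: The corrected answer on the `+` line still says "Depending on your organization's settings" without naming or linking the setting that controls clipboard transfer across the container boundary. Since this is the control an admin needs to find in order to restrict data movement out of the isolated session, link the phrase to the configuration topic (`configure-wd-app-guard.md` sits in the same folder in this commit).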
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-new-window.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-new-window.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/security/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/security/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png
diff --git a/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/security/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png
rename to windows/security/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png
diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
rename to windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
rename to windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
rename to windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
similarity index 100%
rename from windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
rename to windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
similarity index 77%
rename from windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index ad0296fcc4..1da2319b09 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -106,11 +106,11 @@ Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/Wi
Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 Default value: 1 | Windows Defender ATP Sample sharing is enabled
-Configuration for onboarded machines: telemetry reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2 1: Normal (default)
2: Expedite | Windows Defender ATP telemetry reporting
+Configuration for onboarded machines: diagnostic data reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2 1: Normal (default)
2: Expedite | Windows Defender ATP diagnostic data reporting
> [!NOTE]
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
-> - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703.
+> - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.
> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
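Review bot: The renamed table row and note now say "diagnostic data reporting frequency", but the OMA-URI in the same row necessarily remains `.../Configuration/TelemetryReportingFrequency`, so the label no longer matches the node name an admin will see in the MDM profile. Add a short parenthetical naming the `TelemetryReportingFrequency` node in the row or the note so the setting can still be found by its actual name.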
@@ -118,66 +118,6 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
-### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
-
-1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
-
- a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
-
- b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
-
- 
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
-
-3. Login to the [Microsoft Azure portal](https://portal.azure.com).
-
-4. From the Intune blade, choose **Device configuration**.
-
- 
-
-5. Under **Manage**, choose **Profiles** and click **Create Profile**.
-
- 
-
-6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
-
- 
-
-7. Click **Settings** > **Configure**.
-
- 
-
-8. Under Custom OMA-URI Settings, click **Add**.
-
- 
-
-9. Enter the following values, then click **OK**.
-
- 
-
- - **Name**: Type a name for the setting.
- - **Description**: Type a description for the setting.
- - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
- - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
-
-10. Save the settings by clicking **OK**.
-
-11. Click **Create**.
-
- 
-
-12. To deploy the Profile, click **Assignments**.
-
- 
-
-13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
-
- 
-
-14. Click **Save** to finish deploying the Configuration Profile.
-
- 
### Offboard and monitor endpoints
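Review bot: the visible part of this hunk deletes the whole Azure Intune Portal procedure (steps 1 to 14) with no replacement among the lines shown, and two details go with it: step 2's instruction to extract the package to a shared, read-only location and step 9's OMA-URI value, ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding. If the custom-profile route is still supported, confirm both survive elsewhere in the topic or leave a pointer to the page that now documents them.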
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
similarity index 96%
rename from windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
index 221265a041..f98fcf98cf 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
@@ -60,7 +60,7 @@ To effectively offboard the endpoints from the service, you'll need to disable t
2. In Windows Defender Security Center portal, select **Endpoint management**> **Non-Windows**.
-3. Toggle the third-party provider switch button to turn stop telemetry from endpoints.
+3. Toggle the third-party provider switch button to turn stop diagnostic data from endpoints.
>[!WARNING]
>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on endpoints.
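Review bot: the rewritten step 3 keeps the broken phrase "to turn stop", so the terminology swap leaves the sentence ungrammatical. Since the line is being touched anyway, suggest "Toggle the third-party provider switch button to stop diagnostic data from endpoints."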
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
similarity index 97%
rename from windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 3a456f6352..cd4942e214 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
-Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
+Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report diagnostic data and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
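Review bot: the added sentence carries over "if a computer is not be permitted to connect to the Internet", which should read "is not permitted", and "allow only Windows Defender ATP sensor" is missing "the". The Group Policy name on the following context line rightly keeps "telemetry" because it is the setting's display name, so a short remark in the commit message that this was left on purpose would save the next editor from "fixing" it.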
diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
similarity index 93%
rename from windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index 6cdf425a42..e3847a41ad 100644
--- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -57,8 +57,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
Topic | Description
:---|:---
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
+[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.
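Review bot: the ArcSight row is moved below the Splunk row and its link text becomes "Configure HP ArcSight to pull Windows Defender ATP alerts", but the description in the same row still says "configure ArcSight to pull". Use one product name in both cells, and check that the new link text matches the title of configure-arcsight-windows-defender-advanced-threat-protection.md so the table and the target topic agree.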
diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
similarity index 89%
rename from windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index a15378b6ad..a650f8fe1f 100644
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/14/2017
+ms.date: 03/06/2018
---
# Windows Defender ATP data storage and privacy
@@ -40,6 +40,15 @@ Microsoft uses this data to:
Microsoft does not use your data for advertising or for any other purpose other than providing you the service.
+## Data protection and encryption
+The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.
+
+
+There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Windows Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/en-us/azure/security/security-azure-encryption-overview).
+
+In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
+
+
## Do I have the flexibility to select where to store my data?
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation.
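Review bot: in the new "Data protection and encryption" section the link text reads "AES encyption" (typo for "encryption"), and the claim "In all scenarios, data is encrypted using 256-bit AES encyption at the minimum" is too loose for a privacy topic. 256 bits is the largest AES key size, so "at the minimum" has nothing above it to refer to, and "all scenarios" does not say whether it covers data at rest, in flight, or both, although the preceding paragraph lists them separately. Suggest stating the guarantee per scenario and dropping the doubled blank lines after the first and last paragraphs.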
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
similarity index 96%
rename from windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index 43244d2c7b..79a751c4a0 100644
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -155,7 +155,7 @@ The service could not contact the external processing servers at that URL.
17
Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.
An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
-
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
+
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
32
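Review bot: the three replaced links in this hunk point at two different anchors. The first uses #ensure-the-diagnostics-service-is-enabled while the second and third use #ensure-the-diagnostic-data-service-is-enabled, so at least one of them cannot match the heading in troubleshoot-onboarding-windows-defender-advanced-threat-protection.md. The third link also keeps the old text "Check for errors with the Windows telemetry service" even though its anchor was renamed. Pick the slug generated by the renamed heading and use it in all three, and align the link text.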
@@ -241,7 +241,7 @@ If the identifier does not persist, the same machine might appear twice in the p
34
Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
@@ -250,7 +250,7 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```.
An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
-
Check for errors with the Windows telemetry service.
+
Check for errors with the Windows diagnostic data service.
36
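Review bot: the added line says "Check for errors with the Windows diagnostic data service" but the unchanged cause text directly above it still says "An error occurred with the Windows telemetry service during offboarding", so the same table row now uses two names for one service. Either update the cause text in this change as well or keep "telemetry" here until the event descriptions are revised together.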
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
similarity index 94%
rename from windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 05f7de339c..b31dad703f 100644
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -72,8 +72,8 @@ Follow theses actions to correct known issues related to a misconfigured machine
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
-- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled)
-If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint.
+- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
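Review bot: the new link targets #ensure-the-diagnostics-service-is-enabled, whereas most of the links changed in event-error-codes-windows-defender-advanced-threat-protection.md in this same patch target #ensure-the-diagnostic-data-service-is-enabled. Only one of these can match the renamed heading in the troubleshooting topic, so verify the slug and use it consistently, otherwise this bullet links to the top of the page instead of the section.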
diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
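Review bot: These API reference pages move one directory deeper (windows/threat-protection/... to windows/security/threat-protection/...) at similarity index 100%, so no link inside them was adjusted. Any relative link that climbs out of the moved tree now resolves one level short. Run a link check over the moved .md files before merging, and confirm the old paths get a redirect entry, since none appears in these rename entries.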
diff --git a/windows/threat-protection/windows-defender-atp/images/1.png b/windows/security/threat-protection/windows-defender-atp/images/1.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/1.png
rename to windows/security/threat-protection/windows-defender-atp/images/1.png
diff --git a/windows/threat-protection/windows-defender-atp/images/active-threat-icon.png b/windows/security/threat-protection/windows-defender-atp/images/active-threat-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/active-threat-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/active-threat-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/alert-details.png b/windows/security/threat-protection/windows-defender-atp/images/alert-details.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/alert-details.png
rename to windows/security/threat-protection/windows-defender-atp/images/alert-details.png
diff --git a/windows/threat-protection/windows-defender-atp/images/alert-icon.png b/windows/security/threat-protection/windows-defender-atp/images/alert-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/alert-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/alert-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
rename to windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
diff --git a/windows/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png
rename to windows/security/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png
diff --git a/windows/threat-protection/windows-defender-atp/images/analysis-results.png b/windows/security/threat-protection/windows-defender-atp/images/analysis-results.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/analysis-results.png
rename to windows/security/threat-protection/windows-defender-atp/images/analysis-results.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-File-path-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-File-path-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-File-path-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-File-path-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png b/windows/security/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-action-block-file.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-action-block-file.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png b/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png b/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png b/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-action-center.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-action-center.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png
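Review bot: The misspelled asset atp-actions-release-from-isoloation.png is carried into the new tree alongside the correctly spelled atp-actions-release-from-isolation.png renamed in the entry just above. Check which of the two the articles actually reference, and drop or consolidate the other rather than moving both.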
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actions-run-av.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actions-run-av.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actor-alert.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actor-alert.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actor-report.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actor-report.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actor-report.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actor-report.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actor.png b/windows/security/threat-protection/windows-defender-atp/images/atp-actor.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-actor.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-actor.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png b/windows/security/threat-protection/windows-defender-atp/images/atp-add-application-name.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-add-application-name.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application.png b/windows/security/threat-protection/windows-defender-atp/images/atp-add-application.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-add-application.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-add-application.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-intune-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-add-intune-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-add-intune-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-add-intune-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alert-details.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alert-page.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-source.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-source.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alert-source.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alert-source.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-status.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alert-status.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alert-status.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline-numbered.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline-numbered.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alert-timeline-numbered.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline-numbered.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-group.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-group.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alerts-group.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alerts-group.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-q.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-q.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alerts-q.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alerts-q.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alerts-queue.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-file.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-file.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-file.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG
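Review bot: atp-alerts-related-to-machine.PNG keeps its upper-case extension while the surrounding images in this directory use .png. On a case-sensitive host, a reference written with .png will not resolve to this file. Since the file is being moved anyway, consider normalising the extension to lower case and updating the references in the same change.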
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alertsq1.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alertsq1.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alertsq1.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alertsq1.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png b/windows/security/threat-protection/windows-defender-atp/images/atp-app-restriction.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-app-restriction.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-application-information.png b/windows/security/threat-protection/windows-defender-atp/images/atp-application-information.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-application-information.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-application-information.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png b/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png b/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-api-access.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-api-access.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-create.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-create.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-create.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-intune.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-billing-licenses.png b/windows/security/threat-protection/windows-defender-atp/images/atp-billing-licenses.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-billing-licenses.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-billing-licenses.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png b/windows/security/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png b/windows/security/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-blockfile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-blockfile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-blockfile.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-blockfile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png b/windows/security/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-command-line-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-command-line-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-command-line-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-command-line-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png b/windows/security/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png b/windows/security/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png b/windows/security/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-custom-ti-mapping.png b/windows/security/threat-protection/windows-defender-atp/images/atp-custom-ti-mapping.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-custom-ti-mapping.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-custom-ti-mapping.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png b/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-data-not-available.png b/windows/security/threat-protection/windows-defender-atp/images/atp-data-not-available.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-data-not-available.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-data-not-available.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png b/windows/security/threat-protection/windows-defender-atp/images/atp-detailed-actor.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-detailed-actor.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-disableantispyware-regkey.png b/windows/security/threat-protection/windows-defender-atp/images/atp-disableantispyware-regkey.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-disableantispyware-regkey.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-disableantispyware-regkey.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png b/windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-download-connector.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png b/windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-example-email-notification.png b/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-example-email-notification.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-export-machine-timeline-events.png b/windows/security/threat-protection/windows-defender-atp/images/atp-export-machine-timeline-events.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-export-machine-timeline-events.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-export-machine-timeline-events.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-file-action.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-file-action.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-file-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-details.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-file-details.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-file-details.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-file-in-org.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-in-org.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-file-in-org.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-file-in-org.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-file-information.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-information.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-file-information.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-file-information.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png b/windows/security/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png b/windows/security/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png b/windows/security/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png b/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png b/windows/security/threat-protection/windows-defender-atp/images/atp-improv-ops.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-improv-ops.png
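Review bot: atp-improv-ops.png in this hunk and atp-improv-opps.png in the preceding one differ by a single letter, and both are moved to the new path as is. Check which of the two names the articles actually reference and drop the unused one as part of this move, so the near-duplicate name is not carried into windows/security/.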
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-industry-information.png b/windows/security/threat-protection/windows-defender-atp/images/atp-industry-information.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-industry-information.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-industry-information.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-add-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-add-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-add-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-add-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-assignments.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-assignments.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-configure.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-configure.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-custom.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-custom.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-group.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-group.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-group.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-new-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-new-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-new-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-new-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-oma-uri-setting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-oma-uri-setting.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-oma-uri-setting.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-oma-uri-setting.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png b/windows/security/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-investigation-package-action-center.png b/windows/security/threat-protection/windows-defender-atp/images/atp-investigation-package-action-center.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-investigation-package-action-center.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-investigation-package-action-center.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png b/windows/security/threat-protection/windows-defender-atp/images/atp-isolate-machine.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-isolate-machine.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-logo-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-logo-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-logo-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-logo-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-actions.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-actions.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-health-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-health-details.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-health.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-health.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-health.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-health.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-isolation.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-isolation.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-timeline.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-view-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-view-list.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-machines-view-list.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-machines-view-list.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-main-portal.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-main-portal.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-main-portal.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png b/windows/security/threat-protection/windows-defender-atp/images/atp-manage-tags.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-manage-tags.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping 3.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mapping 3.png
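Review bot: the file name `atp-mapping 3.png` in this rename contains a space, and the same change also moves an `atp-mapping3.png`, so the two look like duplicates of one screenshot. A space in an image path has to be URL-encoded in Markdown links and is easy to break in scripts. Since the file is being moved anyway, check whether any article still references the spaced name; if none does, delete it instead of carrying it to the new location, otherwise rename it without the space and update the reference.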
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping1.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mapping1.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mapping1.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping2.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mapping2.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mapping2.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping3.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mapping3.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mapping3.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping4.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mapping4.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mapping4.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mapping5.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping6.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mapping6.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mapping6.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mapping7.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mapping7.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mapping7.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mma-properties.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mma-properties.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-mma-properties.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-mma-properties.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-module-load-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-module-load-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-module-load-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-module-load-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png b/windows/security/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-no-network-connection.png b/windows/security/threat-protection/windows-defender-atp/images/atp-no-network-connection.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-no-network-connection.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-no-network-connection.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png b/windows/security/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png b/windows/security/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-notification-file.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-notification-file.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-notification-file.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-isolate.png b/windows/security/threat-protection/windows-defender-atp/images/atp-notification-isolate.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-notification-isolate.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-notification-isolate.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png b/windows/security/threat-protection/windows-defender-atp/images/atp-notification-restrict.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-notification-restrict.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png b/windows/security/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-observed-machines.png b/windows/security/threat-protection/windows-defender-atp/images/atp-observed-machines.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-observed-machines.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-observed-machines.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png b/windows/security/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png
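Review bot: `atp-onboard-endpoints-WDATP-portal-border-test.png` keeps an upper-case `WDATP` segment in the destination path, as does the `atp-onboard-endpoints-WDATP-portal.png` rename that follows, while the other images moved here are lower-case. Mixed-case asset names resolve differently on case-sensitive and case-insensitive file systems, so a link typed in lower case can work locally and fail once published. Consider lower-casing both names as part of this move and confirming that the `-border-test` image is still referenced by an article.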
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-mdm.png b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-mdm.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-onboard-mdm.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-onboard-mdm.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-score.png b/windows/security/threat-protection/windows-defender-atp/images/atp-org-score.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-org-score.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-org-score.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/security/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-organization-size.png b/windows/security/threat-protection/windows-defender-atp/images/atp-organization-size.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-organization-size.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-organization-size.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png b/windows/security/threat-protection/windows-defender-atp/images/atp-permissions-applications.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-permissions-applications.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal-sensor.png b/windows/security/threat-protection/windows-defender-atp/images/atp-portal-sensor.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-portal-sensor.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-portal-sensor.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png b/windows/security/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-portal.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-portal.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-portal.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-options.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-options.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-preferences-setup.png b/windows/security/threat-protection/windows-defender-atp/images/atp-preferences-setup.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-preferences-setup.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-preferences-setup.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-preview-experience.png b/windows/security/threat-protection/windows-defender-atp/images/atp-preview-experience.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-preview-experience.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-preview-experience.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-preview-features.png b/windows/security/threat-protection/windows-defender-atp/images/atp-preview-features.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-preview-features.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-preview-features.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-process-event-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-process-event-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-process-event-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-process-event-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-process-injection.png b/windows/security/threat-protection/windows-defender-atp/images/atp-process-injection.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-process-injection.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-process-injection.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-process-tree.png b/windows/security/threat-protection/windows-defender-atp/images/atp-process-tree.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-process-tree.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-process-tree.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-refresh-token.png b/windows/security/threat-protection/windows-defender-atp/images/atp-refresh-token.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-refresh-token.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-refresh-token.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png b/windows/security/threat-protection/windows-defender-atp/images/atp-region-control-panel.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-region-control-panel.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-remediated-alert.png b/windows/security/threat-protection/windows-defender-atp/images/atp-remediated-alert.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-remediated-alert.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-remediated-alert.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-remove-blocked-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-remove-blocked-file.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-remove-blocked-file.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-remove-blocked-file.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-restrict-app.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-restrict-app.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png b/windows/security/threat-protection/windows-defender-atp/images/atp-run-av-scan.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-run-av-scan.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-running-script.png b/windows/security/threat-protection/windows-defender-atp/images/atp-running-script.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-running-script.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-running-script.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sample-custom-ti-alert.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sample-custom-ti-alert.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-sample-custom-ti-alert.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-sample-custom-ti-alert.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png b/windows/security/threat-protection/windows-defender-atp/images/atp-save-tag.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-save-tag.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-save-tag.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-coverage.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-sec-coverage.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-coverage.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-security-coverage.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-improvements.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-security-improvements.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png b/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-filter.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-filter.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-sensor-filter.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-sensor-filter.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-resized.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-resized.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-resized.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-resized.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-tile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-tile.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-tile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-nonav.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-nonav.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-sensor-health-nonav.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-nonav.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-tile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-sensor-health-tile.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-tile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png b/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-services.png b/windows/security/threat-protection/windows-defender-atp/images/atp-services.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-services.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-services.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-setup-complete.png b/windows/security/threat-protection/windows-defender-atp/images/atp-setup-complete.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-setup-complete.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-setup-complete.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png b/windows/security/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-integration.png b/windows/security/threat-protection/windows-defender-atp/images/atp-siem-integration.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-siem-integration.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-siem-integration.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png b/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png b/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png b/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-signer-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-signer-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-signer-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-signer-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-simulate-custom-ti.png b/windows/security/threat-protection/windows-defender-atp/images/atp-simulate-custom-ti.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-simulate-custom-ti.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-simulate-custom-ti.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stopnquarantine-file.png b/windows/security/threat-protection/windows-defender-atp/images/atp-stopnquarantine-file.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-stopnquarantine-file.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-stopnquarantine-file.png
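Review bot: atp-stopnquarantine-file.png is carried over alongside atp-stop-quarantine-file.png and atp-stop-quarantine.png, three names that differ by only a few characters. Since every image path is being touched anyway, check which of these the moved pages still reference and drop or merge any unreferenced one, rather than moving all three unchanged.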
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-subscription-expired.png b/windows/security/threat-protection/windows-defender-atp/images/atp-subscription-expired.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-subscription-expired.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-subscription-expired.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-suppression-rules.png b/windows/security/threat-protection/windows-defender-atp/images/atp-suppression-rules.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-suppression-rules.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-suppression-rules.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png b/windows/security/threat-protection/windows-defender-atp/images/atp-tag-management.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-tag-management.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-tag-management.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-task-manager.png b/windows/security/threat-protection/windows-defender-atp/images/atp-task-manager.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-task-manager.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-task-manager.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png b/windows/security/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png b/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png
new file mode 100644
index 0000000000..13b0392123
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png differ
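Review bot: atp-time-zone.png is a new file (new file mode 100644, from /dev/null) sitting in the middle of a run of entries that are all pure renames at similarity index 100%. Adding a new asset inside a bulk directory move makes the move harder to audit as content-neutral. Consider putting it in its own commit together with the page change that references it.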
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png b/windows/security/threat-protection/windows-defender-atp/images/atp-undo-isolation.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-undo-isolation.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-view.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-user-details-view.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-user-details.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-user-details.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-view-ata.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-user-view-ata.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png b/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png b/windows/security/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png b/windows/security/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp.png b/windows/security/threat-protection/windows-defender-atp/images/atp.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/atp.png
rename to windows/security/threat-protection/windows-defender-atp/images/atp.png
diff --git a/windows/threat-protection/windows-defender-atp/images/components.png b/windows/security/threat-protection/windows-defender-atp/images/components.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/components.png
rename to windows/security/threat-protection/windows-defender-atp/images/components.png
diff --git a/windows/threat-protection/windows-defender-atp/images/detection-icon.png b/windows/security/threat-protection/windows-defender-atp/images/detection-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/detection-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/detection-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/filter-log.png b/windows/security/threat-protection/windows-defender-atp/images/filter-log.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/filter-log.png
rename to windows/security/threat-protection/windows-defender-atp/images/filter-log.png
diff --git a/windows/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png b/windows/security/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png
rename to windows/security/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png
diff --git a/windows/threat-protection/windows-defender-atp/images/machines-active-threats-tile.png b/windows/security/threat-protection/windows-defender-atp/images/machines-active-threats-tile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/machines-active-threats-tile.png
rename to windows/security/threat-protection/windows-defender-atp/images/machines-active-threats-tile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/machines-at-risk.png b/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/machines-at-risk.png
rename to windows/security/threat-protection/windows-defender-atp/images/machines-at-risk.png
diff --git a/windows/threat-protection/windows-defender-atp/images/machines-reporting-tile.png b/windows/security/threat-protection/windows-defender-atp/images/machines-reporting-tile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/machines-reporting-tile.png
rename to windows/security/threat-protection/windows-defender-atp/images/machines-reporting-tile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/menu-icon.png b/windows/security/threat-protection/windows-defender-atp/images/menu-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/menu-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/menu-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/not-remediated-icon.png b/windows/security/threat-protection/windows-defender-atp/images/not-remediated-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/not-remediated-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/not-remediated-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/overview.png b/windows/security/threat-protection/windows-defender-atp/images/overview.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/overview.png
rename to windows/security/threat-protection/windows-defender-atp/images/overview.png
diff --git a/windows/threat-protection/windows-defender-atp/images/remediated-icon.png b/windows/security/threat-protection/windows-defender-atp/images/remediated-icon.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/remediated-icon.png
rename to windows/security/threat-protection/windows-defender-atp/images/remediated-icon.png
diff --git a/windows/threat-protection/windows-defender-atp/images/rules-legend.png b/windows/security/threat-protection/windows-defender-atp/images/rules-legend.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/rules-legend.png
rename to windows/security/threat-protection/windows-defender-atp/images/rules-legend.png
diff --git a/windows/threat-protection/windows-defender-atp/images/run-as-admin.png b/windows/security/threat-protection/windows-defender-atp/images/run-as-admin.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/run-as-admin.png
rename to windows/security/threat-protection/windows-defender-atp/images/run-as-admin.png
diff --git a/windows/threat-protection/windows-defender-atp/images/sccm-deployment.png b/windows/security/threat-protection/windows-defender-atp/images/sccm-deployment.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/sccm-deployment.png
rename to windows/security/threat-protection/windows-defender-atp/images/sccm-deployment.png
diff --git a/windows/threat-protection/windows-defender-atp/images/settings.png b/windows/security/threat-protection/windows-defender-atp/images/settings.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/settings.png
rename to windows/security/threat-protection/windows-defender-atp/images/settings.png
diff --git a/windows/threat-protection/windows-defender-atp/images/status-tile.png b/windows/security/threat-protection/windows-defender-atp/images/status-tile.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/status-tile.png
rename to windows/security/threat-protection/windows-defender-atp/images/status-tile.png
diff --git a/windows/threat-protection/windows-defender-atp/images/submit-file.png b/windows/security/threat-protection/windows-defender-atp/images/submit-file.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/submit-file.png
rename to windows/security/threat-protection/windows-defender-atp/images/submit-file.png
diff --git a/windows/threat-protection/windows-defender-atp/images/windefatp-sc-qc-diagtrack.png b/windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-qc-diagtrack.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/windefatp-sc-qc-diagtrack.png
rename to windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-qc-diagtrack.png
diff --git a/windows/threat-protection/windows-defender-atp/images/windefatp-sc-query-diagtrack.png b/windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-query-diagtrack.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/windefatp-sc-query-diagtrack.png
rename to windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-query-diagtrack.png
diff --git a/windows/threat-protection/windows-defender-atp/images/windefatp-sc-query.png b/windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-query.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/windefatp-sc-query.png
rename to windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-query.png
diff --git a/windows/threat-protection/windows-defender-atp/images/windefatp-utc-console-autostart.png b/windows/security/threat-protection/windows-defender-atp/images/windefatp-utc-console-autostart.png
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/images/windefatp-utc-console-autostart.png
rename to windows/security/threat-protection/windows-defender-atp/images/windefatp-utc-console-autostart.png
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
similarity index 92%
rename from windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 8fc3acc6fa..3027bbe7f9 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -72,13 +72,14 @@ The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to com
For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
-Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10.
+Before you configure endpoints, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
-### Telemetry and diagnostics settings
-You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization.
+
+### Diagnostic data settings
+You must ensure that the diagnostic data service is enabled on all the endpoints in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
-**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the endpoint:
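Review bot: The unchanged sentence under the renamed heading still ends "to ensure that you'll get sensor data from them", and "them" has no clear antecedent now that the surrounding sentences are about the service. Suggest "from the endpoints". Renaming the heading from "Telemetry and diagnostics settings" to "Diagnostic data settings" also changes its generated anchor, so any links that point at the old anchor should be updated in this same change. The context line above the hunk has a misplaced comma and a stray space before the period ("see, [Configure ...](...) ."), which could be cleaned up while this paragraph is being touched.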
@@ -100,7 +101,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
-**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/prerelease.md b/windows/security/threat-protection/windows-defender-atp/prerelease.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/prerelease.md
rename to windows/security/threat-protection/windows-defender-atp/prerelease.md
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
similarity index 98%
rename from windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 6708631bb3..c3162d20c2 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 11/09/2017
+ms.date: 03/06/2018
---
# Take response actions on a file
@@ -48,7 +48,7 @@ The **Stop and Quarantine File** action includes stopping running processes, qua
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
>[!NOTE]
->You’ll be able to remove the file from quarantine at any time.
+>You’ll be able to restore the file from quarantine at any time.
### Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
@@ -101,7 +101,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
```
> [!NOTE]
-> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
+> Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
## Block files in your network
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
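Review bot: The two notes now say "restore", but the section intro shown in the hunk header still reads "You can roll back and remove a file from quarantine", so the page uses both verbs for the same action. Align the intro sentence (and the section heading, if it uses "remove") with "restore" so readers do not take "remove" to mean deletion of the quarantined file.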
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
similarity index 98%
rename from windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
index c3705bb1d8..a7f177c650 100644
--- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -72,7 +72,7 @@ The numbers beside the green triangle icon on each recommended action represents
>[!IMPORTANT]
>Recommendations that do not display a green triangle icon are informational only and no action is required.
-Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
+Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
The following image shows an example list of machines where the EDR sensor is not turned on.
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
similarity index 87%
rename from windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index d928035ce4..b376019c6a 100644
--- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Advanced Threat Protection settings
+title: Windows Defender Advanced Threat Protection time zone settings
description: Use the menu to configure the time zone and view license information.
keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
search.product: eADQiWindows 10XVcnh
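Review bot: The title is narrowed to "time zone settings", but the unchanged `description` still says "configure the time zone and view license information" and `keywords` still ends with "license". The License section is deleted further down in this file, so drop the license wording from both metadata fields to keep search results accurate.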
@@ -8,12 +8,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
-author: DulceMV
+author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/30/2017
+ms.date: 02/13/2018
---
-# Windows Defender Advanced Threat Protection settings
+# Windows Defender Advanced Threat Protection time zone settings
**Applies to:**
@@ -27,7 +27,7 @@ ms.date: 10/30/2017
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink)
-Use the **Settings** menu  to configure the time zone and view license information.
+Use the **Time zone** menu  to configure the time zone and view license information.
## Time zone settings
The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
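Review bot: The added intro line still says the **Time zone** menu is used "to configure the time zone and view license information", while the last hunk of this file removes the License section. Trim the sentence to the time zone only, or keep a pointer to where license information now lives. The added line also carries a double space after "menu" where the icon image used to sit.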
@@ -36,7 +36,7 @@ Cyberforensic investigations often rely on time stamps to piece together the seq
Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time.
-Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Settings** menu .
+Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Time zone** menu .
### UTC time zone
Windows Defender ATP uses UTC time by default.
@@ -55,7 +55,7 @@ The Windows Defender ATP time zone is set by default to UTC.
Setting the time zone also changes the times for all Windows Defender ATP views.
To set the time zone:
-1. Click the **Settings** menu .
+1. Click the **Time zone** menu .
2. Select the **Timezone UTC** indicator.
3. Select **Timezone UTC** or your local time zone, for example -7:00.
@@ -88,5 +88,4 @@ The following date and time formats are currently not supported:
**Decimal symbol used in numbers**
Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
-## License
-Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
+
diff --git a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..e2bb30d5ac
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,54 @@
+---
+title: Windows Defender Advanced Threat Protection Threat analytics
+description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
+keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 03/06/2018
+---
+
+# Threat analytics for Spectre and Meltdown
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+[Spectre and Meltdown](https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/) is a new class of exploits that take advantage of critical vulnerabilities in the CPU processors, allowing attackers running user-level, non-admin code to steal data from kernel memory. These exploits can potentially allow arbitrary non-admin code running on a host machine to harvest sensitive data belonging to other apps or system processes, including apps on guest VMs.
+
+Mitigating these vulnerabilities involves a complex multivendor update. It requires updates to Windows and Microsoft browsers using the [January 2018 Security Updates from Microsoft](https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99) and updates to processor microcode using fixes released by OEM and CPU vendors.
+
+## Prerequisites
+Note the following requirements and limitations of the charts and what you might be able to do to improve visibility of the mitigation status of machines in your network:
+
+- Only active machines running Windows 10 are checked for OS mitigations.
+- When checking for microcode mitgations, Windows Defender ATP currently checks for updates applicable to Intel CPU processors only.
+- To determine microcode mitigation status, machines must enable Windows Defender Antivirus and update to definition version 1.259.1545.0 or above.
+- To be covered under the overall mitigation status, machines must have both OS and microcode mitigation information.
+
+## Assess organizational risk with Threat analytics
+
+Threat analytics helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of the following mitigations:
+
+- **OS mitigation**: Identifies machines that have installed the January 2018 Security Updates from Microsoft and have not explicitly disabled any of the OS mitigations provided with these updates
+- **Microcode mitigation**: Identifies machines that have installed the necessary microcode updates or those that do not require them
+- **Overall mitigation status**: Identifies the completeness by which machines have mitigated against the Spectre and Meltdown exploits
+
+
+To access Threat analytics, from the navigation pane select **Dashboards** > **Threat analytics**.
+
+Click a section of each chart to get a list of the machines in the corresponding mitigation status.
+
+
+
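Review bot: The front-matter `title` is "Windows Defender Advanced Threat Protection Threat analytics" while the H1 is "Threat analytics for Spectre and Meltdown". Pick one scope so the search title matches the page content. In the Prerequisites list, "microcode mitgations" is misspelled and "Intel CPU processors" is redundant ("Intel processors" is enough). The opening sentence has an agreement error ("Spectre and Meltdown ... is a new class of exploits that take advantage"); suggest "are a new class of exploits that takes advantage of critical vulnerabilities in CPUs". The new file also ends with three blank added lines that can be dropped.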
diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
similarity index 85%
rename from windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index 1e32ef16a7..d6dbef14e6 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 02/26/2018
---
# Troubleshoot custom threat intelligence issues
@@ -33,15 +33,15 @@ This page provides detailed steps to troubleshoot issues you might encounter whi
## Learn how to get a new client secret
If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat intelligence application, you'll need to get a new secret.
-1. Login to the [Azure management portal](https://ms.portal.azure.com).
+1. Login to the [Azure management portal](https://portal.azure.com).
2. Select **Active Directory**.
3. Select your tenant.
-4. Click **Application**, then select your custom threat intelligence application. The application name is **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**).
+4. Click **App registrations** > **All apps**. Then select the application name **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**).
-5. Select **Keys** section, then provide a key description and specify the key validity duration.
+5. Under **Settings**, select **Keys**, then provide a key description and specify the key validity duration.
6. Click **Save**. The key value is displayed.
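Review bot: Step 6 ends at "The key value is displayed." with no instruction to copy and store the value, even though the section intro says a misplaced copy means generating a new secret. Add a sentence telling the reader to copy the key value when it is displayed and keep it in a secure location. Step 1 uses "Login to" as a verb; it should read "Log in to", since the line is already being edited for the URL.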
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
similarity index 97%
rename from windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index b4176ad214..0dd01e9e60 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -128,7 +128,7 @@ ID | Severity | Event description | Troubleshooting steps
## Troubleshoot onboarding issues on the endpoint
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
-- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled)
+- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
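Review bot: The updated list item links to `#ensure-the-diagnostics-service-is-enabled`, but the heading renamed later in this file is "Ensure the diagnostic data service is enabled", whose generated anchor would normally be `#ensure-the-diagnostic-data-service-is-enabled`. As written, the in-page link will not resolve. Change the link target to match the new heading text.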
@@ -176,14 +176,15 @@ Event ID | Message | Resolution steps
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
-### Ensure the telemetry and diagnostics service is enabled
-If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
+
+### Ensure the diagnostic data service is enabled
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
### Ensure the service is set to start
-**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the endpoint:
@@ -204,7 +205,7 @@ First, you should check that the service is set to start automatically when Wind
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
-**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
@@ -306,5 +307,6 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
## Related topics
+- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
similarity index 66%
rename from windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index 114d11828b..4d77042ae0 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 02/13/2018
---
# Troubleshoot SIEM tool integration issues
@@ -34,13 +34,13 @@ This page provides detailed steps to troubleshoot issues you might encounter.
## Learn how to get a new client secret
If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret.
-1. Login to the [Azure management portal](https://ms.portal.azure.com).
+1. Login to the [Azure management portal](https://portal.azure.com).
-2. Select **Active Directory**.
+2. Select **Azure Active Directory**.
3. Select your tenant.
-4. Click **Application**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`.
+4. Click **App registrations** > **All apps**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`.
5. Select **Keys** section, then provide a key description and specify the key validity duration.
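Review bot: Step 4 gives the application name as `https://windowsdefenderatpsiemconnector`, all lowercase, while the section added later in this same file lists it as `https://WindowsDefenderATPSiemConnector`; use one spelling so admins can match it against the App registrations list. While step 1 is being touched, "Login to" should be the verb form "Log in to" (or "Sign in to"), and step 5 reads better as "Select the **Keys** section".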
@@ -49,8 +49,26 @@ If your client secret expires or if you've misplaced the copy provided when you
7. Copy the value and save it in a safe place.
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
+## Error when getting a refresh access token
+If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add reply URL for relevant application in Azure Active Directory.
+1. Login to the [Azure management portal](https://ms.portal.azure.com).
+
+2. Select **Azure Active Directory**.
+
+3. Select your tenant.
+
+4. Click **App Registrations**. Then in the applications list, select the application:
+ - For SIEM: `https://WindowsDefenderATPSiemConnector`
+ - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
+
+5. Add the following URL:
+ - For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
+ - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
+
+6. Click **Save**.
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
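Review bot: Step 1 of the new section links to `https://ms.portal.azure.com`, the URL this same commit replaces with `https://portal.azure.com` in the client secret section above; use the updated URL here too. Step 5 says "Add the following URL" without naming where in the app registration it goes (the intro calls it a reply URL), and it should tell the reader to add only the entry for the tenant's region, since each reply URL is an additional redirect target the application will accept. Smaller points: the heading says "refresh access token" while the body says "refresh token", the intro needs articles ("add a reply URL for the relevant application"), and the US URL line ends with a period that the Europe line lacks and that could be copied into the setting by mistake.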
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
similarity index 99%
rename from windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 336ff2d686..64bd439f18 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -71,6 +71,6 @@ Support of use of comma as a separator in numbers are not supported. Regions whe
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
-### Related topic
+## Related topics
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
- [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
similarity index 90%
rename from windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index 8e87ecf9ea..c4691b7324 100644
--- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -40,4 +40,5 @@ Topic | Description
[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.
[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API.
[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API.
+[Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) | This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.
[Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API.
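Review bot: The added row's description repeats "the threat intelligence API" twice in one sentence and opens with "This article demonstrates", whereas the neighbouring rows use the imperative ("Create ...", "Use ...", "Learn ..."). Suggest matching them, for example "Walk through an end-to-end example to get started with the threat intelligence API."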
diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..75aed7ba70
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,45 @@
+---
+title: Use the Windows Defender Advanced Threat Protection portal
+description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
+keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 02/13/2018
+---
+
+# Use the Windows Defender Advanced Threat Protection portal
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
+
+You can use the Windows Defender ATP portal to carry out an end-to-end security breach investigation through the dashboards.
+
+Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
+
+Use the **Security analytics** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
+
+
+### In this section
+
+Topic | Description
+:---|:---
+[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions.
+[View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
+[View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
+
+
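Review bot: The front matter `description` and `keywords` promise coverage of how alerts work, alert investigation, file submission and deep analysis, but the body only introduces the two dashboards and links to three topics; either trim the metadata to what the page covers or add the missing topics to "In this section". The "In this section" heading is `###` directly under the `#` title, skipping a level, and the table writes "Security Analytics dashboard" while the body uses "Security analytics". The repeated blank `+` lines before the trial banner and at the end of the file can be dropped.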
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
rename to windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/graphics.md b/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/graphics.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/graphics.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/check-no.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/check-no.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/ep-default.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/ep-default.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/ep-prog.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/ep-prog.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif b/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif b/windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif b/windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/np-notif.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/np-notif.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
rename to windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
diff --git a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/prerelease.md b/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/prerelease.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
new file mode 100644
index 0000000000..eb71a22518
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
@@ -0,0 +1,217 @@
+---
+title: Deploy Exploit protection mitigations across your organization
+keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
+description: Remove unwanted Exploit protection mitigations.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 01/31/18
+---
+
+
+
+# Troubleshoot Exploit protection mitigations
+
+
+**Applies to:**
+
+- Windows 10, version 1709
+
+
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- PowerShell
+
+
+When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
+
+You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
+
+1. Remove all process mitigations with this PowerShell script:
+
+ ```PowerShell
+ # Check if Admin-Privileges are available
+ function Test-IsAdmin {
+ ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+ }
+
+ # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
+ # the key is deleted as well
+ function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
+ Try {
+ if ($Key.GetValue("MitigationOptions")) {
+ Write-Host "Removing MitigationOptions for: " $Name
+ Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
+ }
+ if ($Key.GetValue("MitigationAuditOptions")) {
+ Write-Host "Removing MitigationAuditOptions for: " $Name
+ Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
+ }
+
+ # Remove the FilterFullPath value if there is nothing else
+ if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
+ Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
+ }
+
+ # If the key is empty now, delete it
+ if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
+ Write-Host "Removing empty Entry: " $Name
+ Remove-Item -Path $Key.PSPath -ErrorAction Stop
+ }
+ }
+ Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
+ }
+ }
+
+ # Delete all ExploitGuard ProcessMitigations
+ function Remove-All-ProcessMitigations {
+ if (!(Test-IsAdmin)) {
+ throw "ERROR: No Administrator-Privileges detected!"; return
+ }
+
+ Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
+ $MitigationItem = $_;
+ $MitigationItemName = $MitigationItem.PSChildName
+
+ Try {
+ Remove-ProcessMitigations $MitigationItem $MitigationItemName
+
+ # "UseFilter" indicate full path filters may be present
+ if ($MitigationItem.GetValue("UseFilter")) {
+ Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
+ $FullPathItem = $_
+ if ($FullPathItem.GetValue("FilterFullPath")) {
+ $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
+ Write-Host "Removing FullPathEntry: " $Name
+ Remove-ProcessMitigations $FullPathItem $Name
+ }
+
+ # If there are no subkeys now, we can delete the "UseFilter" value
+ if ($MitigationItem.SubKeyCount -eq 0) {
+ Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
+ }
+ }
+ }
+ if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
+ Write-Host "Removing empty Entry: " $MitigationItemName
+ Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
+ }
+ }
+ Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
+ }
+ }
+ }
+
+ # Delete all ExploitGuard System-wide Mitigations
+ function Remove-All-SystemMitigations {
+
+ if (!(Test-IsAdmin)) {
+ throw "ERROR: No Administrator-Privileges detected!"; return
+ }
+
+ $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
+
+ Try {
+ if ($Kernel.GetValue("MitigationOptions"))
+ { Write-Host "Removing System MitigationOptions"
+ Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
+ }
+ if ($Kernel.GetValue("MitigationAuditOptions"))
+ { Write-Host "Removing System MitigationAuditOptions"
+ Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
+ }
+ } Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- System"
+ }
+ }
+
+ Remove-All-ProcessMitigations
+ Remove-All-SystemMitigations
+ ```
+
+2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
+
+ ```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ```
+
+If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) to complete your Exploit protection customization.
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Enable Exploit protection](enable-exploit-protection.md)
+- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
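Review bot: In `Remove-ProcessMitigations`, the `Catch` block reports `$MitigationItemName`, which is not a parameter of that function. It only resolves through the caller's scope, and for full-path filter entries it names the parent key instead of the entry that failed; use `$Name` there. In `Remove-All-ProcessMitigations`, the `UseFilter` cleanup sits inside the `ForEach-Object` over the subkeys, so it is evaluated on every iteration and never runs for a key that has `UseFilter` but no subkeys; move it after the loop. The `return` following each `throw` is unreachable. On the documentation side, the front-matter `title` ("Deploy Exploit protection mitigations across your organization") does not match the H1 ("Troubleshoot Exploit protection mitigations"), `ms.pagetype` is listed twice, and the `xml` fence in step 2 contains only blank lines as shown here, so the default mitigations the step refers to are missing.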
diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
similarity index 94%
rename from windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
index 817038ca1c..d75309c31b 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@@ -9,8 +9,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
-author: iaanw
-ms.author: iawilt
+author: andreabichsel
+ms.author: v-anbic
ms.date: 12/12/2017
---
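Review bot: `ms.date` stays at 12/12/2017 in this front matter although the patch changes both author fields here and rewrites the feature list further down in the same file. Update the date so it reflects this revision.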
@@ -33,10 +33,10 @@ Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrus
There are four features in Windows Defender EG:
-- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
-- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware
-- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices
-- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware
+- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
+- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
+- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.
+- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.
You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
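Review bot: The sentences appended to the four bullets are fragments with no subject ("Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).", "Requires Windows Defender AV."), which reads abruptly after a full sentence. Either give them a subject ("It requires Windows Defender AV.") or move the antivirus requirement into a consistent parenthetical or sub-item, so the dependency is easy to scan across all four features.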
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
rename to windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png
rename to windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/images/security-center-home.png
rename to windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
rename to windows/security/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
rename to windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
rename to windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
diff --git a/windows/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png b/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png
rename to windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png
diff --git a/windows/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
rename to windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
diff --git a/windows/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
rename to windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
diff --git a/windows/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
rename to windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
diff --git a/windows/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/wdsc-family-options.md
rename to windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
diff --git a/windows/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
rename to windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
diff --git a/windows/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
rename to windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
diff --git a/windows/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
rename to windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
similarity index 100%
rename from windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
rename to windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
diff --git a/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png b/windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png
similarity index 100%
rename from windows/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png
rename to windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png
new file mode 100644
index 0000000000..e51cd9384c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png differ
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
similarity index 95%
rename from windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
rename to windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index bd04f6e218..9bffa0146b 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
+author: jasongerend
ms.localizationpriority: high
-ms.date: 10/13/2017
+ms.date: 1/26/2018
---
# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**
@@ -69,7 +69,8 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
## MDM settings
-If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
+If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
+For SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
Setting
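Review bot: The removed and added copies of the "If you manage your policies using Microsoft Intune ..." line read the same here, so that part of the change appears to be whitespace-only, presumably trailing spaces to force a line break before the new Internet Explorer sentence. Invisible trailing whitespace is easily stripped by editors; a blank line before "For SmartScreen Internet Explorer MDM policies ...", or folding that sentence into the paragraph, would be sturdier.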
@@ -84,8 +85,8 @@ If you manage your policies using Microsoft Intune, you'll want to use these MDM
URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
Data type. Integer
Allowed values:
-
0 . Turns off Windows Defender SmartScreen.
-
1. Turns on Windows Defender SmartScreen.
+
0 . Turns off Windows Defender SmartScreen in Edge.
+
1. Turns on Windows Defender SmartScreen in Edge.
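Review bot: The reworded allowed values keep the inconsistent punctuation "0 ." against "1." in the lines being touched. Since both lines are rewritten anyway, normalize them to the same form. The same pair appears in the `EnableSmartScreenInShell` values changed in the following hunk.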
@@ -108,8 +109,8 @@ If you manage your policies using Microsoft Intune, you'll want to use these MDM
URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
Data type. Integer
Allowed values:
-
0 . Turns off SmartScreen in Windows.
-
1. Turns on SmartScreen in Windows.
+
0 . Turns off SmartScreen in Windows for app and file execution.
+
1. Turns on SmartScreen in Windows for app and file execution.
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
similarity index 94%
rename from windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
rename to windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 356afd413a..e5b587a7fe 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -43,7 +43,7 @@ Windows Defender SmartScreen helps to provide an early warning system against we
- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
-- **Improved heuristics and telemetry.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+- **Improved heuristics and diagnostic data.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
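Review bot: After the term swap, the bold label reads "Improved heuristics and diagnostic data", but "improved" does not sit naturally with "diagnostic data", and the sentence that follows still says only that SmartScreen is "constantly learning". Reword the label or add a clause saying what the diagnostic data is used for, so the substitution is more than a find-and-replace.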
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
similarity index 95%
rename from windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
rename to windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index f24e15d243..508f23802e 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -50,7 +50,7 @@ Starting with Windows 10, version 1703 your employees can use Windows Defender S
- In the **SmartScreen from Microsoft Store apps** area:
- - **Block** or **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
+ - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
- **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
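Review bot: Confirm that the **SmartScreen from Microsoft Store apps** area offers no Block option before the label is reduced to **Warn.** The description already covered only the warn behaviour ("but allows the action to continue"), so the new label matches it, but if a Block setting exists for Store apps it now has no entry and needs its own bullet describing what is blocked.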
diff --git a/windows/device-security/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
similarity index 100%
rename from windows/device-security/windows-security-baselines.md
rename to windows/security/threat-protection/windows-security-baselines.md
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
deleted file mode 100644
index 30f102d99c..0000000000
--- a/windows/threat-protection/TOC.md
+++ /dev/null
@@ -1,322 +0,0 @@
-# [Threat protection](index.md)
-
-
-## [The Windows Defender Security Center app](windows-defender-security-center\windows-defender-security-center.md)
-### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center\wdsc-customize-contact-information.md)
-### [Hide Windows Defender Security Center app notifications](windows-defender-security-center\wdsc-hide-notifications.md)
-### [Virus and threat protection](windows-defender-security-center\wdsc-virus-threat-protection.md)
-### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
-### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
-### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
-### [Family options](windows-defender-security-center\wdsc-family-options.md)
-
-
-
-
-
-
-## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
-### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
-### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
-### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
-### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
-### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
-##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
-##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-#### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
-#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
-#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-#### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
-#### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
-##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
-##### [Incident graph](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
-##### [Alert timeline](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
-#### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
-#### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
-#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
-#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
-#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
-##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
-#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
-#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
-#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
-##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
-### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
-#### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
-#### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
-#### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
-### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
-#### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
-#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
-#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
-##### Actor
-###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-##### Alerts
-###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-##### Domain
-###### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-##### File
-###### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
-
-##### IP
-###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-##### Machines
-###### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-
-
-
-##### User
-###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-
-### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
-#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
-#### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
-#### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
-#### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
-#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
-#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
-
-### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
-### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
-### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
-### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
-## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-
-### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-
-### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
-
-
-### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-
-
-### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-
-
-### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
-#### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
-##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
-##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
-##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
-
-
-### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-#### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-##### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-##### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-#### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-#### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-#### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-#### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-#### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-#### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
-
-
-### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
-
-
-
-### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-#### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
-
-
-
-## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
-### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
-#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
-
-### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
-#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
-#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
-### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
-#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
-### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
-#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
-#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
-
-
-
-
-
-
-## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
-### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
-### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
-
-##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
-###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
-###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
-###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
-###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
-###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
-
-## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
-### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
-#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
-##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
-##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
-#### [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
-##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
-##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
-#### [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)
-### [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
-#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
-### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
-### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
-### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md)
-### [Testing scenarios for Windows Information Protection (WIP)](windows-information-protection\testing-scenarios-for-wip.md)
-### [Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md)
-### [How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md)
-### [General guidance and best practices for Windows Information Protection (WIP)](windows-information-protection\guidance-and-best-practices-wip.md)
-#### [Enlightened apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)
-#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
-#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
-#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
-
-## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
-
-## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-
-## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
-
-## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
-
-## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
-
-## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-
-## [Change history for Threat Protection](change-history-for-threat-protection.md)
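Review bot: Many of the TOC entries removed here point at in-page anchors rather than whole files, for example `respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network` and `investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree`. If these topics are being relocated rather than retired, a file-level redirect is not enough on its own; please confirm the new pages keep the same heading anchors so that deep links into the response-action and investigation guidance still resolve. The visible lines also contain defects that should not be carried into whatever TOC replaces this one: the Machines block lists `Get machines` twice with the same target, the sensor-health entries reference a misspelled file name (`fix-unhealhty-sensors-...`), the Application Guard block uses `##[` and `###[` with no space after the hashes, and every link uses `\` as the path separator where `/` would be the portable choice.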
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
deleted file mode 100644
index 6f573cc55e..0000000000
--- a/windows/threat-protection/change-history-for-threat-protection.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Change history for threat protection (Windows 10)
-description: This topic lists new and updated topics in the Windows 10 threat protection documentation for Windows 10 and Windows 10 Mobile.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 10/31/2017
----
-
-# Change history for threat protection
-This topic lists new and updated topics in the [Threat protection](index.md) documentation.
-
-## October 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)|Added auto-recovery section.
-|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)|New topic for MAM using the Azure portal.|
-
-## June 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New |
-|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
-|[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
-|[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
-|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.|
-|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content |
-
-
-## March 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
-|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
-|[Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.|
-|[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New |
-|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)|New |
-|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)|New |
-|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. |
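Review bot: change-history-for-threat-protection.md is deleted outright, while index.md in the same directory is kept as a redirect_url stub, and nothing in the visible lines shows a redirect for this page. The TOC entry removed above linked to it, so existing bookmarks and inbound links will break unless a redirect exists elsewhere in the change. Either keep a stub with redirect_url here, as done for index.md, or confirm a redirection entry covers this path.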
diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md
index e33a61e7c8..1417ec0534 100644
--- a/windows/threat-protection/index.md
+++ b/windows/threat-protection/index.md
@@ -1,29 +1,3 @@
---
-title: Threat Protection (Windows 10)
-description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 08/11/2017
+redirect_url: https://docs.microsoft.com/windows/security/threat-protection/
---
-
-# Threat Protection
-
-Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
-
-| Section | Description |
-|-|-|
-|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
-|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
-|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
-|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
-|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
-|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
-|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
-|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
-|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.|
-|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.|
-|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) |Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
-|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. |
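Review bot: the added redirect_url hard-codes the host (https://docs.microsoft.com/windows/security/threat-protection/), whereas links added elsewhere in this change are site-relative (for example /windows/security/identity-protection/hello-for-business/hello-features#pin-reset in whats-new-windows-10-version-1703.md). Consider /windows/security/threat-protection/ here for consistency and so the stub keeps working on staging or alternate hosts. Also note that the twelve section links in the removed table now collapse to a single landing page, so each of those target pages needs its own redirect.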
diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 7068cb4a06..0000000000
--- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Use the Windows Defender Advanced Threat Protection portal
-description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
-keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: high
-ms.date: 10/16/2017
----
-
-# Use the Windows Defender Advanced Threat Protection portal
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
-
-A typical security breach investigation requires a member of a security operations team to:
-
-1. View an alert on the **Security operations dashboard** or **Alerts queue**
-2. Review the indicators of compromise (IOC) or indications of attack (IOAs)
-3. Review a timeline of alerts, behaviors, and events from the machine
-4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert
-
-
-
-Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal.
-
-Teams can monitor the overall status of enterprise endpoints from the **Security operations dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance.
-
-### In this section
-
-Topic | Description
-:---|:---
-[View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
-[View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
-[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
-[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
-[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
-[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
-[View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
-[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
-[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
-[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
-[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks.
diff --git a/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png
deleted file mode 100644
index b2700addba..0000000000
Binary files a/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png and /dev/null differ
diff --git a/windows/whats-new/images/video-1709.jpg b/windows/whats-new/images/video-1709.jpg
new file mode 100644
index 0000000000..b54fe67cf6
Binary files /dev/null and b/windows/whats-new/images/video-1709.jpg differ
diff --git a/windows/whats-new/images/video-1709s.jpg b/windows/whats-new/images/video-1709s.jpg
new file mode 100644
index 0000000000..7abc313dd8
Binary files /dev/null and b/windows/whats-new/images/video-1709s.jpg differ
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index dfcecb8b7a..b296cc0cdf 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -35,7 +35,7 @@ Windows ICD now includes simplified workflows for creating provisioning packages
Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
@@ -81,7 +81,7 @@ Additional changes for Windows Hello in Windows 10, version 1607:
### VPN
-- The VPN client can integrate with the Conditional Access Framework, a cloud-pased policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
+- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
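Review bot: the unchanged WIP bullet directly below the corrected line still links to /windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip, under the tree whose index.md this change turns into a redirect to /windows/security/threat-protection/. Since this list is already being touched, update that link to the new location so it does not depend on a redirect. The spelling fix itself (cloud-pased to cloud-based) is fine.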
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 3b14218ea5..9beb4709cd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -122,7 +122,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
### Windows Defender Antivirus
Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
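Review bot: the replaced line fixes the reversed Markdown link syntax, but the sentence still does not parse ("Get a quick, but in-depth overview ... see [link]"). Suggest rewording to "For a quick but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703, see [Windows Defender ATP for Windows 10 Creators Update](...)". The target URL also keeps the en-au locale segment; consider dropping it if the page resolves without it, so readers are not pinned to one locale.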
@@ -169,7 +169,7 @@ For Windows Phone devices, an administrator is able to initiate a remote PIN res
For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**.
-For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
+For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
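Review bot: the new target changes both the page and the anchor (hello-why-pin-is-better-than-password#what-if-i-forget-my-pin becomes hello-features#pin-reset), but the link text is still "What if I forget my PIN?", which no longer matches the heading it points to. Verify that the #pin-reset anchor exists on hello-features and adjust the link text to the destination heading, since a wrong anchor fails silently by landing at the top of the page.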
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 5f24153730..8bf610b344 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
-ms.date: 01/23/2018
+ms.date: 01/24/2018
ms.localizationpriority: high
---
@@ -21,11 +21,7 @@ A brief description of new or updated features in this version of Windows 10 is
-
-
-
-
+> [!video https://www.microsoft.com/en-us/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
## Deployment