Merge remote-tracking branch 'refs/remotes/origin/rs5' into jd5wcd

2025-05-16 07:17:24 +00:00 · 2018-08-01 06:30:47 -07:00 · 2018-08-01 06:30:47 -07:00 · db8d751f0b
commit db8d751f0b
parent a2bfe87845 b28c063d81
84 changed files with 2114 additions and 1552 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -6566,6 +6566,21 @@
 "redirect_document_id": true
 },
 {
 "source_path": "windows/configuration/kiosk-shared-pc.md",
 "redirect_url": "/windows/configuration/kiosk-methods",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/configuration/setup-kiosk-digital-signage.md",
 "redirect_url": "/windows/configuration/kiosk-single-app",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/configuration/multi-app-kiosk-xml.md",
 "redirect_url": "/windows/configuration/kiosk-xml",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md",
 "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps",
 "redirect_document_id": true
@ -6686,11 +6701,6 @@
 "redirect_document_id": true
 },
 {
 "source_path": "windows/configuration/multi-app-kiosk-xml.md",
 "redirect_url": "windows/configuration/kiosk-xml.md",
 "redirect_document_id": true     
 },
 {
 "source_path": "windows/configure/provisioning-uninstall-package.md",
 "redirect_url": "/windows/configuration/provisioning-packages/provisioning-uninstall-package",
 "redirect_document_id": true
--- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md
+++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md
@ -14,6 +14,10 @@
 |Enabled |3 |3 |Send both intranet and Internet history | |
 ---
 >>You can find this setting in the following location of the Group Policy Editor:
 >> 
 >>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**_Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\_**
 >[!IMPORTANT]
 >For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID.
--- a/browsers/edge/new-policies.md
+++ b/browsers/edge/new-policies.md
@ -22,7 +22,7 @@ We are discontinuing the use of the **Configure Favorites** group policy. Use th
->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:
+>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
 >> 
 >>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_**
 <p>
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@ -51,3 +51,10 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof
 ## Additional resources
 - [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history)
 - [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/)
 - [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ)
 - [Microsoft Surface on Twitter](https://twitter.com/surface)
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@ -117,6 +117,14 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app
 >[!Note]
 >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
 ### Version 2.22.139.0
 *Release Date: 26 July 2018*
 This version of Surface Dock Updater adds support for the following:
 - Increase update reliability
 - Add support for Surface Go
 ### Version 2.12.136.0
 *Release Date: 29 January 2018*
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@ -49,4 +49,8 @@ Surface devices with support for out-of-box deployment with Windows Autopilot, e
 ## Surface partners enabled for Windows Autopilot
 Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
-You can find a list of Surface partners enabled for Windows Autopilot at the [Windows Autopilot for Surface portal](https://www.microsoft.com/en-us/itpro/surface/windows-autopilot-for-surface).
+When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: 
 - [SHI](https://www.shi.com/?reseller=shi)
 - [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface.html)
 - [Atea](https://www.atea.com/)
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@ -15,7 +15,7 @@ ms.date: 07/11/2018
 # Use the Set up School PCs app  
-IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app anrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM.   
+IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM.   
 Set up School PCs also:  
 * Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.  
--- a/mdop/mbam-v25/getting-started-with-mbam-25.md
+++ b/mdop/mbam-v25/getting-started-with-mbam-25.md
@ -20,8 +20,6 @@ See the following resources for additional MBAM documentation:
 -   [Microsoft BitLocker Administration and Monitoring Deployment Guide](https://go.microsoft.com/fwlink/?LinkId=396653)
 -   [Microsoft Training Overview](https://go.microsoft.com/fwlink/p/?LinkId=80347)
 Before you deploy MBAM to a production environment, we recommend that you validate your deployment plan in a test environment.
 ## Getting started with MBAM 2.5
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@ -365,7 +365,7 @@ https://www.microsoft.com/en-us/download/details.aspx?id=54967<td align="left"><
 </table>
 **Note**  
-In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 .  In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.
+In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967  and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.
 ### <a href="" id="bkmk-sql-stand-alone-ramreqs"></a>SQL Server processor, RAM, and disk space requirements – Stand-alone topology
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 04/24/2018
+ms.date: 07/27/2018
 ---
 # Configuration service provider reference
@ -2660,6 +2660,7 @@ The following list shows the configuration service providers supported in Window
 | [NodeCache CSP](nodecache-csp.md)  | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       |
 [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
 | [Policy CSP](policy-configuration-service-provider.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       |
 | [RemoteFind CSP](remotefind-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4       |
 | [RemoteWipe CSP](remotewipe-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4       |
 | [RootCATrustedCertificates CSP](rootcacertificates-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       |
 | [Update CSP](update-csp.md)     | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       |
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 03/12/2018
+ms.date: 07/26/2018
 ---
 # DeviceStatus CSP
@ -178,11 +178,24 @@ Supported operation is Get.
 <a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**  
 Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
 Valid values:
 -  0 - The security software reports that it is not the most recent version.
 -  1 - The security software reports that it is the most recent version.
 -  2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
 Supported operation is Get.
 <a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**  
 Added in Windows, version 1607. Integer that specifies the status of the antispyware.
 Valid values:
 -  0 - The status of the security provider category is good and does not need user attention.
 -  1 - The status of the security provider category is not monitored by Windows Security Center (WSC).
 -  2 - The status of the security provider category is poor and the computer may be at risk.
 -  3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer.
 Supported operation is Get.
 <a href="" id="devicestatus-firewall"></a>**DeviceStatus/Firewall**  
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/23/2018
+ms.date: 07/27/2018
 ---
 # What's new in MDM enrollment and management
@ -1638,32 +1638,36 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 </thead>
 <tbody>
 <tr>
 <td style="vertical-align:top">[PassportForWork  CSP](passportforwork-csp.md)</td>
 <td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[EnterpriseModernAppManagement  CSP](enterprisemodernappmanagement-csp.md)</td>
-<td style="vertical-align:top"><p>Added NonRemovable setting under AppManagement node.</p>
+<td style="vertical-align:top"><p>Added NonRemovable setting under AppManagement node in Windows 10, next major version.</p>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[Win32CompatibilityAppraiser  CSP](win32compatibilityappraiser-csp.md)</td>
-<td style="vertical-align:top"><p>Added new configuration service provider.</p>
+<td style="vertical-align:top"><p>Added new configuration service provider in Windows 10, next major version.</p>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[WindowsLicensing  CSP](windowslicensing-csp.md)</td>
-<td style="vertical-align:top"><p>Added S mode settings and SyncML examples.</p>
+<td style="vertical-align:top"><p>Added S mode settings and SyncML examples in Windows 10, next major version.</p>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[SUPL CSP](supl-csp.md)</td>
-<td style="vertical-align:top"><p>Added 3 new certificate nodes.</p>
+<td style="vertical-align:top"><p>Added 3 new certificate nodes in Windows 10, next major version.</p>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
-<td style="vertical-align:top"><p>Added a new node Health/ProductStatus.</p>
+<td style="vertical-align:top"><p>Added a new node Health/ProductStatus in Windows 10, next major version.</p>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
-<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption.</p>
+<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption in Windows 10, next major version.</p>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[DevDetail CSP](devdetail-csp.md)</td>
-<td style="vertical-align:top"><p>Added a new node SMBIOSSerialNumber.</p>
+<td style="vertical-align:top"><p>Added a new node SMBIOSSerialNumber in Windows 10, next major version.</p>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -365,6 +365,15 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice" id="authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
  </dd>
  <dd>
    <a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
  </dd>
  <dd>
    <a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a>
  </dd>
  <dd>
    <a href="./policy-csp-authentication.md#authentication-preferredaadtenantdomainname" id="authentication-preferredaadtenantdomainname">Authentication/PreferredAadTenantDomainName</a>
  </dd>
 </dl>
 ### Autoplay policies
@ -979,6 +988,9 @@ The following diagram shows the Policy configuration service provider in tree fo
 ### DeviceGuard policies
 <dl>
  <dd>
    <a href="./policy-csp-deviceguard.md#deviceguard-enablesystemguard" id="deviceguard-enablesystemguard">DeviceGuard/EnableSystemGuard</a>
  </dd>
  <dd>
    <a href="./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity" id="deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
  </dd>
@ -1246,6 +1258,12 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-experience.md#experience-donotshowfeedbacknotifications" id="experience-donotshowfeedbacknotifications">Experience/DoNotShowFeedbackNotifications</a>
  </dd>
  <dd>
    <a href="./policy-csp-experience.md#experience-donotsyncbrowsersetting" id="experience-donotsyncbrowsersetting">Experience/DoNotSyncBrowserSetting</a>
  </dd>
  <dd>
    <a href="./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing" id="experience-preventusersfromturningonbrowsersyncing">Experience/PreventUsersFromTurningOnBrowserSyncing</a>
  </dd>
 </dl>
 ### ExploitGuard policies
@ -4278,6 +4296,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
 -   [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
 -   [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
 -   [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard)
 -   [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
 -   [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
 -   [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
@ -4319,6 +4338,8 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
 -   [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
 -   [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
 -   [Experience/DoNotSyncBrowserSetting](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
 -   [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
 -   [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
 -   [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
 -   [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Accounts
@ -248,9 +248,4 @@ Footnote:
 <!--/Policies-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Accounts policies supported by Windows Holographic for Business  
 -   [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)  
 <!--EndHoloLens-->
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/11/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - ApplicationManagement
@ -1050,17 +1050,3 @@ Footnote:
 <!--/Policies-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>ApplicationManagement policies supported by Windows Holographic for Business  
 -   [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)  
 -   [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)  
 -   [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>ApplicationManagement policies supported by IoT Core  
 -   [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)  
 <!--EndIoTCore-->
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Authentication
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 <hr/>
@ -34,6 +36,15 @@ ms.date: 05/14/2018
  <dd>
    <a href="#authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
  </dd>
  <dd>
    <a href="#authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
  </dd>
  <dd>
    <a href="#authentication-enablewebsignin">Authentication/EnableWebSignIn</a>
  </dd>
  <dd>
    <a href="#authentication-preferredaadtenantdomainname">Authentication/PreferredAadTenantDomainName</a>
  </dd>
 </dl>
@ -302,6 +313,182 @@ The following list shows the supported values:
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="authentication-enablefastfirstsignin"></a>**Authentication/EnableFastFirstSignIn**  
 <!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td></td>
 	<td></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
 Value type is integer. Supported values:
 - 0 - (default) The feature defaults to the existing SKU and device capabilities.
 - 1 - Enabled. Auto connect new non-admin AZure AD accounts to pre-configured candidate local accounts
 - 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts
 <!--/Description-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="authentication-enablewebsignin"></a>**Authentication/EnableWebSignIn**  
 <!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td></td>
 	<td></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 "Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). 
 > [!Note]  
 > Web Sign-in is only supported on Azure AD Joined PCs.
 Value type is integer. Supported values:
 - 0 - (default) The feature defaults to the existing SKU and device capabilities.
 - 1 - Enabled. Web Credential Provider will be enabled for Sign In
 - 2 - Disabled. Web Credential Provider will not be enabled for Sign In
 <!--/Description-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="authentication-preferredaadtenantdomainname"></a>**Authentication/PreferredAadTenantDomainName**  
 <!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td></td>
 	<td></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Specifies the preferred domain among available domains in the Azure AD tenant.
 Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", she would then be able to sign in using "abby" in the username field instead of "abby@contoso.com".
 Value type is string.
 <!--/Description-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 Footnote:
@ -310,18 +497,6 @@ Footnote:
 -   2 - Added in Windows 10, version 1703.
 -   3 - Added in Windows 10, version 1709.
 -   4 - Added in Windows 10, version 1803.
 -   5 - Added in the next major release of Windows 10.
 <!--/Policies-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Authentication policies supported by Windows Holographic for Business  
 -   [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>Authentication policies supported by IoT Core  
 -   [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)  
 <!--EndIoTCore-->
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Bluetooth
@ -439,30 +439,4 @@ Footnote: * The Surface pen uses the HID over GATT profile
 {00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Bluetooth policies supported by Windows Holographic for Business  
 -   [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)  
 -   [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)  
 -   [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>Bluetooth policies supported by IoT Core  
 -   [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)  
 -   [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)  
 -   [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)  
 -   [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)  
 <!--EndIoTCore-->
 <!--StartSurfaceHub-->
 ## <a href="" id="surfacehubpolicies"></a>Bluetooth policies supported by Microsoft Surface Hub  
 -   [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)  
 -   [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)  
 -   [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)  
 -   [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)  
 -   [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)  
 <!--EndSurfaceHub-->
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@ -6,7 +6,7 @@ ms.prod: w10
 ms.technology: windows
 author: shortpatti
 ms.author: pashort
-ms.date: 07/18/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Browser
@ -3974,57 +3974,3 @@ Footnote:
 <!--/Policies-->
 <!--StartEAS-->
 ## <a href="" id="eas"></a>Browser policies that can be set using Exchange Active Sync (EAS)  
 -   [Browser/AllowBrowser](#browser-allowbrowser)  
 <!--EndEAS-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Browser policies supported by Windows Holographic for Business  
 -   [Browser/AllowCookies](#browser-allowcookies)  
 -   [Browser/AllowDoNotTrack](#browser-allowdonottrack)  
 -   [Browser/AllowPasswordManager](#browser-allowpasswordmanager)  
 -   [Browser/AllowPopups](#browser-allowpopups)  
 -   [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)  
 -   [Browser/AllowSmartScreen](#browser-allowsmartscreen)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>Browser policies supported by IoT Core  
 -   [Browser/AllowAutofill](#browser-allowautofill)  
 -   [Browser/AllowBrowser](#browser-allowbrowser)  
 -   [Browser/AllowCookies](#browser-allowcookies)  
 -   [Browser/AllowDoNotTrack](#browser-allowdonottrack)  
 -   [Browser/AllowInPrivate](#browser-allowinprivate)  
 -   [Browser/AllowPasswordManager](#browser-allowpasswordmanager)  
 -   [Browser/AllowPopups](#browser-allowpopups)  
 -   [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)  
 -   [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)  
 -   [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)  
 -   [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)  
 <!--EndIoTCore-->
 <!--StartSurfaceHub-->
 ## <a href="" id="surfacehubpolicies"></a>Browser policies supported by Microsoft Surface Hub  
 -   [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown)  
 -   [Browser/AllowCookies](#browser-allowcookies)  
 -   [Browser/AllowDeveloperTools](#browser-allowdevelopertools)  
 -   [Browser/AllowDoNotTrack](#browser-allowdonottrack)  
 -   [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist)  
 -   [Browser/AllowPopups](#browser-allowpopups)  
 -   [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)  
 -   [Browser/AllowSmartScreen](#browser-allowsmartscreen)  
 -   [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit)  
 -   [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines)  
 -   [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages)  
 -   [Browser/HomePages](#browser-homepages)  
 -   [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection)  
 -   [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)  
 -   [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)  
 -   [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)  
 <!--EndSurfaceHub-->
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Connectivity
@ -972,40 +972,5 @@ Footnote:
 <!--/Policies-->
 <!--StartEAS-->
 ## <a href="" id="eas"></a>Connectivity policies that can be set using Exchange Active Sync (EAS)  
 -   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)  
 -   [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)  
 -   [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)  
 <!--EndEAS-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Connectivity policies supported by Windows Holographic for Business  
 -   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>Connectivity policies supported by IoT Core  
 -   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)  
 -   [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)  
 -   [Connectivity/AllowNFC](#connectivity-allownfc)  
 -   [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)  
 -   [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)  
 -   [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)  
 -   [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp)  
 -   [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp)  
 -   [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)  
 -   [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)  
 -   [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge)  
 <!--EndIoTCore-->
 <!--StartSurfaceHub-->
 ## <a href="" id="surfacehubpolicies"></a>Connectivity policies supported by Microsoft Surface Hub  
 -   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)  
 -   [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)  
 <!--EndSurfaceHub-->
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 03/12/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - DeviceGuard
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 <hr/>
@ -19,6 +21,9 @@ ms.date: 03/12/2018
 ## DeviceGuard policies  
 <dl>
  <dd>
    <a href="#deviceguard-enablesystemguard">DeviceGuard/EnableSystemGuard</a>
  </dd>
  <dd>
    <a href="#deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
  </dd>
@ -31,6 +36,75 @@ ms.date: 03/12/2018
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="deviceguard-enablesystemguard"></a>**DeviceGuard/EnableSystemGuard**  
 <!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td></td>
 	<td></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy allows the IT admin to configure the launch of System Guard.
 Secure Launch configuration:
 - 0 - Unmanaged, configurable by Administrative user
 - 1 - Enables Secure Launch if supported by hardware
 - 2 - Disables Secure Launch.
 For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows).
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP English name: *Turn On Virtualization Based Security*
 -   GP name: *VirtualizationBasedSecurity*
 -   GP element: *SystemGuardDrop*
 -   GP path: *System/Device Guard*
 -   GP ADMX file name: *DeviceGuard.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
@ -215,6 +289,7 @@ Footnote:
 -   2 - Added in Windows 10, version 1703.
 -   3 - Added in Windows 10, version 1709.
 -   4 - Added in Windows 10, version 1803.
 -   5 - Added in the next major release of Windows 10.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - DeviceLock
@ -1217,32 +1217,3 @@ Footnote:
 <!--/Policies-->
 <!--StartEAS-->
 ## <a href="" id="eas"></a>DeviceLock policies that can be set using Exchange Active Sync (EAS)  
 -   [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)  
 -   [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)  
 -   [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)  
 -   [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)  
 -   [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)  
 -   [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)  
 -   [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)  
 -   [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)  
 -   [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)  
 -   [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow)  
 <!--EndEAS-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>DeviceLock policies supported by Windows Holographic for Business  
 -   [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
 -   [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
 -   [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
 -   [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
 -   [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
 -   [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
 -   [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
 -   [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) 
 -   [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)   
 <!--EndHoloLens-->
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/13/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Experience
@ -90,6 +90,12 @@ ms.date: 07/13/2018
  <dd>
    <a href="#experience-donotshowfeedbacknotifications">Experience/DoNotShowFeedbackNotifications</a>
  </dd>
  <dd>
    <a href="#experience-donotsyncbrowsersetting">Experience/DoNotSyncBrowserSetting</a>
  </dd>
  <dd>
    <a href="#experience-preventusersfromturningonbrowsersyncing">Experience/PreventUsersFromTurningOnBrowserSyncing</a>
  </dd>
 </dl>
@ -1392,6 +1398,159 @@ The following list shows the supported values:
 <hr/>
 <!--Policy-->
 <a href="" id="experience-donotsyncbrowsersetting"></a>**Experience/DoNotSyncBrowserSetting**  
 <!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td></td>
 	<td></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 By default, the "browser" group syncs automatically between user’s devices and allowing users to choose to make changes. The "browser" group uses the **Sync your Settings** option in Settings to sync information like history and favorites. Enabling this policy prevents the "browser" group from using the **Sync your Settings** option. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option.
 Related policy: PreventUsersFromTurningOnBrowserSyncing.
 Value type is integer. Supported values:  
 -  0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes.
 -  2 - Prevented/turned off. The "browser" group does not use the **Sync your Settings** option.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP English name: *Do not sync browser settings*
 -   GP name: *DisableWebBrowserSettingSync*
 -   GP path: *Windows Components/Sync your settings*
 -   GP ADMX file name: *SettingSync.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="experience-preventusersfromturningonbrowsersyncing"></a>**Experience/PreventUsersFromTurningOnBrowserSyncing**  
 <!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
 	<td></td>
 	<td></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 By default, the "browser" group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle in Settings. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
 Related policy: DoNotSyncBrowserSetting
 Value type is integer. Supported values:  
 -  0 - Allowed/turned on. Users can sync the browser settings.
 -  1 (default) - Prevented/turned off.
 This policy only works with the Experience/DoNotSyncBrowserSetting policy, and for this policy to work correctly, you must set Experience/DoNotSynBrowserSettings to 2 (enabled). By default, when you set this policy and the Experience/DoNotSyncBrowserSetting policy to 0 (disabled or not configured), the browser settings sync automatically. However, with this policy, you can prevent the syncing of browser settings and prevent users from turning on the Sync your Settings option. Additionally, you can prevent syncing the browser settings but give users a choice to turn on syncing. 
 If you want to prevent syncing of browser settings and prevent users from turning it on:  
 1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled).
 1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured).
 If you want to prevent syncing of browser settings but give users a choice to turn on syncing:  
 1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled).
 1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled).
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP English name: *Do not sync browser settings*
 -   GP name: *DisableWebBrowserSettingSync*
 -   GP element: *CheckBox_UserOverride*
 -   GP path: *Windows Components/Sync your settings*
 -   GP ADMX file name: *SettingSync.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 **Validation procedure:**  
 Microsoft Edge on your PC:
 1. Select More  > Settings.
 1. See if the setting is enabled or disabled based on your setting.
 <!--/Validation-->
 <!--/Policy-->
 <<<<<<< HEAD
 =======
 >>>>>>> 3c06afe9875ad82fff960313bea663f49a2f7d2c
 <hr/>
 Footnote:
 -   1 - Added in Windows 10, version 1607.
@ -1402,10 +1561,4 @@ Footnote:
 <!--/Policies-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Experience policies supported by Windows Holographic for Business  
 -   [Experience/AllowCortana](#experience-allowcortana)  
 -   [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)  
 <!--EndHoloLens-->
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 06/05/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Privacy
@ -4844,43 +4844,4 @@ Footnote:
 <!--/Policies-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Privacy policies supported by Windows Holographic for Business  
 -   [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard)  
 -   [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)  
 -   [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput)  
 -   [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps)  
 -   [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps)  
 -   [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps)  
 -   [Privacy/UploadUserActivities](#privacy-uploaduseractivities)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>Privacy policies supported by IoT Core  
 -   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
 -   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
 -   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
 -   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
 -   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
 -   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
 <!--EndIoTCore-->
 <!--StartSurfaceHub-->
 ## <a href="" id="surfacehubpolicies"></a>Privacy policies supported by Microsoft Surface Hub  
 -   [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)  
 -   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
 -   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
 -   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
 -   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
 -   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
 -   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
 -   [Privacy/PublishUserActivities](#privacy-publishuseractivities)  
 <!--EndSurfaceHub-->
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Search
@ -860,15 +860,5 @@ Footnote:
 <!--/Policies-->
 <!--StartEAS-->
 ## <a href="" id="eas"></a>Search policies that can be set using Exchange Active Sync (EAS)  
 -   [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)  
 <!--EndEAS-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Search policies supported by Windows Holographic for Business  
 -   [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)  
 <!--EndHoloLens-->
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 06/26/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Security
@ -664,31 +664,5 @@ Footnote:
 <!--/Policies-->
 <!--StartEAS-->
 ## <a href="" id="eas"></a>Security policies that can be set using Exchange Active Sync (EAS)  
 -   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
 <!--EndEAS-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Security policies supported by Windows Holographic for Business  
 -   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>Security policies supported by IoT Core  
 -   [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)  
 -   [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)  
 -   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
 -   [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)  
 <!--EndIoTCore-->
 <!--StartSurfaceHub-->
 ## <a href="" id="surfacehubpolicies"></a>Security policies supported by Microsoft Surface Hub  
 -   [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)  
 -   [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)  
 <!--EndSurfaceHub-->
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Settings
@ -849,10 +849,5 @@ Footnote:
 <!--/Policies-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Settings policies supported by Windows Holographic for Business  
 -   [Settings/AllowDateTime](#settings-allowdatetime)  
 -   [Settings/AllowVPN](#settings-allowvpn)  
 <!--EndHoloLens-->
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 06/05/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - System
@ -1194,34 +1194,5 @@ Footnote:
 <!--/Policies-->
 <!--StartEAS-->
 ## <a href="" id="eas"></a>System policies that can be set using Exchange Active Sync (EAS)  
 -   [System/AllowStorageCard](#system-allowstoragecard)  
 -   [System/TelemetryProxy](#system-telemetryproxy)  
 <!--EndEAS-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>System policies supported by Windows Holographic for Business  
 -   [System/AllowLocation](#system-allowlocation)  
 -   [System/AllowTelemetry](#system-allowtelemetry)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>System policies supported by IoT Core  
 -   [System/AllowEmbeddedMode](#system-allowembeddedmode)  
 -   [System/AllowFontProviders](#system-allowfontproviders)  
 -   [System/AllowStorageCard](#system-allowstoragecard)  
 -   [System/TelemetryProxy](#system-telemetryproxy)  
 <!--EndIoTCore-->
 <!--StartSurfaceHub-->
 ## <a href="" id="surfacehubpolicies"></a>System policies supported by Microsoft Surface Hub  
 -   [System/AllowFontProviders](#system-allowfontproviders)  
 -   [System/AllowLocation](#system-allowlocation)  
 -   [System/AllowTelemetry](#system-allowtelemetry)  
 <!--EndSurfaceHub-->
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/18/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Update
@ -3551,52 +3551,4 @@ Footnote:
 <!--/Policies-->
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Update policies supported by Windows Holographic for Business  
 -   [Update/AllowAutoUpdate](#update-allowautoupdate)  
 -   [Update/AllowUpdateService](#update-allowupdateservice)  
 -   [Update/RequireDeferUpgrade](#update-requiredeferupgrade)  
 -   [Update/RequireUpdateApproval](#update-requireupdateapproval)  
 -   [Update/UpdateServiceUrl](#update-updateserviceurl)  
 <!--EndHoloLens-->
 <!--StartIoTCore-->
 ## <a href="" id="iotcore"></a>Update policies supported by IoT Core  
 -   [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)  
 -   [Update/AllowUpdateService](#update-allowupdateservice)  
 -   [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#update-autorestartdeadlineperiodindaysforfeatureupdates)  
 -   [Update/EngagedRestartDeadlineForFeatureUpdates](#update-engagedrestartdeadlineforfeatureupdates)  
 -   [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](#update-engagedrestartsnoozescheduleforfeatureupdates)  
 -   [Update/EngagedRestartTransitionScheduleForFeatureUpdates](#update-engagedrestarttransitionscheduleforfeatureupdates)  
 -   [Update/PauseDeferrals](#update-pausedeferrals)  
 -   [Update/RequireDeferUpgrade](#update-requiredeferupgrade)  
 -   [Update/RequireUpdateApproval](#update-requireupdateapproval)  
 -   [Update/ScheduledInstallDay](#update-scheduledinstallday)  
 -   [Update/ScheduledInstallTime](#update-scheduledinstalltime)  
 -   [Update/SetDisablePauseUXAccess](#update-setdisablepauseuxaccess)  
 -   [Update/SetDisableUXWUAccess](#update-setdisableuxwuaccess)  
 -   [Update/UpdateServiceUrl](#update-updateserviceurl)  
 <!--EndIoTCore-->
 <!--StartSurfaceHub-->
 ## <a href="" id="surfacehubpolicies"></a>Update policies supported by Microsoft Surface Hub  
 -   [Update/AllowAutoUpdate](#update-allowautoupdate)  
 -   [Update/AllowUpdateService](#update-allowupdateservice)  
 -   [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)  
 -   [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)  
 -   [Update/BranchReadinessLevel](#update-branchreadinesslevel)  
 -   [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)  
 -   [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)  
 -   [Update/DetectionFrequency](#update-detectionfrequency)  
 -   [Update/PauseFeatureUpdates](#update-pausefeatureupdates)  
 -   [Update/PauseQualityUpdates](#update-pausequalityupdates)  
 -   [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)  
 -   [Update/ScheduleRestartWarning](#update-schedulerestartwarning)  
 -   [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)  
 -   [Update/UpdateServiceUrl](#update-updateserviceurl)  
 -   [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)  
 <!--EndSurfaceHub-->
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@ -255,7 +255,14 @@ An optional flag to enable Always On mode. This will automatically connect the V
 > **Note**  Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
- 
+Preserving user Always On preference
 Windows has a feature to preserve a user’s AlwaysOn preference.  In the event that a user manually unchecks the “Connect    automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.  
 Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
 Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
 Value: AutoTriggerDisabledProfilesList
 Type: REG_MULTI_SZ
 Valid values:
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@ -1,13 +1,20 @@
 # [Configure Windows 10](index.md)
 ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
-## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
+## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
-### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
+## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md)
-### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md)
+### [Prepare a device for kiosk configuration](kiosk-prepare.md)
-### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
+### [Set up digital signs on Windows 10](setup-digital-signage.md)
-### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
+### [Set up a single-app kiosk](kiosk-single-app.md)
 ### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md)
 ### [More kiosk methods and reference information](kiosk-additional-reference.md)
 #### [Validate your kiosk configuration](kiosk-validate.md)
 #### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
 #### [Policies enforced on kiosk devices](kiosk-policies.md)
 #### [Assigned access XML reference](kiosk-xml.md)
 #### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md)
 #### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md)
 #### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md)
 #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
 #### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md)
 ### [Assigned Access configuration (kiosk) XML reference](kiosk-xml.md)
 ## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
 ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
 ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@ -10,14 +10,18 @@ ms.localizationpriority: medium
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 06/27/2018
+ms.date: 07/30/2018
 ---
 # Change history for Configure Windows 10
 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
 ## July 2018
 New or changed topic | Description 
 --- | ---
 [Configure kiosks and child topics](kiosk-methods.md) | Reorganized the information for configuring kiosks into new topics, and moved [Set up shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md).
 ## June 2018
@ -70,7 +74,7 @@ New or changed topic | Description
 New or changed topic | Description
 --- | ---
 [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update.
-Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer.
+Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it **Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education** and reorganized the information to make the choices clearer.
 ## February 2018
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@ -1,6 +1,6 @@
 ---
 title: Guidelines for choosing an app for assigned access (Windows 10)
-description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
+description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
 keywords: ["kiosk", "lockdown", "assigned access"]
 ms.prod: w10
 ms.mktglfcycl: manage
@ -9,7 +9,7 @@ author: jdeckerms
 ms.localizationpriority: medium
 ms.author: jdecker
 ms.topic: article
-ms.date: 05/31/2018
+ms.date: 07/30/2018
 ---
 # Guidelines for choosing an app for assigned access (kiosk mode)
@ -55,12 +55,12 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr
 >[!NOTE]
 >If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
-#### Kiosk Browser settings
+### Kiosk Browser settings
 Kiosk Browser settings | Use this setting to
 --- | ---
-Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.<br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
+Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. Separate multiple URLs using `&#xF000;`.<br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
-Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.<br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
+Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. Separate multiple URLs using `&#xF000;`.<br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
 Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
 Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
 Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.
--- a/windows/configuration/images/kiosk-desktop.PNG
+++ b/windows/configuration/images/kiosk-desktop.PNG
--- a/windows/configuration/images/kiosk-fullscreen-sm.png
+++ b/windows/configuration/images/kiosk-fullscreen-sm.png
--- a/windows/configuration/images/kiosk-fullscreen.PNG
+++ b/windows/configuration/images/kiosk-fullscreen.PNG
--- a/windows/configuration/images/kiosk-intune.PNG
+++ b/windows/configuration/images/kiosk-intune.PNG
--- a/windows/configuration/images/kiosk-settings.PNG
+++ b/windows/configuration/images/kiosk-settings.PNG
--- a/windows/configuration/images/kiosk-wizard.png
+++ b/windows/configuration/images/kiosk-wizard.png
--- a/windows/configuration/images/kiosk.png
+++ b/windows/configuration/images/kiosk.png
--- a/windows/configuration/images/office-logo.png
+++ b/windows/configuration/images/office-logo.png
--- a/windows/configuration/images/set-assignedaccess.png
+++ b/windows/configuration/images/set-assignedaccess.png
--- a/windows/configuration/images/user.PNG
+++ b/windows/configuration/images/user.PNG
--- a/windows/configuration/images/windows.png
+++ b/windows/configuration/images/windows.png
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@ -22,7 +22,8 @@ Enterprises often need to apply custom configurations to devices for their users
 | Topic | Description |
 | --- | --- |
 | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.  |
-| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
+| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.  |
 | [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. |
 | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app.  |
 | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. |
 | [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
--- a/windows/configuration/kiosk-additional-reference.md
+++ b/windows/configuration/kiosk-additional-reference.md
@ -0,0 +1,37 @@
 ---
 title: More kiosk methods and reference information (Windows 10)
 description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
 ms.date: 07/30/2018
 ---
 # More kiosk methods and reference information
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
 ## In this section
 Topic | Description
 --- | ---
 [Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk.
 [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience.
 [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
 [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.
 [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps.
 [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) |  Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface.
 [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
 [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
--- a/windows/configuration/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk-mdm-bridge.md
@ -0,0 +1,86 @@
 ---
 title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10)
 description: Environments that use Windows Management Instrumentation (WMI)can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
 ms.date: 07/30/2018
 ---
 # Use MDM Bridge WMI Provider to create a Windows 10 kiosk
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
 Environments that use [Windows Management Instrumentation (WMI)](https://msdn.microsoft.com/library/aa394582.aspx) can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. 
 Here’s an example to set AssignedAccess configuration:
 1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).  
 2. Run `psexec.exe -i -s cmd.exe`.
 3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. 
 4. Execute the following script:
 ```ps
 $nameSpaceName="root\cimv2\mdm\dmmap"
 $className="MDM_AssignedAccess"
 $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
 $obj.Configuration = @"
 &lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
 &lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
  &lt;Profiles&gt;
    &lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt;
      &lt;AllAppsList&gt;
        &lt;AllowedApps&gt;
          &lt;App AppUserModelId=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
          &lt;App AppUserModelId=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
          &lt;App AppUserModelId=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
          &lt;App AppUserModelId=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
          &lt;App AppUserModelId=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
          &lt;App DesktopAppPath=&quot;%windir%\system32\mspaint.exe&quot; /&gt;
          &lt;App DesktopAppPath=&quot;C:\Windows\System32\notepad.exe&quot; /&gt;
        &lt;/AllowedApps&gt;
      &lt;/AllAppsList&gt;
      &lt;StartLayout&gt;
        &lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
                      &lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
                      &lt;DefaultLayoutOverride&gt;
                        &lt;StartLayoutCollection&gt;
                          &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
                            &lt;start:Group Name=&quot;Group1&quot;&gt;
                              &lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
                              &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
                              &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
                              &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
                              &lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
                            &lt;/start:Group&gt;
                            &lt;start:Group Name=&quot;Group2&quot;&gt;
                              &lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk&quot; /&gt;
                              &lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk&quot; /&gt;
                            &lt;/start:Group&gt;
                          &lt;/defaultlayout:StartLayout&gt;
                        &lt;/StartLayoutCollection&gt;
                      &lt;/DefaultLayoutOverride&gt;
                    &lt;/LayoutModificationTemplate&gt;
                ]]&gt;
      &lt;/StartLayout&gt;
      &lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
    &lt;/Profile&gt;
  &lt;/Profiles&gt;
  &lt;Configs&gt;
    &lt;Config&gt;
      &lt;Account&gt;MultiAppKioskUser&lt;/Account&gt;
      &lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt;
    &lt;/Config&gt;
  &lt;/Configs&gt;
 &lt;/AssignedAccessConfiguration&gt;
 "@
 Set-CimInstance -CimInstance $obj
 ```
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@ -0,0 +1,77 @@
 ---
 title: Configure kiosks and digital signs on Windows desktop editions (Windows 10)
 description: Learn about the methods for configuring kiosks.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: jdeckerms
 ms.date: 07/30/2018
 ---
 # Configure kiosks and digital signs on Windows desktop editions
 Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use:
 |  |  |
 --- | ---
 | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.<br><br>When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.<br><br>A single-app kiosk is ideal for public use.<br><br>(Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png)
 |  **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.<br><br>A multi-app kiosk is appropriate for devices that are shared by multiple people.<br><br>When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png)
 Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. 
 There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
 |  |  |
 --- | ---
 ![icon that represents apps](images/office-logo.png) | **Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) 
 ![icon that represents a kiosk](images/kiosk.png) | **Which type of kiosk do you need?** If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). 
 ![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
 ![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.     
 <span id="uwp" />
 ## Methods for a single-app kiosk running a UWP app
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
 [Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user
 [Assigned access cmdlets](kiosk-single-app.md#powershell)  | Pro, Ent, Edu | Local standard user
 [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard)  | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD 
 [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
 <span id="classic" />
 ## Methods for a single-app kiosk running a Windows desktop application
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
 [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD 
 [ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD
 [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
 <span id="desktop" />
 ## Methods for a multi-app kiosk
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
 [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD
 [Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD
 [MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD  
 ## Summary of kiosk configuration methods
 Method | App type | Account type | Single-app kiosk | Multi-app kiosk
 --- | --- | --- | :---: | :---:
 [Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X  |
 [Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X |
 [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X  |
 [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md)  | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X  | X
 Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X
 [ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | 
 [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD |  | X
 >[!NOTE]
 >For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. 
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@ -0,0 +1,82 @@
 ---
 title: Policies enforced on kiosk devices (Windows 10)
 description: Learn about the policies enforced on a device when you configure it as a kiosk.
 ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
 keywords: ["lockdown", "app restrictions", "applocker"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: high
 ms.date: 07/30/2018
 ms.author: jdecker
 ---
 # Policies enforced on kiosk devices
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
 It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience.
 When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
 ## Group Policy
 The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not.  This includes local users, domain users, and Azure Active Directory users.
 | Setting |	Value |
 | --- | --- |
 Remove access to the context menus for the task bar	| Enabled
 Clear history of recently opened documents on exit |	Enabled
 Prevent users from customizing their Start Screen |	Enabled
 Prevent users from uninstalling applications from Start |		Enabled
 Remove All Programs list from the Start menu |		Enabled
 Remove Run menu from Start Menu	 |	Enabled
 Disable showing balloon notifications as toast |		Enabled
 Do not allow pinning items in Jump Lists |		Enabled
 Do not allow pinning programs to the Taskbar |		Enabled
 Do not display or track items in Jump Lists from remote locations |		Enabled
 Remove Notifications and Action Center |		Enabled
 Lock all taskbar settings |		Enabled
 Lock the Taskbar	 |	Enabled
 Prevent users from adding or removing toolbars |		Enabled
 Prevent users from resizing the taskbar	 |	Enabled
 Remove frequent programs list from the Start Menu |		Enabled
 Remove Pinned programs from the taskbar	 |	Enabled
 Remove the Security and Maintenance icon	 |	Enabled
 Turn off all balloon notifications |		Enabled
 Turn off feature advertisement balloon notifications	 |	Enabled
 Turn off toast notifications |		Enabled
 Remove Task Manager |		Enabled
 Remove Change Password option in Security Options UI |		Enabled
 Remove Sign Out option in Security Options UI	 |	Enabled
 Remove All Programs list from the Start Menu	 |	Enabled – Remove and disable setting
 Prevent access to drives from My Computer	 |	Enabled - Restrict all drivers
 >[!NOTE]
 >When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
 ## MDM policy
 Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
 Setting	| 	Value	| System-wide
 --- | --- | ---
 [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)		| 0 - Not allowed	| 	Yes
 [Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings)	| 	0 - Shortcut is hidden and disables the setting in the Settings app	| 	Yes
 Start/HidePeopleBar		| 1 - True (hide)	| 	No
 [Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings)		| 1 - True (hide) | Yes
 [WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace)	| 	0 - Access to ink workspace is disabled and the feature is turned off	| 	Yes
 [Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout)	| Configuration dependent	| 	No
 [WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui)	| 	&lt;Enabled/&gt;	| 	Yes
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@ -0,0 +1,81 @@
 ---
 title: Prepare a device for kiosk configuration (Windows 10)
 description: Some tips for device settings on kiosks.
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
 ms.date: 07/30/2018
 ---
 # Prepare a device for kiosk configuration
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
 >[!WARNING]
 >For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
 >
 >Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
 For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
 Recommendation | How to
 --- | ---
 Replace "blue screen" with blank screen for OS errors   | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`</br></br>[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)</br></br>You must restart the device after changing the registry.
 Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
 Hide **Ease of access** feature on the sign-in screen. |     Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
 Disable the hardware power button. |     Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
 Remove the power button from the sign-in screen. |     Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
 Disable the camera. |     Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
 Turn off app notifications on the lock screen. |     Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
 Disable removable media. |     Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
 >[!TIP]
 >If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. 
 **How to edit the registry to have an account sign in automatically**
 1.  Open Registry Editor (regedit.exe).
    >[!NOTE]  
    >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 2.  Go to
    **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
 3.  Set the values for the following keys.
    -   *AutoAdminLogon*: set value as **1**.
    -   *DefaultUserName*: set value as the account that you want signed in.
    -   *DefaultPassword*: set value as the password for the account.
       > [!NOTE]
       > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
    -   *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
 4.  Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
 >[!TIP]
 >You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
--- a/windows/configuration/kiosk-shared-pc.md
+++ b/windows/configuration/kiosk-shared-pc.md
@ -1,26 +0,0 @@
 ---
 title: Configure kiosk and shared devices running Windows desktop editions (Windows 10)
 description: 
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
 ms.date: 08/08/2017
 ---
 # Configure kiosk and shared devices running Windows desktop editions
 Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app).
 ## In this section
 | Topic | Description |
 | --- | --- |
 | [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.  |
 |  [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select.  |
 | [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device.  |
 | [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@ -0,0 +1,201 @@
 ---
 title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
 description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
 ms.date: 07/30/2018
 ---
 # Use Shell Launcher to create a Windows 10 kiosk
 **Applies to**
 >App type: Windows desktop application
 >
 >OS edition: Windows 10 Ent, Edu
 >
 >Account type: Local standard user or administrator, Active Directory, Azure AD
 Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
 >[!NOTE]
 >You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard).
 >[!WARNING]
 >- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
 >- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.  
 ### Requirements
 -   A domain or local user account.
 -   A Windows desktop application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
 [See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
 ### Configure Shell Launcher
 To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
 **To turn on Shell Launcher in Windows features**
 1. Go to Control Panel &gt; **Programs and features** &gt; **Turn Windows features on or off**.
 2. Expand **Device Lockdown**.
 2. Select **Shell Launcher** and **OK**.
 Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool.
 **To turn on Shell Launcher using DISM**
 1.  Open a command prompt as an administrator.
 2.  Enter the following command.
    ```
    Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
    ```
 **To set your custom shell**
 Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
 ```
 # Check if shell launcher license is enabled
 function Check-ShellLauncherLicenseEnabled
 {
    [string]$source = @"
 using System;
 using System.Runtime.InteropServices;
 static class CheckShellLauncherLicense
 {
    const int S_OK = 0;
    public static bool IsShellLauncherLicenseEnabled()
    {
        int enabled = 0;
        if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
            enabled = 0;
        }
        return (enabled != 0);
    }
    static class NativeMethods
    {
        [DllImport("Slc.dll")]
        internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
    }
 }
 "@
    $type = Add-Type -TypeDefinition $source -PassThru
    return $type[0]::IsShellLauncherLicenseEnabled()
 }
 [bool]$result = $false
 $result = Check-ShellLauncherLicenseEnabled
 "`nShell Launcher license enabled is set to " + $result
 if (-not($result))
 {
    "`nThis device doesn't have required license to use Shell Launcher"
    exit
 }
 $COMPUTER = "localhost"
 $NAMESPACE = "root\standardcimv2\embedded"
 # Create a handle to the class instance so we can call the static methods.
 try {
    $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
    } catch [Exception] {
    write-host $_.Exception.Message; 
    write-host "Make sure Shell Launcher feature is enabled"
    exit
    }
 # This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
 $Admins_SID = "S-1-5-32-544"
 # Create a function to retrieve the SID for a user account on a machine.
 function Get-UsernameSID($AccountName) {
    $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
    $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
    return $NTUserSID.Value
 }
 # Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
 $Cashier_SID = Get-UsernameSID("Cashier")
 # Define actions to take when the shell program exits.
 $restart_shell = 0
 $restart_device = 1
 $shutdown_device = 2
 # Examples. You can change these examples to use the program that you want to use as the shell.
 # This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. 
 $ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
 # Display the default shell to verify that it was added correctly.
 $DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
 "`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
 # Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
 $ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
 # Set Explorer as the shell for administrators.
 $ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
 # View all the custom shells defined.
 "`nCurrent settings for custom shells:"
 Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
 # Enable Shell Launcher
 $ShellLauncherClass.SetEnabled($TRUE)
 $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
 "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
 # Remove the new custom shells.
 $ShellLauncherClass.RemoveCustomShell($Admins_SID)
 $ShellLauncherClass.RemoveCustomShell($Cashier_SID)
 # Disable Shell Launcher
 $ShellLauncherClass.SetEnabled($FALSE)
 $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
 "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
 ```
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@ -0,0 +1,244 @@
 ---
 title: Set up a single-app kiosk (Windows 10)
 description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
 ms.date: 07/30/2018
 ---
 # Set up a single-app kiosk
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
 |  |  |
 --- | ---
 A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.<br><br> When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png)
 You have several options for configuring your single-app kiosk. 
 Method | Description
 --- | ---
 [Assigned access in Settings](#local) | The **Assigned Access** option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.<br><br>This method is supported on Windows 10 Pro, Enterprise, and Education.
 [PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.<br><br>This method is supported on Windows 10 Pro, Enterprise, and Education.
 [The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.<br><br>This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
 [Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.<br><br>This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
 >[!TIP]
 >You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).  
 <span id="local"/>
 ## Set up a kiosk in local Settings
 >App type: UWP
 >
 >OS edition: Windows 10 Pro, Ent, Edu
 >
 >Account type: Local standard user
 You can use **Settings** to quickly configure one or a few devices as a kiosk.  When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
 ![The Set up assigned access page in Settings](images/kiosk-settings.png)
 **To set up assigned access in PC settings**
 1.  Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other people**.
 2.  Choose **Set up assigned access**.
 3.  Choose an account.
 4.  Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
 5.  Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on.
 To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
 When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
 - If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
 - If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
 ![Screenshot of automatic sign-in setting](images/auto-signin.png)
 <span id="powershell"/>
 ## Set up a kiosk using Windows PowerShell
 >App type: UWP
 >
 >OS edition: Windows 10 Pro, Ent, Edu
 >
 >Account type: Local standard user
 ![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png)
 You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. 
 Before you run the cmdlet:
 1. Log in as administrator.
 2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
 3. Log in as the Assigned Access user account.
 4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
 5. Log out as the Assigned Access user account.
 6. Log in as administrator.
 To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
 **Configure assigned access by AppUserModelID and user name**
 ```
 Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
 ```
 **Configure assigned access by AppUserModelID and user SID**
 ```
 Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
 ```
 **Configure assigned access by app name and user name**
 ```
 Set-AssignedAccess -AppName <CustomApp> -UserName <username>
 ```
 **Configure assigned access by app name and user SID**
 ```
 Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
 ```
 > [!NOTE]
 > To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. 
 [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
 [Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
 [Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517).
 To remove assigned access, using PowerShell, run the following cmdlet.
 ```
 Clear-AssignedAccess
 ```
 <span id="wizard" />
 ## Set up a kiosk using the kiosk wizard in Windows Configuration Designer
 >App type: UWP or Windows desktop application
 >
 >OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types
 >
 >Account type: Local standard user, Active Directory 
 ![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png)
 >[!IMPORTANT]
 >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
 When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application.
 [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
 <table>
 <tr><td  style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step two](images/two.png)  ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step three](images/three.png)  ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr> 
 <tr><td  style="width:45%" valign="top">![step six](images/six.png)  ![Configure kiosk account and app](images/kiosk-account.png)</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step seven](images/seven.png)  ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">  ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
 </table>
 >[!NOTE]
 >If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
 >[!IMPORTANT]
 >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 [Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
 <span id="mdm" />
 ## Set up a kiosk or digital sign using Microsoft Intune or other MDM service
 >App type: UWP 
 >
 >OS edition: Windows 10 Pro (version 1709), Ent, Edu
 >
 >Account type: Local standard user, Azure AD
 ![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png)
 Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
 >[!TIP]
 >Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). 
 The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.
 **To configure kiosk in Microsoft Intune**
 2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
 3. Select **Device configuration**.
 4. Select **Profiles**.
 5. Select **Create profile**.
 6. Enter a friendly name for the profile.
 7. Select **Windows 10 and later** for the platform.
 8. Select **Device restrictions** for the profile type.
 9. Select **Kiosk**.
 10. In **Kiosk Mode**, select **Single app kiosk**.
 1. Enter the user account (Azure AD or a local standard user account).
 11. Enter the Application User Model ID for an installed app.
 14. Select **OK**, and then select **Create**.
 18. Assign the profile to a device group to configure the devices in that group as kiosks.
 ## Sign out of assigned access
 To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
 If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
 **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
 To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
--- a/windows/configuration/kiosk-validate.md
+++ b/windows/configuration/kiosk-validate.md
@ -0,0 +1,94 @@
 ---
 title: Validate kiosk configuration (Windows 10)
 description: This topic explains what to expect on a multi-app kiosk.
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
 ms.date: 07/30/2018
 ---
 # Validate kiosk configuration
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
 To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device.
 Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
 To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. 
 >[!NOTE] 
 >The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. 
 The following sections explain what to expect on a multi-app kiosk.
 ### App launching and switching experience
 In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.  
 The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. 
 ### Start changes
 When the assigned access user signs in, you should see a restricted Start experience:
 - Start gets launched in full screen and prevents the end user from accessing the desktop. 
 - Start shows the layout aligned with what you defined in the multi-app configuration XML. 
 - Start prevents the end user from changing the tile layout.
  - The user cannot resize, reposition, and unpin the tiles.
  - The user cannot pin additional tiles on the start.
 - Start hides **All Apps** list.
 - Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). 
 - Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) 
 - Start hides **Change account settings** option under **User** button.
 ### Taskbar changes
 If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
 - Disables context menu of Start button (Quick Link)
 - Disables context menu of taskbar
 - Prevents the end user from changing the taskbar
 - Disables Cortana and Search Windows
 - Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
 - Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
 ### Blocked hotkeys
 The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. 
 | Hotkey | Action |
 | --- | --- |
 | Windows logo key  + A	 | Open Action center |
 | Windows logo key  + Shift + C |	Open Cortana in listening mode |
 | Windows logo key  + D	| Display and hide the desktop |
 | Windows logo key  + Alt + D	| Display and hide the date and time on the desktop |
 | Windows logo key  + E	| Open File Explorer |
 | Windows logo key  + F |	Open Feedback Hub |
 | Windows logo key  + G	| Open Game bar when a game is open |
 | Windows logo key  + I	| Open Settings |
 | Windows logo key  + J |	Set focus to a Windows tip when one is available. |
 | Windows logo key  + O	| Lock device orientation |
 | Windows logo key  + Q	 | Open search |
 | Windows logo key  + R	| Open the Run dialog box |
 | Windows logo key  + S	| Open search |
 | Windows logo key  + X	| Open the Quick Link menu |
 | Windows logo key  + comma (,) |	Temporarily peek at the desktop |
 | Windows logo key  + Ctrl + F |	Search for PCs (if you're on a network) |
 ### Locked-down Ctrl+Alt+Del screen
 The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. 
 ### Auto-trigger touch keyboard
 In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. 
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/30/2018
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
--- a/windows/configuration/lock-down-windows-10-applocker.md
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 08/14/2017
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
@ -37,7 +37,7 @@ This topic describes how to lock down apps on a local device. You can also use A
 ## Install apps
-First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account.
 ## Use AppLocker to set rules for apps
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@ -1,5 +1,5 @@
 ---
-title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
+title: Set up a multi-app kiosk  (Windows 10)
 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
 ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
 keywords: ["lockdown", "app restrictions", "applocker"]
@ -9,29 +9,29 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 06/21/2018
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
-# Create a Windows 10 kiosk that runs multiple apps
+# Set up a multi-app kiosk
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
-A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also:
+
 A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also:
 - Configure [a single-app kiosk profile](#profile) in your XML file.
 - Assign [group accounts to a config profile](#config-for-group-accounts).
 - Configure [an account to sign in automatically](#config-for-autologon-account).
-
+The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
 The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
 >[!WARNING]
->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
 You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
@ -65,7 +65,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
 >Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription.
 ## Configure a kiosk using a provisioning package
 Process:
@ -77,12 +76,12 @@ Watch how to use a provisioning package to configure a multi-app kiosk.
 >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
-If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
+If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
 ### Prerequisites
- Windows Configuration Designer (Windows 10, version 1709)
+- Windows Configuration Designer (Windows 10, version 1709 or later)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
+- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
 >[!NOTE]
 >For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. 
@ -161,7 +160,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
 ##### AllowedApps
-**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps. 
+**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. 
 Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
@ -479,10 +478,7 @@ Provisioning packages can be applied to a device during the first-run experience
 ### Validate provisioning
 -	Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration.
 - Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
 <span id="alternate-methods" />
@ -496,147 +492,9 @@ If your device is enrolled with a MDM server which supports applying the assigne
 The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
 <span id="bridge" />
 ## Use MDM Bridge WMI Provider to configure assigned access
 Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. 
 Here’s an example to set AssignedAccess configuration:
 1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).  
 2. Run `psexec.exe -i -s cmd.exe`.
 3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. 
 4. Execute the following script:
 ```ps
 $nameSpaceName="root\cimv2\mdm\dmmap"
 $className="MDM_AssignedAccess"
 $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
 $obj.Configuration = @"
 &lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
 &lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
  &lt;Profiles&gt;
    &lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt;
      &lt;AllAppsList&gt;
        &lt;AllowedApps&gt;
          &lt;App AppUserModelId=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
          &lt;App AppUserModelId=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
          &lt;App AppUserModelId=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
          &lt;App AppUserModelId=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
          &lt;App AppUserModelId=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
          &lt;App DesktopAppPath=&quot;%windir%\system32\mspaint.exe&quot; /&gt;
          &lt;App DesktopAppPath=&quot;C:\Windows\System32\notepad.exe&quot; /&gt;
        &lt;/AllowedApps&gt;
      &lt;/AllAppsList&gt;
      &lt;StartLayout&gt;
        &lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
                      &lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
                      &lt;DefaultLayoutOverride&gt;
                        &lt;StartLayoutCollection&gt;
                          &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
                            &lt;start:Group Name=&quot;Group1&quot;&gt;
                              &lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
                              &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
                              &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
                              &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
                              &lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
                            &lt;/start:Group&gt;
                            &lt;start:Group Name=&quot;Group2&quot;&gt;
                              &lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk&quot; /&gt;
                              &lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk&quot; /&gt;
                            &lt;/start:Group&gt;
                          &lt;/defaultlayout:StartLayout&gt;
                        &lt;/StartLayoutCollection&gt;
                      &lt;/DefaultLayoutOverride&gt;
                    &lt;/LayoutModificationTemplate&gt;
                ]]&gt;
      &lt;/StartLayout&gt;
      &lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
    &lt;/Profile&gt;
  &lt;/Profiles&gt;
  &lt;Configs&gt;
    &lt;Config&gt;
      &lt;Account&gt;MultiAppKioskUser&lt;/Account&gt;
      &lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt;
    &lt;/Config&gt;
  &lt;/Configs&gt;
 &lt;/AssignedAccessConfiguration&gt;
 "@
 Set-CimInstance -CimInstance $obj
 ```
 ## Validate multi-app kiosk configuration
 Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. 
 >[!NOTE] 
 >The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. 
 The following sections explain what to expect on a multi-app kiosk.
 ### App launching and switching experience
 In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.  
 The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. 
 ### Start changes
 When the assigned access user signs in, you should see a restricted Start experience:
 - Start gets launched in full screen and prevents the end user from accessing the desktop. 
 - Start shows the layout aligned with what you defined in the multi-app configuration XML. 
 - Start prevents the end user from changing the tile layout.
  - The user cannot resize, reposition, and unpin the tiles.
  - The user cannot pin additional tiles on the start.
 - Start hides **All Apps** list.
 - Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). 
 - Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) 
 - Start hides **Change account settings** option under **User** button.
 ### Taskbar changes
 If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
 - Disables context menu of Start button (Quick Link)
 - Disables context menu of taskbar
 - Prevents the end user from changing the taskbar
 - Disables Cortana and Search Windows
 - Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
 - Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
 ### Blocked hotkeys
 The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. 
 | Hotkey | Action |
 | --- | --- |
 | Windows logo key  + A	 | Open Action center |
 | Windows logo key  + Shift + C |	Open Cortana in listening mode |
 | Windows logo key  + D	| Display and hide the desktop |
 | Windows logo key  + Alt + D	| Display and hide the date and time on the desktop |
 | Windows logo key  + E	| Open File Explorer |
 | Windows logo key  + F |	Open Feedback Hub |
 | Windows logo key  + G	| Open Game bar when a game is open |
 | Windows logo key  + I	| Open Settings |
 | Windows logo key  + J |	Set focus to a Windows tip when one is available. |
 | Windows logo key  + O	| Lock device orientation |
 | Windows logo key  + Q	 | Open search |
 | Windows logo key  + R	| Open the Run dialog box |
 | Windows logo key  + S	| Open search |
 | Windows logo key  + X	| Open the Quick Link menu |
 | Windows logo key  + comma (,) |	Temporarily peek at the desktop |
 | Windows logo key  + Ctrl + F |	Search for PCs (if you're on a network) |
 ### Locked-down Ctrl+Alt+Del screen
 The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. 
 ### Auto-trigger touch keyboard
 In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. 
@ -756,3 +614,6 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont
 - Under **CommandLine**, enter `cmd /c *FileName*.bat`.
 ## Other methods
 Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md).
--- a/windows/configuration/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@ -52,10 +52,10 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
 <td align="left"><p>Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via <strong>Turn Windows Features On/Off</strong>. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.</p></td>
 </tr>
 <tr class="even">
-<td align="left"><p>[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on</p></td>
+<td align="left"><p>[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Windows desktop application on sign-on</p></td>
 <td align="left">[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)</td>
 <td align="left"><p>Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the <strong>SMISettings</strong> category.</p>
-<p>Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.</p></td>
+<p>Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Windows desktop application.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>[Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on</p></td>
--- a/windows/configuration/multi-app-kiosk-troubleshoot.md
+++ b/windows/configuration/multi-app-kiosk-troubleshoot.md
@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 09/27/2017
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
@ -31,7 +31,7 @@ For example:
 **Troubleshooting steps**
-1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning).
+1. [Verify that the provisioning package is applied successfully](kiosk-validate.md).
 2. Verify that the account (config) is mapped to a profile in the configuration XML file.
 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@ -82,7 +82,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 <tr><td style="width:45%" valign="top">![step one](../images/one.png)![set up device](../images/set-up-device.png)</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png)</td></tr>
 <tr><td style="width:45%" valign="top">![step two](../images/two.png)  ![set up network](../images/set-up-network.png)</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](../images/set-up-network-details-desktop.png)</td></tr>
 <tr><td style="width:45%" valign="top">![step three](../images/three.png)  ![account management](../images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions. </br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td>![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png)</td></tr>
-<tr><td style="width:45%" valign="top">![step four](../images/four.png) ![add applications](../images/add-applications.png)</br></br>You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). </td><td>![add an application](../images/add-applications-details.png)</td></tr>
+<tr><td style="width:45%" valign="top">![step four](../images/four.png) ![add applications](../images/add-applications.png)</br></br>You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). </td><td>![add an application](../images/add-applications-details.png)</td></tr>
 <tr><td style="width:45%" valign="top">![step five](../images/five.png) ![add certificates](../images/add-certificates.png)</br></br>To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](../images/add-certificates-details.png)</td></tr> 
 <tr><td style="width:45%" valign="top">  ![finish](../images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](../images/finish-details.png)</td></tr>
 </table>
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@ -20,7 +20,7 @@ ms.date: 09/06/2017
 - Windows 10
-In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
+In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
 When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
@ -35,7 +35,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app 
-## Settings for Classic Windows apps
+## Settings for Windows desktop applications
 ### MSI installer
@ -61,7 +61,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 <span id="adv" />
-## Add a Classic Windows app using advanced editor in Windows Configuration Designer
+## Add a Windows desktop application using advanced editor in Windows Configuration Designer
 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. 
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@ -43,7 +43,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
        - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
        - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
-        - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
+        - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
        - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)
        - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@ -86,7 +86,7 @@ The following table describes settings that you can configure using the wizards
 - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
+- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
 - [Instructions for the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#wizard)
--- a/windows/configuration/setup-digital-signage.md
+++ b/windows/configuration/setup-digital-signage.md
@ -0,0 +1,87 @@
 ---
 title: Set up digital signs on Windows 10  (Windows 10)
 description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education).
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
 ms.date: 07/30/2018
 ---
 # Set up digital signs on Windows 10
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
 Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. 
 For digital signage, simply select a digital sign player as your kiosk app. You can also use the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
 >[!TIP]
 >Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). 
 Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
 >[!NOTE]
 >If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business).
 This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience). 
 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 
 2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
 2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
 3. Open Windows Configuration Designer and select **Provision kiosk devices**.
 4. Enter a friendly name for the project, and select **Finish**.
 5. On **Set up device**, select **Disabled**, and select **Next**.
 6. On **Set up network**, enable network setup. 
    - Toggle **On** wireless network connectivity. 
    - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
 7. On **Account management**, select **Disabled**, and select **Next**.
 8. On **Add applications**, select **Add an application**.
    - For **Application name**, enter `Kiosk Browser`.
    - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
    - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
    - The **Package family name** is populated automatically.
    - Select **Next**.
 9. On **Add certificates**, select **Next**.
 10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage. 
    - Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
    - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
    - For **App type**, select **Universal Windows App**.
    - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`.
 11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. 
 12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu.
    - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
    - In **BlockedUrl**, enter `*`.
    - In **DefaultUrl**, enter `https://www.contoso.com/menu`.
    - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**.
 13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
 14. On the **Export** menu, select **Provisioning package**.
 15. Change the **Owner** to **IT Admin**, and select **Next**.
 16. On **Select security details for the provisioning package**, select **Next**.
 17. On **Select where to save the provisioning package**, select **Next**.
 18. On **Build the provisioning package**, select **Build**.
 19. On the **All done!** screen, click the **Output location**.
 20. Copy the .ppkg file to a USB drive.
 21. Attach the USB drive to the device that you want to use for your digital sign.
 22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.
--- a/windows/configuration/setup-kiosk-digital-signage.md
+++ b/windows/configuration/setup-kiosk-digital-signage.md
@ -1,487 +0,0 @@
 ---
 title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10)
 description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 06/05/2018
 ---
 # Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
 **Applies to**
 -   Windows 10 Pro, Enterprise, and Education
 Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md).)
 ## Choose a method for configuring your kiosks and digitals signs
 **Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart.
 >[!TIP]
 >For **digital signage**, simply select a digital sign player as your kiosk app. You can also use the **Kiosk Browser** app ([new in Windows 10, version 1803)](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers) and configure it to show your online content.
 **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. 
 >[!WARNING]
 >For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
 >
 >Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
 **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
 ### Methods for kiosks and digital signs running a UWP app
 Choose this method | For this edition | For this kiosk account type 
 --- | --- | ---
 [Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user
 [PowerShell](#powershell)  | Pro, Ent, Edu | Local standard user
 [Provisioning](#wizard)  | Pro (version 1709), Ent, Edu | Local standard user, Active Directory 
 [Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm)  | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
 ### Methods for kiosks and digital signs running a Classic Windows app
 Choose this method | For this edition | For this kiosk account type 
 --- | --- | ---
 [Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory 
 [ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD
 ### Other settings to lock down
 For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
 Recommendation | How to
 --- | ---
 Replace "blue screen" with blank screen for OS errors   | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`</br></br>[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)</br></br>You must restart the device after changing the registry.
 Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
 Hide **Ease of access** feature on the logon screen. |     Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
 Disable the hardware power button. |     Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
 Remove the power button from the sign-in screen. |     Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
 Disable the camera. |     Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
 Turn off app notifications on the lock screen. |     Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
 Disable removable media. |     Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
 **How to edit the registry to have an account automatically logged on**
 1.  Open Registry Editor (regedit.exe).
    >[!NOTE]  
    >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 2.  Go to
    **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
 3.  Set the values for the following keys.
    -   *AutoAdminLogon*: set value as **1**.
    -   *DefaultUserName*: set value as the account that you want logged in.
    -   *DefaultPassword*: set value as the password for the account.
       > [!NOTE]
       > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
    -   *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
 4.  Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
 >[!TIP]
 >You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
 <span id="local"/>
 ## Set up a kiosk or digital sign in local Settings
 >App type: UWP
 >
 >OS edition: Windows 10 Pro, Ent, Edu
 >
 >Account type: Local standard user
 You can use **Settings** to quickly configure one or a few devices as a kiosk. (Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
 When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
 If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
 If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
 ![Screenshot of automatic sign-in setting](images/auto-signin.png)
 **To set up assigned access in PC settings**
 1.  Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other people**.
 2.  Choose **Set up assigned access**.
 3.  Choose an account.
 4.  Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
 5.  Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on.
 To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
 <span id="powershell"/>
 ## Set up a kiosk or digital sign using Windows PowerShell
 >App type: UWP
 >
 >OS edition: Windows 10 Pro, Ent, Edu
 >
 >Account type: Local standard user
 You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. 
 To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
 ```
 Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
 ```
 ```
 Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
 ```
 ```
 Set-AssignedAccess -AppName <CustomApp> -UserName <username>
 ```
 ```
 Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
 ```
 > [!NOTE]
 > To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. 
 [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
 [Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
 [Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517).
 To remove assigned access, using PowerShell, run the following cmdlet.
 ```
 Clear-AssignedAccess
 ```
 <span id="wizard" />
 ## Set up a kiosk or digital sign using a provisioning package
 >App type: UWP or Classic Windows
 >
 >OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types
 >
 >Account type: Local standard user, Active Directory 
 >[!IMPORTANT]
 >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
 When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application.
 [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
 <table>
 <tr><td  style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step two](images/two.png)  ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step three](images/three.png)  ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr> 
 <tr><td  style="width:45%" valign="top">![step six](images/six.png)  ![Configure kiosk account and app](images/kiosk-account.png)</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step seven](images/seven.png)  ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">  ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
 </table>
 >[!NOTE]
 >If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
 >[!TIP]
 >You can also use [an XML file to configure both multi-app and single-app kiosks.](lock-down-windows-10-to-specific-apps.md)
 >[!IMPORTANT]
 >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 [Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
 ## Set up a kiosk or digital sign in Intune or other MDM service
 >App type: UWP 
 >
 >OS edition: Windows 10 Pro (version 1709), Ent, Edu
 >
 >Account type: Local standard user, Azure AD
 Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
 The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.
 **To configure kiosk in Microsoft Intune**
 2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
 3. Select **Device configuration**.
 4. Select **Profiles**.
 5. Select **Create profile**.
 6. Enter a friendly name for the profile.
 7. Select **Windows 10 and later** for the platform.
 8. Select **Kiosk (Preview)** for the profile type.
 9. Enter a friendly name for the kiosk configuration.
 10. Select **Kiosk - 1 setting available**.
 10. Select **Add** to add a kiosk configuration.
 10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**.
 10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate.
 1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account.
 14. Select **OK**, and then select **Create**.
 18. Assign the profile to a device group to configure the devices in that group as kiosks.
 <span id="shelllauncher" />
 ## Set up a kiosk or digital sign using Shell Launcher 
 >App type: Classic Windows
 >
 >OS edition: Windows 10 Ent, Edu
 >
 >Account type: Local standard user or administrator, Active Directory, Azure AD
 Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
 >[!NOTE]
 >In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp).
 >
 >You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard).
 >[!WARNING]
 >- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
 >- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.  
 ### Requirements
 -   A domain or local user account.
 -   A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
 [See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
 ### Configure Shell Launcher
 To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
 **To turn on Shell Launcher in Windows features**
 1. Go to Control Panel &gt; **Programs and features** &gt; **Turn Windows features on or off**.
 2. Expand **Device Lockdown**.
 2. Select **Shell Launcher** and **OK**.
 Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool.
 **To turn on Shell Launcher using DISM**
 1.  Open a command prompt as an administrator.
 2.  Enter the following command.
    ```
    Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
    ```
 **To set your custom shell**
 Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
 ```
 # Check if shell launcher license is enabled
 function Check-ShellLauncherLicenseEnabled
 {
    [string]$source = @"
 using System;
 using System.Runtime.InteropServices;
 static class CheckShellLauncherLicense
 {
    const int S_OK = 0;
    public static bool IsShellLauncherLicenseEnabled()
    {
        int enabled = 0;
        if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
            enabled = 0;
        }
        return (enabled != 0);
    }
    static class NativeMethods
    {
        [DllImport("Slc.dll")]
        internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
    }
 }
 "@
    $type = Add-Type -TypeDefinition $source -PassThru
    return $type[0]::IsShellLauncherLicenseEnabled()
 }
 [bool]$result = $false
 $result = Check-ShellLauncherLicenseEnabled
 "`nShell Launcher license enabled is set to " + $result
 if (-not($result))
 {
    "`nThis device doesn't have required license to use Shell Launcher"
    exit
 }
 $COMPUTER = "localhost"
 $NAMESPACE = "root\standardcimv2\embedded"
 # Create a handle to the class instance so we can call the static methods.
 try {
    $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
    } catch [Exception] {
    write-host $_.Exception.Message; 
    write-host "Make sure Shell Launcher feature is enabled"
    exit
    }
 # This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
 $Admins_SID = "S-1-5-32-544"
 # Create a function to retrieve the SID for a user account on a machine.
 function Get-UsernameSID($AccountName) {
    $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
    $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
    return $NTUserSID.Value
 }
 # Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
 $Cashier_SID = Get-UsernameSID("Cashier")
 # Define actions to take when the shell program exits.
 $restart_shell = 0
 $restart_device = 1
 $shutdown_device = 2
 # Examples. You can change these examples to use the program that you want to use as the shell.
 # This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. 
 $ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
 # Display the default shell to verify that it was added correctly.
 $DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
 "`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
 # Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
 $ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
 # Set Explorer as the shell for administrators.
 $ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
 # View all the custom shells defined.
 "`nCurrent settings for custom shells:"
 Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
 # Enable Shell Launcher
 $ShellLauncherClass.SetEnabled($TRUE)
 $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
 "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
 # Remove the new custom shells.
 $ShellLauncherClass.RemoveCustomShell($Admins_SID)
 $ShellLauncherClass.RemoveCustomShell($Cashier_SID)
 # Disable Shell Launcher
 $ShellLauncherClass.SetEnabled($FALSE)
 $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
 "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
 ```
 ## Sign out of assigned access
 To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
 If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
 **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
 To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
 ## Related topics
 - [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@ -30,7 +30,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di
 - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
+- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
 ## ComputerAccount
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@ -290,8 +290,8 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store.
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X |  |  |  |  |
+[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). Separate multiple URLs using `&#xF000;`. This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X |  |  |  |  |
-[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X |  |  |  |  |
+[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). Separate multiple URLs using `&#xF000;`. This is used to configure blocked URLs kiosk browsers cannot navigate to. | X |  |  |  |  |
 [DefaultURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart.  | X |  |  |  |  |
 [EnableHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button.  | X |  |  |  |  |
 [EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X |  |  |  |  |
@ -439,7 +439,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
 | [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X |  | X |
 | [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X |  | X |
 | [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X |  | X |
-| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
+| [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
 | [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X |  | X |
 | [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
 | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X |  | X |
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@ -13,7 +13,7 @@ ms.date: 09/06/2017
 # ProvisioningCommands (Windows Configuration Designer reference)
-Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package. 
+Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package. 
 ## Applies to
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@ -93,7 +93,7 @@ When you **enable** KeyboardFilter, a number of other settings become available
 ## ShellLauncher settings
-Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
+Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Windows desktop application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
 >[!WARNING]
 >Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@ -29,7 +29,7 @@ Organizations might want to deploy a customized Start and taskbar configuration
 >
 >Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
 >
->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
+>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
 >
 >Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@ -70,7 +70,7 @@ To align with this new update delivery model, Windows 10 has three servicing cha
 ### Naming changes
 As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using:
-* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". 
+* Semi-Annual Channel - We will be referring to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". 
 * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC).
 >[!IMPORTANT]
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@ -379,7 +379,7 @@ Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/
 Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
-1.  Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
+1.  Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
 2.  Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
--- a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md
@ -45,7 +45,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password
 ## Use the TPM cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule).
 ## Related topics
--- a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
@ -68,7 +68,7 @@ Some things that you can check on the device are:
 -   Is SecureBoot supported and enabled?
 > [!NOTE]
-> The device must be running Windows 10 and it must support at least TPM 2.0.
+> The device must be running Windows 10 and it must support at least TPM 2.0 in order to utilize Device Health Attestation.
 ## Supported versions
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.date: 04/19/2017
+ms.date: 07/30/2018
 ---
 # Local Accounts
@ -114,11 +114,11 @@ Even when the Administrator account has been disabled, it can still be used to g
 ### <a href="" id="sec-guest"></a>Guest account
-The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
+The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
 **Account group membership**
-By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
+By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
 **Security considerations**
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@ -58,6 +58,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in
 When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. 
 Preserving user Always On preference
 Windows has a feature to preserve a user’s AlwaysOn preference.  In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.  
 Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
 Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
 Value: AutoTriggerDisabledProfilesList
 Type: REG_MULTI_SZ
 ## Trusted network detection
 This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
--- a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@ -6,8 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
+author: Justinha
-ms.date: 04/19/2017
+ms.date: 07/30/2018
 ---
 # Configure the Workstation Authentication Certificate Template
@ -36,7 +36,7 @@ To complete these procedures, you must be a member of both the Domain Admins gro
 6.  Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**.
-7.  Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048.
+7.  Click the **Cryptography** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048.
 8.  Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**.
--- a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
+++ b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
@ -85,13 +85,13 @@ DMA-based expansion slots are another avenue of attack, but these slots generall
 To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device.
-### Hyberfil.sys Attacks
+### Hiberfil.sys Attacks
-The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file.
+The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file.
-Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
+Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
-In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
+In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
 ### Memory Remanence Attacks
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@ -50,7 +50,7 @@ By default, the members of the following groups have this right on domain contro
 ### Location
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
+Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
 ### Default values
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 05/08/2018
+ms.date: 07/30/2018
 ---
 # Onboard servers to the Windows Defender ATP service
@ -114,6 +114,25 @@ You’ll be able to onboard in the same method available for Windows 10 client m
    If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
 ## Integration with Azure Security Center
 Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
 The following capabilities are included in this integration:
 - Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to ASC. For more information on onboarding to ASC, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding).
    >[!NOTE]
    > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
 - Servers monitored by  Azure Security Center will also be available in Windows Defender ATP - ASC seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers.  In addition, Windows Defender ATP alerts will be available in the Azure Security Center console.
 - Server investigation -  Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach
 >[!IMPORTANT]
 >- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. 
 >- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
 ## Offboard servers 
 You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. 
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 06/21/2018
+ms.date: 07/30/2018
 ---
 # Windows Defender ATP preview features
@ -49,6 +49,10 @@ Onboard supported versions of Windows machines so that they can send sensor data
  - Windows 8.1 Enterprise
  - Windows 8.1 Pro 
 - [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)<br>
 Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)  
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 07/12/2017
+ms.date: 07/30/2018
 ---
 # Troubleshoot service issues
@ -22,11 +22,11 @@ ms.date: 07/12/2017
 This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
-### Server error - Access is denied due to invalid credentials
+## Server error - Access is denied due to invalid credentials
 If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
 Configure your browser to allow cookies.
-### Elements or data missing on the portal
+## Elements or data missing on the portal
 If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it.
 Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
@ -35,17 +35,17 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
 > [!NOTE]
 > You must use the HTTPS protocol when adding the following endpoints.
-### Windows Defender ATP service shows event or error logs in the Event Viewer
+## Windows Defender ATP service shows event or error logs in the Event Viewer
 See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
-### Windows Defender ATP service fails to start after a reboot and shows error 577
+## Windows Defender ATP service fails to start after a reboot and shows error 577
 If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
 For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
-#### Known issues with regional formats
+## Known issues with regional formats
 **Date and time formats**<br>
 There are some known issues with the time and date formats. 
@ -65,6 +65,20 @@ Support of use of comma as a separator in numbers are not supported. Regions whe
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
 ## Windows Defender ATP tenant was automatically created in Europe
 When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default.
 ## Related topics
 - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
@ -103,6 +103,7 @@ Block credential stealing from the Windows local security authority subsystem (l
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
@ -214,12 +215,16 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
 - Executable files (such as .exe, .dll, or .scr) 
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-### Rule: Block Office communication applications from creating child processes
+### Rule: Block Office communication applications from creating child processes (available for beta testing)
 Office communication apps will not be allowed to create child processes. This includes Outlook.
 This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
 ### Rule: Block Adobe Reader from creating child processes (available for beta testing)
 This rule blocks Adobe Reader from creating child processes.
 ## Review Attack surface reduction events in Windows Event Viewer
 You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
 # Customize Attack surface reduction
@ -76,7 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
@ -65,6 +65,7 @@ Block credential stealing from the Windows local security authority subsystem (l
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.