diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index d8e96bc586..8f10c8e96a 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,59 +1,64 @@
-{
+{
"redirections": [
{
+"source_path": "windows/device-security/windows-security-baselines.md",
+"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319",
+"redirect_document_id": false
+},
+{
"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
"redirect_url": "/education/windows/switch-to-pro-education",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune",
-"redirect_document_id": false
+"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/configure-windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/enable-pua-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/get-started-with-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
-"redirect_document_id": false
+"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-block-at-first-sight.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-enhanced-notifications.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus",
-"redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
@@ -535,7 +540,7 @@
"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
-{
+{
"source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md",
"redirect_url": "https://technet.microsoft.com/library/jj635854.aspx",
"redirect_document_id": true
diff --git a/education/index.md b/education/index.md
index 0bb10155b3..95fdcd0939 100644
--- a/education/index.md
+++ b/education/index.md
@@ -207,6 +207,25 @@ author: CelesteDG
+
+
+
+
+
+
+
+

+
+
+
+
Set up School PCs
+
Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.
+
+
+
+
+
+
@@ -331,6 +350,25 @@ author: CelesteDG
+
+
+
+
+
+
+
+

+
+
+
+
Set up School PCs
+
Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.
+
+
+
+
+
+
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 897f7df8c4..715ba27c8a 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -64,7 +64,7 @@ You can configure Windows through provisioning or management tools including ind
You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
- [Set up School PCs](use-set-up-school-pcs-app.md)
-- Intune for Education (coming soon)
+- [Intune for Education](https://docs.microsoft.com/en-us/intune-education/available-settings)
## AllowCortana
**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana).
@@ -145,7 +145,7 @@ Provide an ad-free experience that is a safer, more private search option for K
### Configurations
#### IP registration for entire school network using Microsoft Edge
-Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
+Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
**District information**
- **District or School Name:**
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 3e072988e3..45051db6b8 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -142,6 +142,7 @@
#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
### [FileSystem CSP](filesystem-csp.md)
### [Firewall CSP](firewall-csp.md)
+#### [Firewall DDF file](firewall-ddf-file.md)
### [HealthAttestation CSP](healthattestation-csp.md)
#### [HealthAttestation DDF](healthattestation-ddf.md)
### [HotSpot CSP](hotspot-csp.md)
@@ -197,6 +198,8 @@
#### [SUPL DDF file](supl-ddf-file.md)
### [SurfaceHub CSP](surfacehub-csp.md)
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
+### [TPMPolicy CSP](tpmpolicy-csp.md)
+#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index f92fff6839..a6d30377d2 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -11,6 +11,9 @@ author: nickbrower
# Configuration service provider reference
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224).
@@ -1148,6 +1151,34 @@ The following tables show the configuration service providers support in Windows
+
+[Firewall CSP](firewall-csp.md)
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+  |
+  |
+
+
+
+
+
+
[HealthAttestation CSP](healthattestation-csp.md)
@@ -2016,6 +2047,34 @@ The following tables show the configuration service providers support in Windows
+
+[TPMPolicy CSP](tpmpolicy-csp.md)
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+  |
+  |
+  |
+  |
+  |
+  |
+
+
+
+
+
+
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
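Review bot: The TPMPolicy CSP support table added in this hunk has every edition cell empty, whereas the Firewall CSP table added in the previous hunk of this file marks Pro, Business, Enterprise and Education with footnote `3`; as written, the reference states that TPMPolicy is supported on no Windows edition. If the marker glyphs were dropped by this diff view this can be ignored, but otherwise the edition cells should carry `3` (or the applicable support mark) for the editions that receive the CSP, consistent with the footnote `- 3 - Added in the next major update to Windows 10` introduced in the last hunk of this file.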
@@ -2330,7 +2389,8 @@ The following tables show the configuration service providers support in Windows
Footnotes:
- 1 - Added in Windows 10, version 1607
-- 2 - Added in Windows 10, version 1703
+- 2 - Added in Windows 10, version 1703
+- 3 - Added in the next major update to Windows 10
> [!Note]
> You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index b0553d3220..e621f09ad8 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -13,10 +13,12 @@ author: nickbrower
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
+The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
Firewall configuration commands must be wrapped in an Atomic block in SyncML.
+For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx).
+
The following diagram shows the Firewall configuration service provider in tree format.

@@ -217,6 +219,11 @@ The following diagram shows the Firewall configuration service provider in tree
If not specified - a new rule is disabled by default.
Boolean value. Supported operations are Add, Get, Replace, and Delete.
+**FirewallRules_FirewallRuleName_/Profiles**
+Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
**FirewallRules/_FirewallRuleName_/Action**
Specifies the action for the rule.
Supported operation is Get.
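Review bot: The new node heading on the first added line is written `**FirewallRules_FirewallRuleName_/Profiles**`, which drops the `/` after `FirewallRules` and the opening `_` of the italic placeholder, so it does not render in the same path form as the neighbouring `**FirewallRules/_FirewallRuleName_/Action**`; it should read `**FirewallRules/_FirewallRuleName_/Profiles**`. The description also carries a doubled period in `Public. . See FW_PROFILE_TYPE`, which should be `Public. See FW_PROFILE_TYPE`. The next hunk's `**FirewallRules/FirewallRuleName/InterfaceTypes**` heading has the same placeholder-markup problem and should be corrected to `**FirewallRules/_FirewallRuleName_/InterfaceTypes**` at the same time.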
@@ -229,14 +236,43 @@ If not specified - a new rule is disabled by default.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**FirewallRules/_FirewallRuleName_/Direction**
+Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:
+
+- IN - the rule applies to inbound traffic.
+- OUT - the rule applies to outbound traffic.
+- If not specified, the default is IN.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+**FirewallRules/FirewallRuleName/InterfaceTypes**
+Comma separated list of interface types. Valid values:
+
+- RemoteAccess
+- Wireless
+- MobileBroadband
+- All
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**FirewallRules/_FirewallRuleName_/EdgeTraversal**
+Indicates whether edge traversal is enabled or disabled for this rule.
+The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+New rules have the EdgeTraversal property disabled by default.
+Boolean value. Supported operations are Add, Get, Replace, and Delete.
+
**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**FirewallRules/_FirewallRuleName_/Status**
+Provides information about the specific verrsion of the rule in deployment for monitoring purposes.
+Value type is string. Supported operation is Get.
+
**FirewallRules/_FirewallRuleName_/FriendlyName**
Specifies the friendly name of the rule. The string must not contain the "|" character.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
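Review bot: The Status node description contains a typo, `verrsion`, which should be `version`; since this node is Get-only and meant for monitoring, a short statement of what the string actually reports would also help a reader consuming it. The EdgeTraversal text explains the Teredo mechanism but not the consequence for whoever enables it: the listener becomes reachable by unsolicited inbound traffic from outside the NAT, so a sentence such as `Enable edge traversal only for rules whose application is designed to accept unsolicited traffic from the Internet.` would make the default-disabled choice easier to keep. Direction is introduced as a comma separated list while the only documented values are IN and OUT with a default of IN; if a rule cannot carry both at once, the "Comma separated list" wording should be dropped, and if it can, the combined form should be stated explicitly.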
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
new file mode 100644
index 0000000000..ced7194e3a
--- /dev/null
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -0,0 +1,1815 @@
+---
+title: Firewall DDF file
+description: Firewall DDF file
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Firewall CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ Firewall
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MdmStore
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Global
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PolicyVersionSupported
+
+
+
+
+ This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CurrentProfiles
+
+
+
+
+ This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableStatefulFtp
+
+
+
+
+
+ This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SaIdleTime
+
+
+
+
+
+ This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PresharedKeyEncoding
+
+
+
+
+
+ This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPsecExempt
+
+
+
+
+
+ This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CRLcheck
+
+
+
+
+
+ This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PolicyVersion
+
+
+
+
+ This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BinaryVersionSupported
+
+
+
+
+ This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ OpportunisticallyMatchAuthSetPerKM
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they do not support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnablePacketQueue
+
+
+
+
+
+ This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ DomainProfile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableFirewall
+
+
+
+
+
+ This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableStealthMode
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Shielded
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableUnicastResponsesToMulticastBroadcast
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableInboundNotifications
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AuthAppsAllowUserPrefMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ GlobalPortsAllowUserPrefMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalPolicyMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalIpsecPolicyMerge
+
+
+
+
+
+ This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultOutboundAction
+
+
+
+
+
+ This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultInboundAction
+
+
+
+
+
+ This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableStealthModeIpsecSecuredPacketExemption
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ PrivateProfile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableFirewall
+
+
+
+
+
+ This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableStealthMode
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Shielded
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableUnicastResponsesToMulticastBroadcast
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableInboundNotifications
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AuthAppsAllowUserPrefMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ GlobalPortsAllowUserPrefMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalPolicyMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalIpsecPolicyMerge
+
+
+
+
+
+ This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultOutboundAction
+
+
+
+
+
+ This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultInboundAction
+
+
+
+
+
+ This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableStealthModeIpsecSecuredPacketExemption
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ PublicProfile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableFirewall
+
+
+
+
+
+ This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableStealthMode
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Shielded
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableUnicastResponsesToMulticastBroadcast
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableInboundNotifications
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AuthAppsAllowUserPrefMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ GlobalPortsAllowUserPrefMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalPolicyMerge
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalIpsecPolicyMerge
+
+
+
+
+
+ This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultOutboundAction
+
+
+
+
+
+ This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultInboundAction
+
+
+
+
+
+ This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DisableStealthModeIpsecSecuredPacketExemption
+
+
+
+
+
+ This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ FirewallRules
+
+
+
+
+ A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+
+
+
+
+
+
+
+
+
+ FirewallRuleName
+
+
+
+
+
+ App
+
+
+
+
+ Rules that control connections for an app, program or service.
+
+Specified based on the intersection of the following nodes.
+
+PackageFamilyName
+FilePath
+FQBN
+ServiceName
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PackageFamilyName
+
+
+
+
+
+
+
+ PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FilePath
+
+
+
+
+
+
+
+ FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Fqbn
+
+
+
+
+
+
+
+ Fully Qualified Binary Name
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ServiceName
+
+
+
+
+
+
+
+ This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Protocol
+
+
+
+
+
+
+
+ 0-255 number representing the ip protocol (TCP = 6, UDP = 17)
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LocalPortRanges
+
+
+
+
+
+
+
+ Comma Separated list of ranges for eg. 100-120,200,300-320
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RemotePortRanges
+
+
+
+
+
+
+
+ Comma Separated list of ranges for eg. 100-120,200,300-320
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LocalAddressRanges
+
+
+
+
+
+
+
+ Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
+Valid tokens include:
+"*" indicates any local address. If present, this must be the only token included.
+
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RemoteAddressRanges
+
+
+
+
+
+
+
+ Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
+"*" indicates any remote address. If present, this must be the only token included.
+"Defaultgateway"
+"DHCP"
+"DNS"
+"WINS"
+"Intranet"
+"RemoteCorpNetwork"
+"Internet"
+"PlayToRenderers"
+"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Description
+
+
+
+
+
+
+
+ Specifies the description of the rule.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Enabled
+
+
+
+
+
+
+
+ Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
+If not specified - a new rule is disabled by default.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Profiles
+
+
+
+
+
+
+
+ Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Action
+
+
+
+
+ Specifies the action for the rule.
+
+BLOCK - block the connection.
+ALLOW - allow the connection.
+
+
+If not specified the default action is BLOCK.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Type
+
+
+
+
+
+
+
+ Specifies the action the rule enforces:
+0 - Block
+1 - Allow
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Direction
+
+
+
+
+
+
+
+ Comma separated list. The rule is enabled based on the traffic direction as following.
+
+IN - the rule applies to inbound traffic.
+OUT - the rule applies to outbound traffic.
+
+If not specified the detault is IN.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ InterfaceTypes
+
+
+
+
+
+
+
+ String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All".
+ If more than one interface type is specified, the strings must be separated by a comma.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IcmpTypesAndCodes
+
+
+
+
+
+
+
+ The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EdgeTraversal
+
+
+
+
+
+
+
+ Indicates whether edge traversal is enabled or disabled for this rule.
+
+The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+
+New rules have the EdgeTraversal property disabled by default.
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LocalUserAuthorizedList
+
+
+
+
+
+
+
+ Specifies the list of authorized local users for the app container.
+This is a string in Security Descriptor Definition Language (SDDL) format..
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ Provides information about the specific verrsion of the rule in deployment for monitoring purposes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FriendlyName
+
+
+
+
+
+
+
+ Specifies the friendly name of the rule.
+The string must not contain the "|" character.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Name
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png
index a2cb0ecde8..f31e4c749d 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-firewall.png and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png
new file mode 100644
index 0000000000..8950a1614d
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index f0f271a8e3..96d9601963 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -14,6 +14,8 @@ author: nickbrower
# What's new in MDM enrollment and management
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
@@ -850,6 +852,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Added a section describing SyncML examples of various ADMX elements.
|
+[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) |
+New topic. |
+
+
[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md) |
Added a new topic describing how to deploy and configure App-V apps using MDM.
|
@@ -888,6 +894,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
[Policy CSP](policy-configuration-service-provider.md)
+
+[TPMPolicy CSP](tpmpolicy-csp.md) |
+New CSP added in Windows 10, version 1703. |
+
@@ -1158,6 +1168,42 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### June 2017
+
+
+
+
+
+
+
+
+
+
+
+[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) |
+Added a list of registry locations that ingested policies are allowed to write to. |
+
+
+[Firewall CSP](firewall-csp.md) |
+Added the following nodes:
+
+- Profiles
+- Direction
+- InterfaceTypes
+- EdgeTraversal
+- Status
+
+Also Added [Firewall DDF file](firewall-ddf-file.md). |
+
+[TPMPolicy CSP](tpmpolicy-csp.md) |
+New CSP added in Windows 10, version 1703. |
+
+
+
+
### May 2017
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 8faa4ccb96..ed858a4dcc 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -201,9 +201,9 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
-
Default value is false. If you set this policy to true or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.
+
Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
-
If you set this policy to false, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
+
If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.
Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 5b81c0026b..1fb89dc1e2 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -11587,6 +11587,13 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
+> [!IMPORTANT]
+> This node must be accessed using the following paths:
+>
+> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy.
+> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result.
+
+
For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
No reboot or service restart is required for this policy to take effect.
@@ -15951,6 +15958,376 @@ ADMX Info:
- 0 – Not allowed.
- 1 (default) – Allowed.
+
+
+
+**Start/AllowPinnedFolderDocuments**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderDownloads**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderFileExplorer**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderHomeGroup**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderMusic**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderNetwork**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderPersonalFolder**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderPictures**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderSettings**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderVideos**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
@@ -15999,6 +16376,29 @@ ADMX Info:
**Start/HideAppList**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16024,6 +16424,29 @@ ADMX Info:
**Start/HideChangeAccountSettings**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
@@ -16042,6 +16465,29 @@ ADMX Info:
**Start/HideFrequentlyUsedApps**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16067,6 +16513,29 @@ ADMX Info:
**Start/HideHibernate**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
@@ -16088,6 +16557,29 @@ ADMX Info:
**Start/HideLock**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
@@ -16106,6 +16598,29 @@ ADMX Info:
**Start/HidePowerButton**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16127,6 +16642,29 @@ ADMX Info:
**Start/HideRecentJumplists**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16155,6 +16693,29 @@ ADMX Info:
**Start/HideRecentlyAddedApps**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16180,6 +16741,29 @@ ADMX Info:
**Start/HideRestart**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
@@ -16198,6 +16782,29 @@ ADMX Info:
**Start/HideShutDown**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
@@ -16216,6 +16823,29 @@ ADMX Info:
**Start/HideSignOut**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
@@ -16234,6 +16864,29 @@ ADMX Info:
**Start/HideSleep**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
@@ -16252,6 +16905,29 @@ ADMX Info:
**Start/HideSwitchAccount**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
@@ -16270,6 +16946,29 @@ ADMX Info:
**Start/HideUserTile**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16292,6 +16991,29 @@ ADMX Info:
**Start/ImportEdgeAssets**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16315,6 +17037,29 @@ ADMX Info:
**Start/NoPinningToTaskbar**
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+  |
+ 2 |
+ |
+ 2 |
+ 2 |
+  |
+  |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
@@ -19410,81 +20155,251 @@ Footnote:
-## IoT Core Support
+## Policies Supported by IoT Core
-[ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-[Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-[Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
-[Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
-[Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
-[Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
-[Browser/AllowAutofill](#browser-allowautofill)
-[Browser/AllowBrowser](#browser-allowbrowser)
-[Browser/AllowCookies](#browser-allowcookies)
-[Browser/AllowDoNotTrack](#browser-allowdonottrack)
-[Browser/AllowInPrivate](#browser-allowinprivate)
-[Browser/AllowPasswordManager](#browser-allowpasswordmanager)
-[Browser/AllowPopups](#browser-allowpopups)
-[Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
-[Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)
-[Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)
-[Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)
-[Camera/AllowCamera](#camera-allowcamera)
-[Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
-[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
-[Connectivity/AllowNFC](#connectivity-allownfc)
-[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
-[Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
-[Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
-[DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
-[Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
-[Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
-[Security/RequireDeviceEncryption](#security-requiredeviceencryption)
-[Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
-[System/AllowEmbeddedMode](#system-allowembeddedmode)
-[System/AllowStorageCard](#system-allowstoragecard)
-[System/TelemetryProxy](#system-telemetryproxy)
-[Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)
-[Update/AllowUpdateService](#update-allowupdateservice)
-[Update/PauseDeferrals](#update-pausedeferrals)
-[Update/RequireDeferUpgrade](#update-requiredeferupgrade)
-[Update/RequireUpdateApproval](#update-requireupdateapproval)
-[Update/ScheduledInstallDay](#update-scheduledinstallday)
-[Update/ScheduledInstallTime](#update-scheduledinstalltime)
-[Update/UpdateServiceUrl](#update-updateserviceurl)
-[Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
-[Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
-[Wifi/AllowWiFi](#wifi-allowwifi)
-[Wifi/WLANScanMode](#wifi-wlanscanmode)
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+- [Browser/AllowAutofill](#browser-allowautofill)
+- [Browser/AllowBrowser](#browser-allowbrowser)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowInPrivate](#browser-allowinprivate)
+- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)
+- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)
+- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)
+- [Camera/AllowCamera](#camera-allowcamera)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowNFC](#connectivity-allownfc)
+- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
+- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
+- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
+- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
+- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+- [System/AllowEmbeddedMode](#system-allowembeddedmode)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowStorageCard](#system-allowstoragecard)
+- [System/TelemetryProxy](#system-telemetryproxy)
+- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/PauseDeferrals](#update-pausedeferrals)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](#wifi-allowwifi)
+- [Wifi/WLANScanMode](#wifi-wlanscanmode)
+
+## Policies supported by Windows Holographic for Business
+
+- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+- [Experience/AllowCortana](#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
+- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [Settings/AllowDateTime](#settings-allowdatetime)
+- [Settings/AllowVPN](#settings-allowvpn)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+
+
+
+## Policies supported by Microsoft Surface Hub
+
+- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDeveloperTools](#browser-allowdevelopertools)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit)
+- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines)
+- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages)
+- [Browser/HomePages](#browser-homepages)
+- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection)
+- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)
+- [Camera/AllowCamera](#camera-allowcamera)
+- [ConfigOperations/ADMXInstall](#configoperations-admxinstall)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
+- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
+- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
+- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
+- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
+- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
+- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
+- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
+- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
+- [Defender/ExcludedExtensions](#defender-excludedextensions)
+- [Defender/ExcludedPaths](#defender-excludedpaths)
+- [Defender/ExcludedProcesses](#defender-excludedprocesses)
+- [Defender/PUAProtection](#defender-puaprotection)
+- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
+- [Defender/ScanParameter](#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](#defender-schedulescanday)
+- [Defender/ScheduleScanTime](#defender-schedulescantime)
+- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+- [TextInput/AllowIMELogging](#textinput-allowimelogging)
+- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
+- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
+- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock)
+- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry)
+- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage)
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)
+- [Update/BranchReadinessLevel](#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)
+- [Update/DetectionFrequency](#update-detectionfrequency)
+- [Update/PauseFeatureUpdates](#update-pausefeatureupdates)
+- [Update/PauseQualityUpdates](#update-pausequalityupdates)
+- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](#update-schedulerestartwarning)
+- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)
+
+
-## Can be set using Exchange Active Sync (EAS)
+## Policies that can be set using Exchange Active Sync (EAS)
-[Browser/AllowBrowser](#browser-allowbrowser)
-[Camera/AllowCamera](#camera-allowcamera)
-[Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
-[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
-[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
-[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
-[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
-[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
-[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
-[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
-[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
-[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
-[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
-[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
-[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
-[Security/RequireDeviceEncryption](#security-requiredeviceencryption)
-[System/AllowStorageCard](#system-allowstoragecard)
-[System/TelemetryProxy](#system-telemetryproxy)
-[Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
-[Wifi/AllowWiFi](#wifi-allowwifi)
+- [Browser/AllowBrowser](#browser-allowbrowser)
+- [Camera/AllowCamera](#camera-allowcamera)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
+- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [System/AllowStorageCard](#system-allowstoragecard)
+- [System/TelemetryProxy](#system-telemetryproxy)
+- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](#wifi-allowwifi)
-
-
## Examples
Set the minimum password length to 4 characters.
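Review bot: In the new "Policies supported by Windows Holographic for Business" list, `- [System/AllowFontProviders](#system-allowfontproviders)` is placed between the Privacy and Search entries, while every other list in this hunk (and the System entries a few lines below it) is kept in alphabetical order by area; moving it next to `System/AllowLocation` keeps the lists consistent and easier to scan for a missing policy. The same ordering applies to the IoT Core and Surface Hub lists, which are already sorted.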
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
new file mode 100644
index 0000000000..239e679672
--- /dev/null
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -0,0 +1,55 @@
+---
+title: TPMPolicy CSP
+description: TPMPolicy CSP
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# TPMPolicy CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
+
+The TPMPolicy CSP was added in Windows 10, version 1703.
+
+The following diagram shows the TPMPolicy configuration service provider in tree format.
+
+
+
+**./Device/Vendor/MSFT/TPMPolicy**
+
Defines the root node.
+
+**IsActiveZeroExhaust**
+Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:
+
+
+- There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
+- There should be no traffic during installation of Windows and first logon when local ID is used.
+- Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.
+- Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.
+
+
+Here is an example:
+
+``` syntax
+
+ 101
+ -
+
+
+ ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
+
+
+
+ bool
+ text/plain
+
+ true
+
+
+```
\ No newline at end of file
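Review bot: The SyncML example targets `./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust`, which differs from the root node documented a few lines above (`./Device/Vendor/MSFT/TPMPolicy`) in both the missing `Device` segment and the casing of the node name; if the example is meant to address the device node, the LocURI should read `./Device/Vendor/MSFT/TPMPolicy/IsActiveZeroExhaust`, and if the shorter form is intentional the text should say it is accepted. The IsActiveZeroExhaust description also reads awkwardly as a double negative; consider `Boolean value that indicates whether zero exhaust is enforced: when true, network traffic from the device to public IP addresses is not allowed unless directly intended by the user. Default value is false.` The opening paragraph scopes the CSP to "TPM software components" but then defines zero exhaust in terms of all Windows and inbox-application traffic, so a sentence clarifying which components this node actually governs would help an admin judge what it does and does not cover. The example block appears to have lost its XML element tags in this view, which may be a rendering artifact rather than a problem with the commit.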
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
new file mode 100644
index 0000000000..35a90ff87b
--- /dev/null
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -0,0 +1,71 @@
+---
+title: TPMPolicy DDF file
+description: TPMPolicy DDF file
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# TPMPolicy DDF file
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703.
+
+The XML below is the current version for this CSP.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ TPMPolicy
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/TPMPolicy
+
+
+
+ IsActiveZeroExhaust
+
+
+
+
+
+ False
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index a308149484..5f3d54fbb1 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -240,17 +240,13 @@ This section describes sample SyncML for the various ADMX elements like Text, Mu
### How a Group Policy policy category path and name are mapped to a MDM area and policy name
-Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifests (extension **wm.xml**) that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
+Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//`
-The **wm.xml** for each mapped area can be found in its own directory under:
-
-`\\SDXROOT\onecoreuap\admin\enterprisemgmt\policymanager\policydefinition\`
-
Note that the data payload of the SyncML needs to be encoded so that it does not conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii)
-**Snippet of wm.xml for AppVirtualization area:**
+**Snippet of manifest for AppVirtualization area:**
```XML
diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
index 17d48bf9fe..3cfa5fbda0 100644
--- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
@@ -24,8 +24,27 @@ author: nickbrower
Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
-When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys.
+When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations:
+- Software\Policies\Microsoft\Office\
+- Software\Microsoft\Office\
+- Software\Microsoft\Windows\CurrentVersion\Explorer\
+- Software\Microsoft\Internet Explorer\
+- software\policies\microsoft\shared tools\proofing tools\
+- software\policies\microsoft\imejp\
+- software\policies\microsoft\ime\shared\
+- software\policies\microsoft\shared tools\graphics filters\
+- software\policies\microsoft\windows\currentversion\explorer\
+- software\policies\microsoft\softwareprotectionplatform\
+- software\policies\microsoft\officesoftwareprotectionplatform\
+- software\policies\microsoft\windows\windows search\preferences\
+- software\policies\microsoft\exchange\
+- software\microsoft\shared tools\proofing tools\
+- software\microsoft\shared tools\graphics filters\
+- software\microsoft\windows\windows search\preferences\
+- software\microsoft\exchange\
+- software\policies\microsoft\vba\security\
+- software\microsoft\onedrive
## Ingesting an app ADMX file
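Review bot: The new exception list reopens parts of the **Software\Microsoft** and **Software\Policies\Microsoft** hives that the preceding sentence describes as protected for security reasons, but the text does not say how an entry is matched, which an admin needs in order to understand the actual write surface: most entries end with a backslash while `software\microsoft\onedrive` does not, and the list mixes cased and lower-case paths, so it is unclear whether matching is prefix-based and case-insensitive (registry key names are case-insensitive, so presumably the latter, but the page should state it). Consider adding, after the list, `Matching of these locations is [case-insensitive and prefix-based — confirm]; an ingested policy may write to any key beneath them, so ADMX ingestion should be restricted to trusted administrators and the ingested files reviewed before deployment.` It would also help to state which inbox components consume settings under these locations, since the stated purpose of the check is to keep ingested policies from colliding with them.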
diff --git a/windows/deployment/update/images/uc-01-wdav.png b/windows/deployment/update/images/uc-01-wdav.png
new file mode 100644
index 0000000000..c0ef37ebc6
Binary files /dev/null and b/windows/deployment/update/images/uc-01-wdav.png differ
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 2b42051399..822dbf7bd1 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -1,6 +1,7 @@
---
title: Get started with Update Compliance (Windows 10)
-description: Explains how to configure Update Compliance.
+description: Configure Update Compliance in OMS to see the status of updates and antimalware protection on devices in your network.
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -10,100 +11,99 @@ author: greg-lindsay
# Get started with Update Compliance
-This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
+This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
-2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite
-3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices
+2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
+3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices.
-## Update Compliance Prerequisites
+## Update Compliance prerequisites
-Update Compliance has the following requirements:
-1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
-2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
-3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+Update Compliance has the following requirements:
+1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
+2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
+3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
-
- Service | Endpoint
- |
Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
- settings-win.data.microsoft.com
- |
Windows Error Reporting | watson.telemetry.microsoft.com
- |
Online Crash Analysis | oca.telemetry.microsoft.com
- |
+Service | Endpoint
+--- | ---
+Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com
+Windows Error Reporting | watson.telemetry.microsoft.com
+Online Crash Analysis | oca.telemetry.microsoft.com
-4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
+
+ 4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
-Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
-1. Go to [Operations Management Suite’s page](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+
+
+ [](images/uc-02.png)
-
-
-
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-
-
-
-3. Create a new OMS workspace.
+ [](images/uc-03.png)
-
-
-
+3. Create a new OMS workspace.
+
+
+ [](images/uc-04.png)
+
4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
-
-
-
+
+ [](images/uc-05.png)
+
5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
-
-
-
+
+ [](images/uc-06.png)
+
6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
-
-
-
-7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
+ [](images/uc-07.png)
+
+
+7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
+
+
+ [](images/uc-08.png)
-
-
-
8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
-
-
-
+
+ [](images/uc-09.png)
+
9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
-
-
-
+
+ [](images/uc-10.png)
+
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
+>[!NOTE]
>You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
## Deploy your Commercial ID to your Windows 10 devices
-In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
+In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
- Using Group Policy
Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
@@ -117,4 +117,4 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th
## Related topics
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 9ee49a1e9d..1be2149594 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -1,6 +1,7 @@
---
-title: Monitor Windows Updates with Update Compliance (Windows 10)
-description: Introduction to Update Compliance.
+title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10)
+description: You can use Update Compliance in OMS to monitor the progress of updates and key antimalware protection features on devices in your network.
+keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -8,26 +9,26 @@ ms.pagetype: deploy
author: greg-lindsay
---
-# Monitor Windows Updates with Update Compliance
+# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
## Introduction
-With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsoft’s new servicing strategy: [Windows as a Service](waas-overview.md).
+With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md).
Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
+Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance provides the following:
-- An overview of your organization’s devices that just works.
-- Dedicated drill-downs for devices that might need attention.
-- An inventory of devices, including the version of Windows they are running and their update status.
-- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later).
-- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries.
-- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure.
+- Dedicated drill-downs for devices that might need attention
+- An inventory of devices, including the version of Windows they are running and their update status
+- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices
+- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later)
+- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries
+- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure
-See the following topics in this guide for detailed information about configuring and use the Update Compliance solution:
+See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
@@ -36,19 +37,20 @@ An overview of the processes used by the Update Compliance solution is provided
## Update Compliance architecture
-The Update Compliance architecture and data flow is summarized by the following five step process:
+The Update Compliance architecture and data flow is summarized by the following five-step process:
**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
**(2)** Telemetry data is analyzed by the Update Compliance Data Service.
**(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.
**(4)** Telemetry data is available in the Update Compliance solution.
-**(5)** You are able to monitor and troubleshoot Windows updates on your network.
+**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.
These steps are illustrated in following diagram:
-
+
->This process assumes that Windows telemetry is enabled and devices are assigned your Commercial ID.
+>[!NOTE]
+>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started#deploy-your-commercial-id-to-your-windows-10-devices.
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 08daf13df1..9daa1a5103 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -19,6 +19,7 @@ Update Compliance:
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
+>[!NOTE]
>Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
diff --git a/windows/device-security/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md
deleted file mode 100644
index f62ee298ba..0000000000
--- a/windows/device-security/windows-security-baselines.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Windows security baselines (Windows 10)
-description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
-author: brianlic-msft
----
-
-# Windows security baselines
-
-**Applies to**
-
-- Windows 10
-- Windows Server 2016
-- Windows Server 2012 R2
-
-Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
-
-We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
-
- > [!NOTE]
- > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
-
-## What are security baselines?
-
-Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
-
-A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
-customers.
-
-## Why are security baselines needed?
-
-Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
-
-For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
-
-In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
-
-To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
-
-## How can you use security baselines?
-
- You can use security baselines to:
-
- - Ensure that user and device configuration settings are compliant with the baseline.
- - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
-
-## Where can I get the security baselines?
-
- Here's a list of security baselines that are currently available.
-
- > [!NOTE]
- > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
-
-### Windows 10 security baselines
-
- - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- - [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- - [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
-
-### Windows Server security baselines
-
- - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- - [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
-
-## How can I monitor security baseline deployments?
-
-Microsoft’s Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm).
-
-You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization.
-
\ No newline at end of file
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index c0eb96f69d..681794b4f9 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -1,5 +1,5 @@
# [Threat protection](index.md)
-
+## [Windows Defender Security Center](windows-defender-security-center\windows-defender-security-center.md)
## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index 9b7c69fbe1..1c76376a0b 100644
--- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -33,7 +33,7 @@ You'll also see additional links for:
- Reporting on Windows Defender Antivirus protection
> [!IMPORTANT]
-> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
+> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 7fa6451710..6bef064955 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -31,11 +31,11 @@ See the [Windows Defender Advanced Threat Protection](../windows-defender-atp/wi
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
-In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
+In passive mode, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
-You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
## Related topics
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index b350ed550f..b3305b6b1c 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -36,12 +36,12 @@ author: iaanw
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
-See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
+See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md).
+- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
## Related topics
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 0a4d40cb54..2a053cc803 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -35,12 +35,16 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
-The app also includes the settings and status of:
+> [!IMPORTANT]
+> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
-- The PC (as "device health")
-- Windows Firewall
-- Windows Defender SmartScreen Filter
-- Parental and Family Controls
+> [!WARNING]
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
+>This will significantly lower the protection of your device and could lead to malware infection.
+
+
+See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/threat-protection/windows-defender-security-center/images/security-center-home.png
new file mode 100644
index 0000000000..601b2a32b8
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-home.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png b/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
new file mode 100644
index 0000000000..e3d744df4c
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
new file mode 100644
index 0000000000..a35daeb1f4
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
new file mode 100644
index 0000000000..eec35c6dcf
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
new file mode 100644
index 0000000000..f8376c934c
--- /dev/null
+++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -0,0 +1,119 @@
+---
+title: Windows Defender Security Center
+description: The Windows Defender Security Center brings together common Windows security features into one place
+keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# The Windows Defender Security Center
+
+**Applies to**
+
+- Windows 10, version 1703
+
+
+
+
+In Windows 10, version 1703 we introduced the new Windows Defender Security Center, which brings together common Windows security features into one, easy-to-use app.
+
+
+
+
+
+
+
+
+
+Many settings that were previously part of the individual features and main Windows Settings have been combined and moved to the new app, which is installed out-of-the-box as part of Windows 10, version 1703.
+
+The app includes the settings and status for the following security features:
+
+- Virus & threat protection, including settings for Windows Defender Antivirus
+- Device performance & health, which includes information about drivers, storage space, and general Windows Update issues
+- Firewall & network protection, including Windows Firewall
+- App & browser control, covering Windows Defender SmartScreen settings
+- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
+
+
+
+The Windows Defender Security Center uses the [Windows Security Center service](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA) to provide the status and information on 3rd party antivirus and firewall products that are installed on the device.
+
+> [!IMPORTANT]
+> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
+
+> [!WARNING]
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
+>This will significantly lower the protection of your device and could lead to malware infection.
+
+
+## Open the Windows Defender Security Center
+- Right-click the icon in the notification area on the taskbar and click **Open**.
+
+ 
+- Search the Start menu for **Windows Defender Security Center**.
+
+ 
+
+
+> [!NOTE]
+> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. Review the settings for each feature in its appropriate library. Links for both home user and enterprise or commercial audiences are listed below.
+
+## How the Windows Defender Security Center works with Windows security features
+
+
+
+
+The Windows Defender Security Center operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
+
+It acts as a collector or single place to see the status and perform some configuration for each of the features.
+
+Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center. The Windows Defender Security Center itself will still run and show status for the other security features.
+
+> [!IMPORTANT]
+> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center itself.
+
+For example, [using a 3rd party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus). However, the Windows Defender Security Center will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Firewall.
+
+The presence of the 3rd party antivirus will be indicated under the **Virus & threat protection** section in the Windows Defender Security Center.
+
+
+
+## More information
+
+See the following links for more information on the features in the Windows Defender Security Center:
+- Windows Defender Antivirus
+ - IT administrators and IT pros can get configuration guidance from the [Windows Defender Antivirus in the Windows Defender Security Center topic](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) and the [Windows Defender Antivirus documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
+ - Home users can learn more at the [Virus & threat protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-defender-security-center)
+- Device performance & health
+ - It administrators and IT pros can [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/load-and-unload-device-drivers), and learn how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager)
+ - Home users can learn more at the [Track your device and performance health in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012986/windows-defender-track-your-device-performance-health)
+- Windows Firewall
+ - IT administrators and IT pros can get configuration guidance from the [Windows Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security)
+ - Home users can learn more at the [Firewall & network protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012988/windows-10-firewall-network-protection-windows-defender-security-center)
+- Windows Defender SmartScreen
+ - IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
+ - Home users can learn more at the [App & browser control in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013218/windows-10-app-browser-control-in-windows-defender)
+- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
+ - Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
+
+
+
+>[!NOTE]
+>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+
+
+
+
+