Merge remote-tracking branch 'refs/remotes/origin/master' into atp-alertsuppression

This commit is contained in:
Joey Caparas 2017-06-28 16:40:29 -07:00
commit e890a2f291
17 changed files with 241 additions and 1145 deletions

View File

@ -11,6 +11,14 @@ author: jdeckerms
This topic lists new and updated topics in the Surface documentation library. This topic lists new and updated topics in the Surface documentation library.
## June 2017
|New or changed topic | Description |
| --- | --- |
|[Surface Data Eraser](microsoft-surface-data-eraser.md) | Update compatible devices, added version 3.2.36 information |
|[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) | Added version 2.0.8.0 information |
|[Surface Dock Updater](surface-dock-updater.md) | Added version 2.1.15.0 information |
## April 2017 ## April 2017
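Review bot: The Surface Data Eraser row in the new June 2017 table mixes tenses ("Update compatible devices, added version 3.2.36 information"), while the other two rows start with "Added". Change it to "Updated compatible devices, added version 3.2.36 information" so the change log reads consistently.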

View File

@ -23,6 +23,12 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
Compatible Surface devices include: Compatible Surface devices include:
- Surface Studio
- Surface Pro
- Surface Laptop
- Surface Book - Surface Book
- Surface Pro 4 - Surface Pro 4
@ -35,6 +41,9 @@ Compatible Surface devices include:
- Surface Pro 2 - Surface Pro 2
>[!NOTE]
>Surface Pro devices with 1 TB storage are not currently supported by Microsoft Surface Data Eraser.
Some scenarios where Microsoft Surface Data Eraser can be helpful include: Some scenarios where Microsoft Surface Data Eraser can be helpful include:
- Prepare a Surface device to be sent for repair - Prepare a Surface device to be sent for repair
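Review bot: The new note says Surface Pro devices with 1 TB storage "are not currently supported" but does not say what the tool does when it is started on one. For a data sanitization tool, an administrator needs to know whether it refuses to run or completes without erasing everything. Add a sentence stating the observed behavior and, if one exists, the recommended alternative for wiping those devices before repair or reassignment.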
@ -137,7 +146,20 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
8. Click the **Yes** button to continue erasing data on the Surface device. 8. Click the **Yes** button to continue erasing data on the Surface device.
  ## Changes and updates
Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
### Version 3.2.36
This version of Microsoft Surface Data Eraser adds support for the following:
- Surface Pro
- Surface Laptop
>[!NOTE]
>The Microsoft Surface Data Eraser USB drive creation tool is unable to run on Windows 10 S. To wipe a Surface Laptop running Windows 10 S, you must first create the Microsoft Surface Data Eraser USB drive on another computer with Windows 10 Pro or Windows 10 Enterprise.
   
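Review bot: The Version 3.2.36 list names only Surface Pro and Surface Laptop, but the compatible devices list earlier in this same file also gains Surface Studio in this change. Either add Surface Studio to the 3.2.36 list or state which version introduced it, so readers can tell which build of the tool they need for each device.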

View File

@ -90,6 +90,13 @@ SDA is periodically updated by Microsoft. For instructions on how these features
>[!NOTE] >[!NOTE]
>To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share. >To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share.
### Version 2.0.8.0
This version of SDA supports deployment of the following:
* Surface Pro
>[!NOTE]
>SDA version 2.0.8.0 includes support only for Surface Pro, and does not support other Surface devices such as Surface Pro 4 or Surface Book. To deploy these devices, please continue to use SDA version 1.96.0405.
   
### Version 1.96.0405 ### Version 1.96.0405
This version of SDA adds support for the following: This version of SDA adds support for the following:
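Review bot: The new 2.0.8.0 note conflicts in practice with the existing note directly above it, which says running the new installer upgrades a previous SDA installation automatically. An administrator who follows that advice on a server still used for Surface Pro 4 or Surface Book would lose support for those devices. Add an explicit warning to the 2.0.8.0 note not to upgrade in place on servers that still deploy other Surface models, or say whether 1.96.0405 and 2.0.8.0 can be installed side by side.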

View File

@ -111,6 +111,17 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app
>[!Note] >[!Note]
>Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
### Version 2.1.15.0
*Release date: June 19, 2017*
This version of Surface Dock Updater adds support for the following:
* Surface Laptop
* Surface Pro
>[!NOTE]
>The Surface Dock Updater tool is unable to run on Windows 10 S. Surface Dock devices used with Surface Laptop with Windows 10 S will receive updates natively through Windows Update. To manually update a Surface Dock for use with Surface Laptop and Windows 10 S, connect the Surface Dock to another Surface device with a Windows 10 Pro or Windows 10 Enterprise environment.
### Version 1.0.8.0 ### Version 1.0.8.0
*Release date: April 26, 2016* *Release date: April 26, 2016*
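Review bot: The callout added under Version 2.1.15.0 uses ">[!NOTE]" while the existing callout a few lines above it in this file uses ">[!Note]". Pick one casing for the file. The last sentence of the new note would also be clearer if it said that Surface Dock Updater is then run on that other Windows 10 Pro or Enterprise device, since the sentence currently only says to connect the dock.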

View File

@ -5,7 +5,6 @@ title: Microsoft Education documentation and resources | Microsoft Docs
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
author: CelesteDG author: CelesteDG
ms.author: celested ms.author: celested
ms.date: ms.date: 06/12/2017
--- ---
<div id="main" class="v2"> <div id="main" class="v2">
<div class="container"> <div class="container">

View File

@ -23,7 +23,7 @@ MDOP Group Policy templates are available for download in a self-extracting, com
**How to download and deploy the MDOP Group Policy templates** **How to download and deploy the MDOP Group Policy templates**
1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates 1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates
](https://www.microsoft.com/en-us/download/details.aspx?id=54957). ](https://www.microsoft.com/en-us/download/details.aspx?id=55531).
2. Run the downloaded file to extract the template folders. 2. Run the downloaded file to extract the template folders.

View File

@ -157,7 +157,8 @@ For more information, see [Manage settings in the Store for Business](manage-set
Microsoft Store for Business and Education is currently available in these markets. Microsoft Store for Business and Education is currently available in these markets.
<!--- <table> ### Support for free and paid apps
<table>
<tr> <tr>
<th align="center" colspan="4">Support for free and paid apps</th> <th align="center" colspan="4">Support for free and paid apps</th>
</tr> </tr>
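Review bot: The new "### Support for free and paid apps" heading is immediately followed by a table whose header cell repeats the same text, so the title will render twice. Drop the th row from the table or drop the new heading, and keep whichever matches the "### Support for free apps" sections further down.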
@ -302,185 +303,6 @@ Microsoft Store for Business and Education is currently available in these marke
</tr> </tr>
</table> </table>
<table>
<tr>
<th align="center">Support for free apps only</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Russia</li>
</ul>
</td>
</tr>
</table>
<table>
<tr>
<th align="center">Support for free apps and Minecraft: Education Edition</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Albania</li>
<li>Armenia</li>
<li>Azerbaijan</li>
<li>Belarus</li>
<li>Bosnia</li>
<li>Brazil</li>
<li>Georgia</li>
<li>India</li>
<li>Kazakhstan</li>
<li>Korea</li>
<li>Kyrgyzstan</li>
<li>Moldova</li>
<li>Taiwan</li>
<li>Tajikistan</li>
<li>Turkmenistan</li>
<li>Ukraine</li>
<li>Uzbekistan</li>
</ul>
</td>
</tr>
</table> -->
### Support for free and paid apps
<table>
<tr>
<th align="center" colspan="4">Support for free and paid apps</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Algeria</li>
<li>Angola</li>
<li>Argentina</li>
<li>Australia</li>
<li>Austria</li>
<li>Bahamas</li>
<li>Bahrain</li>
<li>Bangladesh</li>
<li>Barbados</li>
<li>Belgium</li>
<li>Belize</li>
<li>Bermuda</li>
<li>Bolivia</li>
<li>Botswana</li>
<li>Brunei Darussalam</li>
<li>Bulgaria</li>
<li>Cameroon</li>
<li>Canada</li>
<li>Republic of Cabo Verde</li>
<li>Cayman Islands</li>
<li>Chile</li>
<li>Colombia</li>
<li>Costa Rica</li>
<li>C&ocirc;te D'ivoire</li>
<li>Croatia</li>
<li>Cur&ccedil;ao</li>
<li>Cyprus</li>
<li>Czech Republic</li>
<li>Denmark</li>
</ul>
</td>
<td>
<ul>
<li>Dominican Republic</li>
<li>Ecuador</li>
<li>Egypt</li>
<li>El Salvador</li>
<li>Estonia</li>
<li>Faroe Islands</li>
<li>Fiji</li>
<li>Finland</li>
<li>France</li>
<li>Germany</li>
<li>Ghana</li>
<li>Greece</li>
<li>Guatemala</li>
<li>Honduras</li>
<li>Hong Kong SAR</li>
<li>Hungary</li>
<li>Iceland</li>
<li>Indonesia</li>
<li>Iraq</li>
<li>Ireland</li>
<li>Israel</li>
<li>Italy</li>
<li>Jamaica</li>
<li>Japan</li>
<li>Jordan</li>
<li>Kenya</li>
<li>Kuwait</li>
<li>Latvia</li>
<li>Lebanon</li>
</ul>
</td>
<td>
<ul>
<li>Libya</li>
<li>Liechtenstein</li>
<li>Lithuania</li>
<li>Luxembourg</li>
<li>Malaysia</li>
<li>Malta</li>
<li>Mauritius</li>
<li>Mexico</li>
<li>Mongolia</li>
<li>Montenegro</li>
<li>Morocco</li>
<li>Namibia</li>
<li>Netherlands</li>
<li>New Zealand</li>
<li>Nicaragua</li>
<li>Nigeria</li>
<li>Norway</li>
<li>Oman</li>
<li>Pakistan</li>
<li>Palestinian Authority</li>
<li>Panama</li>
<li>Paraguay</li>
<li>Peru</li>
<li>Philippines</li>
<li>Poland</li>
<li>Portugal</li>
<li>Puerto Rico</li>
<li>Qatar</li>
<li>Romania</li>
</ul>
</td>
<td>
<ul>
<li>Rwanda</li>
<li>Saint Kitts and Nevis</li>
<li>Saudi Arabia</li>
<li>Senegal</li>
<li>Serbia</li>
<li>Singapore</li>
<li>Slovakia</li>
<li>Slovenia</li>
<li>South Africa</li>
<li>Spain</li>
<li>Sweden</li>
<li>Switzerland</li>
<li>Tanzania</li>
<li>Thailand</li>
<li>Trinidad and Tobago</li>
<li>Tunisia</li>
<li>Turkey</li>
<li>Uganda</li>
<li>United Arab Emirates</li>
<li>United Kingdom</li>
<li>United States</li>
<li>Uruguay</li>
<li>Vietnam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>
</ul>
</td>
</tr>
</table>
### Support for free apps ### Support for free apps
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: Customers in these markets can use Microsoft Store for Business and Education to acquire free apps:
- India - India
@ -489,11 +311,17 @@ Customers in these markets can use Microsoft Store for Business and Education to
### Support for free apps and Minecraft: Education Edition ### Support for free apps and Minecraft: Education Edition
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition: Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition:
- Albania - Albania
- Aremenia
- Azerbaijan
- Belarus
- Bosnia - Bosnia
- Brazil - Brazil
- Georgia - Georgia
- Kazakhstan
- Korea - Korea
- Republic of Moldova
- Taiwan - Taiwan
- Tajikistan
- Ukraine - Ukraine
This table summarize what customers can purchase, depending on which Microsoft Store they are using. This table summarize what customers can purchase, depending on which Microsoft Store they are using.
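Review bot: The added entry "- Aremenia" is misspelled and should be "- Armenia". The added "- Republic of Moldova" also uses a long-form name while its neighbors use short forms ("Korea", "Bosnia"), so either use "Moldova" or apply long forms consistently. While in this area, the trailing context line "This table summarize" should read "This table summarizes".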

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 06/19/2017 ms.date: 06/27/2017
--- ---
# Configuration service provider reference # Configuration service provider reference
@ -26,6 +26,10 @@ Additional lists:
- [List of CSPs supported in Windows 10 S](#windows10s) - [List of CSPs supported in Windows 10 S](#windows10s)
The following tables show the configuration service providers support in Windows 10. The following tables show the configuration service providers support in Windows 10.
Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
<!--StartCSPs--> <!--StartCSPs-->
<hr/> <hr/>
@ -836,8 +840,8 @@ The following tables show the configuration service providers support in Windows
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td> <td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td> <td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr> </tr>
</table> </table>

View File

@ -36,7 +36,9 @@ Required. The root node for all settings that belong to a single management serv
Supported operation is Get. Supported operation is Get.
<a href="" id="provider-providerid"></a>**Provider/****_ProviderID_** <a href="" id="provider-providerid"></a>**Provider/****_ProviderID_**
Optional. This node contains the URI-encoded value of the bootstrapped device management accounts Provider ID. Scope is dynamic. As a best practice, use text that doesnt require XML/URI escaping. Required. This node contains the URI-encoded value of the bootstrapped device management accounts Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesnt require XML/URI escaping.
For Intune, use **MS DM Server** for Windows desktop or **SCConfigMgr** for Windows mobile for the _ProviderID_.
Supported operations are Get and Add. Supported operations are Get and Add.
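Review bot: The new Intune guidance recommends **MS DM Server** as the _ProviderID_, which contains spaces, right after the same paragraph advises using text that does not require XML/URI escaping for a value described as URI-encoded. State how the spaces must be encoded in the node path, or note that this value is an exception to the best practice. The rewritten sentence also carries two missing apostrophes ("accounts Provider ID", "doesnt") that should be fixed while the line is being touched, and since the node changes from Optional to Required it would help to say what happens when it is omitted.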

View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 06/19/2017 ms.date: 06/28/2017
--- ---
# What's new in MDM enrollment and management # What's new in MDM enrollment and management
@ -969,7 +969,6 @@ The software version information from **DevDetail/SwV** does not match the versi
- In the SyncML, you must use lowercase product ID. - In the SyncML, you must use lowercase product ID.
- Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
For additional details, see [ApplicationRestrictions in PolicyManager CSP](policymanager-csp.md#applicationmanagement-applicationrestrictions).
- Silverlight xaps may not install even if publisher policy is specified using Windows Phone 8.1 publisher rule. For example, Silverlight app "Level" will not install even if you specify &lt;Publisher PublisherName=”Microsoft Corporation” /&gt;. - Silverlight xaps may not install even if publisher policy is specified using Windows Phone 8.1 publisher rule. For example, Silverlight app "Level" will not install even if you specify &lt;Publisher PublisherName=”Microsoft Corporation” /&gt;.
@ -1232,6 +1231,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</ul> </ul>
<p>Added the following new policies for Windows 10, version 1709:</p> <p>Added the following new policies for Windows 10, version 1709:</p>
<ul> <ul>
<li>CredentialProviders/EnableWindowsAutoPilotResetCredentials</li>
<li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
<li>DeviceGuard/RequirePlatformSecurityFeatures</li>
<li>DeviceGuard/LsaCfgFlags</li>
<li>Power/DisplayOffTimeoutOnBattery</li> <li>Power/DisplayOffTimeoutOnBattery</li>
<li>Power/DisplayOffTimeoutPluggedIn</li> <li>Power/DisplayOffTimeoutPluggedIn</li>
<li>Power/HibernateTimeoutOnBattery</li> <li>Power/HibernateTimeoutOnBattery</li>
@ -1243,9 +1246,6 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
<li>Update/ScheduledInstallFourthWeek</li> <li>Update/ScheduledInstallFourthWeek</li>
<li>Update/ScheduledInstallSecondWeek</li> <li>Update/ScheduledInstallSecondWeek</li>
<li>Update/ScheduledInstallThirdWeek</li> <li>Update/ScheduledInstallThirdWeek</li>
<li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
<li>DeviceGuard/RequirePlatformSecurityFeatures</li>
<li>DeviceGuard/LsaCfgFlags</li>
</ul> </ul>
<p>EnterpriseCloudPrint/DiscoveryMaxPrinterLimit is only supported in Windows 10 Mobile and Mobile Enterprise.</p> <p>EnterpriseCloudPrint/DiscoveryMaxPrinterLimit is only supported in Windows 10 Mobile and Mobile Enterprise.</p>
</td></tr> </td></tr>
@ -1257,6 +1257,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
<li>DeviceTagging/Criticality</li> <li>DeviceTagging/Criticality</li>
</ul> </ul>
</td></tr> </td></tr>
<tr class="even">
<td style="vertical-align:top">[DynamicManagement CSP](dynamicmanagement-csp.md)</td>
<td style="vertical-align:top">The DynamicManagement CSP is not supported in Windows 10 Mobile and Mobile Enterprise. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.</td>
</tr>
</tbody> </tbody>
</table> </table>

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 06/19/2017 ms.date: 06/28/2017
--- ---
# Policy CSP # Policy CSP
@ -1781,12 +1781,15 @@ ADMX Info:
<!--StartDescription--> <!--StartDescription-->
<p style="margin-left: 20px">Specifies the BitLocker Drive Encryption method and cipher strength. <p style="margin-left: 20px">Specifies the BitLocker Drive Encryption method and cipher strength.
> [!NOTE]
> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop.
<p style="margin-left: 20px">The following list shows the supported values: <p style="margin-left: 20px">The following list shows the supported values:
- 3- AES 128-bit - 3 - AES-CBC 128-bit
- 4- AES 256 - 4 - AES-CBC 256-bit
- 6 -XTS 128 - 6 - XTS-AES 128-bit (Desktop only)
- 7 - XTS 256 - 7 - XTS-AES 256-bit (Desktop only)
<!--EndDescription--> <!--EndDescription-->
<!--EndPolicy--> <!--EndPolicy-->
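Review bot: The new note and the "(Desktop only)" labels on values 6 and 7 say where XTS-AES is supported but not what a Windows 10 Mobile device does when it receives 6 or 7. Document whether the device rejects the setting with an error or silently uses a different method, because an MDM administrator relying on this policy needs to know the effective cipher. The Markdown callout is also placed directly after an unclosed p element, so check that it renders as a note in the published page.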
@ -3759,6 +3762,41 @@ ADMX Info:
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<!--StartPolicy--> <!--StartPolicy-->
<a href="" id="credentialproviders-enablewindowsautopilotresetcredentials"></a>**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
Default value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="credentialsui-disablepasswordreveal"></a>**CredentialsUI/DisablePasswordReveal** <a href="" id="credentialsui-disablepasswordreveal"></a>**CredentialsUI/DisablePasswordReveal**
<!--StartDescription--> <!--StartDescription-->
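Review bot: The description of CredentialProviders/EnableWindowsAutoPilotResetCredentials ends with "Default value is 0." but never lists the supported values, unlike the other policies in this file. Add the usual list stating what 0 and 1 mean. The second paragraph has a typo ("the devices are for ready for use" should be "the devices are ready for use"), and "allows admin to reset devices" reads better as "allows an admin to reset devices". Because this policy exposes a credential provider that can start a device reset, it is also worth stating which accounts satisfy "the admin user is required to authenticate".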

View File

@ -7,957 +7,16 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 06/19/2017 ms.date: 06/28/2017
--- ---
# PolicyManager CSP # PolicyManager CSP
The PolicyManager configuration service provider enables the enterprise to configure company policies on Windows 10 Mobile. PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
> **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The PolicyManager CSP will be deprecated some time in the future. > **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices.
 
The PolicyManager CSP has the following sub-categories:
- PolicyManager/My/*AreaName* Handles the policy configuration request from the server.
- PolicyManager/Device/*AreaName* Provides a read-only path to policies enforced on the device.
The configuration policies for the same *AreaName* must be wrapped in an Atomic command.
The following image shows the PolicyManager configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
![provisioning\-csp\-policymanager](images/provisioning-csp-policymanager.png)
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-policymanager"></a>**./Vendor/MSFT/PolicyManager**
The root node for the PolicyManager configuration service provider.
Supported operation is Get.
<a href="" id="my"></a>**My**
Node for policies for a specific provider that can be retrieved, modified, or deleted.
Supported operation is Get.
<a href="" id="my--areaname-"></a>**My/****_&lt;AreaName&gt;_**
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
Supported operations are Add, Get, and Delete.
<a href="" id="my--areaname---policyname-"></a>**My/_&lt;AreaName&gt;_/****_&lt;PolicyName&gt;_**
Specifies the name/value pair used in the policy. The following list shows some tips to help you when configuring policies:
- Separate multistring values by the Unicode &\#xF000; in the XML file.
- End multistrings with &\#xF000; For example, One string&\#xF000;two string&\#xF000;red string&\#xF000;blue string&\#xF000;&\#xF000;. Note that a query from different caller could provide a different value as each caller could have different values for a named policy.
- In Syncml, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
- Supported operations are Add, Get, Delete, and Replace.
- Value type is string.
For possible area and policy names, see [Supported company policies](#bkmk-supportedpolicies) below.
<a href="" id="device"></a>**Device**
Groups the evaluated policies from all providers that can be configured. Supported operations is Get.
<a href="" id="device--areaname-"></a>**Device/****_&lt;AreaName&gt;_**
The area group that can be configured by a single technology independent of the providers. Supported operation is Get.
<a href="" id="device--areaname---policyname-"></a>**Device/_&lt;AreaName&gt;_/****_&lt;PolicyName&gt;_**
Specifies the name/value pair used in the policy. Supported operation is Get.
## <a href="" id="bkmk-supportedpolicies"></a>List of *&lt;AreaName&gt;*/*&lt;PolicyName&gt;*
<a href="" id="devicelock-devicepasswordenabled"></a>**DeviceLock/DevicePasswordEnabled**
Specifies whether device lock is enabled.
The following list shows the supported values:
- 0 (default) - Enabled
- 1 Disabled
> **Important**  
>The DevicePasswordEnabled setting must be set to 0 (device password is enabled) for the following settings to take effect:
>
> - AllowSimpleDevicePassword
> - MinDevicePasswordLength
> - AlphanumericDevicePasswordRequired
> - MaxDevicePasswordFailedAttempts
> - MaxInactivityTimeDeviceLock
> - MinDevicePasswordComplexCharacters
 
Supported via MDM and EAS
EAS policy name - DevicePasswordEnabled
Min policy value is the most restricted
<a href="" id="devicelock-allowsimpledevicepassword"></a>**DeviceLock/AllowSimpleDevicePassword**
Specifies whether passwords like “1111” or “1234” are allowed.
The following list shows the supported values:
- 0 - Not allowed.
- 1 (default) Allowed.
Supported via MDM and EAS
EAS policy name - AllowSimpleDevicePassword
Min policy value is the most restricted
<a href="" id="devicelock-mindevicepasswordlength"></a>**DeviceLock/MinDevicePasswordLength**
Specifies the minimum number or characters required in the PIN.
The following list shows the supported values:
- An integer X where
4 &lt;= X &lt;= 16.
- 0- Not enforced.
- Default: 4.
Supported via MDM and EAS
EAS policy name - MinDevicePasswordLength
Max policy value is the most restricted
<a href="" id="devicelock-alphanumericdevicepasswordrequired"></a>**DeviceLock/AlphanumericDevicePasswordRequired**
Determines the type of password required. This policy only applies if DevicedPasswordEnabled policy is set to 0 (required).
The following list shows the supported values:
- 0 - Alphanumeric password required.
- 1 - Numeric password required.
- 2 (default) - Users can choose: Numeric Password, or Alphanumeric Password.
Supported via MDM and EAS
EAS policy name - AlphanumericDevicePasswordRequired
Min policy value is the most restricted
<a href="" id="devicelock-devicepasswordexpiration"></a>**DeviceLock/DevicePasswordExpiration**
Specifies when the password expires (in days).
The following list shows the supported values:
- An integer X where
0 &lt;= X &lt;= 730.
- 0 (default) - Passwords do not expire.
Supported via MDM and EAS
EAS policy name - DevicePasswordExpiration
If all policy values = 0 then 0; otherwise, Min policy value is the most secure value
<a href="" id="devicelock-devicepasswordhistory"></a>**DeviceLock/DevicePasswordHistory**
Specifies how many passwords can be stored in the history that cant be used.
The following list shows the supported values:
- An integer X where
0 &lt;= X &lt;=50.
- Default: 0
Supported via MDM and EAS
EAS policy name - DevicePasswordHistory
Max policy value is the most restricted
<a href="" id="devicelock-maxdevicepasswordfailedattempts"></a>**DeviceLock/MaxDevicePasswordFailedAttempts**
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
The following list shows the supported values:
- An integer X where
0 &lt;= X &lt;= 999.
- Default: 0. The device is never wiped after wrong passwords are entered.
Supported via MDM and EAS
EAS policy name - MaxDevicePasswordFailedAttempts
If all policy values = 0 then 0; otherwise, Min policy value is the most restricted value.
<a href="" id="devicelock-maxinactivitytimedevicelock"></a>**DeviceLock/MaxInactivityTimeDeviceLock**
Specifies the amount of time (in minutes) after the device is idle that will cause the device to become password locked.
The following list shows the supported values:
- An integer X where
0 &lt;= X &lt;= 999.
- 0 (default) - No timeout is defined. The default of "0" is Mango parity and is interpreted by as "No timeout is defined."
Supported via MDM and EAS
EAS policy name - MaxInactivityTimeDeviceLock
Min policy value (except 0) is the most restricted value.
<a href="" id="devicelock-mindevicepasswordcomplexcharacters"></a>**DeviceLock/MinDevicePasswordComplexCharacters**
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password.
The following list shows the supported values:
- An integer X where
1 &lt;= X &lt;= 4.
The default value is 1.
Supported via MDM and EAS.
EAS policy name - MinDevicePasswordComplexCharacters
Max policy value is the most restricted
<a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**
Force the user to input password every time the device returns from an idle state.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 - user is not able to set the password grace period timer, and the value is set as "each time."
1 (default) - user is able to set the password grace period timer.
Supported via MDM and EAS.
Most restricted value is 0.
<a href="" id="wifi-allowwifi"></a>**WiFi/AllowWiFi**
Allow or disallow Wi-Fi connection. (Configurable by Exchange as well definition will be consistent with EAS definition.)
> **Note**  The policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Use Wi-Fi connection is disallowed.
- 1 (default) Use Wi-Fi connection is allowed.
Supported via MDM and EAS.
EAS policy name - AllowWiFi
Most restricted value is 0.
<a href="" id="wifi-allowinternetsharing"></a>**WiFi/AllowInternetSharing**
Allow or disallow internet sharing.
(Configurable by Exchange as well definition will be consistent with EAS definition.)
The following list shows the supported values:
- 0 Do not allow the use of Internet Sharing.
- 1 (default) Allow the use of Internet Sharing.
Supported via MDM and EAS.
EAS policy name - AllowInternetSharing
Most restricted value is 0.
<a href="" id="wifi-allowautoconnecttowifisensehotspots"></a>**WiFi/AllowAutoConnectToWiFiSenseHotspots**
Allow or disallow the device to automatically connect to Wi-Fi hotspots and friend social network.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="wifi-allowwifihotspotreporting"></a>**WiFi/AllowWiFiHotSpotReporting**
Allow or disallow Wi-Fi Hotspot information reporting to Microsoft. Once disallowed, the user cannot turn it on.
The following list shows the supported values:
- 0 HotSpot reporting is not allowed.
- 1 (default) HotSpot reporting is allowed.
Most restricted value is 0.
<a href="" id="wifi-allowmanualwificonfiguration"></a>**WiFi/AllowManualWiFiConfiguration**
Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
> **Note**  The policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 No Wi-Fi connection outside of MDM provisioned network is allowed.
- 1 (default) Adding new network SSIDs beyond the already MDM provisioned ones is allowed.
Most restricted value is 0.
<a href="" id="connectivity-allownfc"></a>**Connectivity/AllowNFC**
Allow or disallow near field communication (NFC) on the device.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Do not allow NFC capabilities.
- 1 (default) Allow NFC capabilities.
Most restricted value is 0.
<a href="" id="connectivity-allowcellulardataroaming"></a>**Connectivity/AllowCellularDataRoaming**
Allows or disallows cellular data roaming on the device.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="connectivity-allowusbconnection"></a>**Connectivity/AllowUSBConnection**
Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 - Not allowed.
- 1 (default) - Allowed.
Most restricted value is 0.
<a href="" id="connectivity-allowvpnovercellular"></a>**Connectivity/AllowVPNOverCellular**
This policy specifies what type of underlying connections VPN is allowed to use.
The following list shows the supported values:
- 0 - VPN is not allowed over cellular.
- 1 (default) VPN could use any connection including cellular.
Most restricted value is 0.
<a href="" id="connectivity-allowvpnroamingovercellular"></a>**Connectivity/AllowVPNRoamingOverCellular**
This policy, when enforced, will prevent the device from connecting VPN when the device roams over cellular networks.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) - Allowed.
Most restricted value is 0.
<a href="" id="connectivity-allowbluetooth"></a>**Connectivity/AllowBluetooth**
Allow the user to enable Bluetooth or restrict access.
The following list shows the possible values:
- 0 Disable Bluetooth.
- 1 Not supported in Windows 10 Mobile for MDM and EAS Disable Bluetooth, but allow the configuration of hands-free profiles.
- 2 (default) Allow Bluetooth.
Supported via MDM and EAS.
EAS policy name - AllowBluetooth
Most restricted value is 0.
<a href="" id="system-allowstoragecard"></a>**System/AllowStorageCard**
Controls whether the user is allowed to use the storage card for device storage. This setting does not prevent programmatic access to the storage card, it only prevents the user from using the card as a storage location.
The following list shows the supported values:
- 0 SD card use is not allowed. This does not prevent programmatic access to the storage card.
- 1 (default) Allow a storage card.
EAS policy name - AllowStorageCard
Most restricted value is 0.
<a href="" id="system-allowlocation"></a>**System/AllowLocation**
Specifies whether to allow a location service.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="system-allowtelemetry"></a>**System/AllowTelemetry**
Allow the device to send telemetry information (such as Software Quality Management (SQM) and Watson).
The following list shows the supported values:
- 0 Not allowed.
- 1 Allowed, except for Secondary Data Requests.
- 2 (default) Allowed.
Most restricted value is 0.
<a href="" id="system-allowusertoresetphone"></a>**System/AllowUserToResetPhone**
Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the possible values:
- 0 - Not allowed.
- 1 (default) - Allowed to reset to factory default settings.
Most restricted value is 0.
<a href="" id="experience-allowsaveasofofficefiles"></a>**Experience/AllowSaveAsOfOfficeFiles**
Specifies whether the user is allowed to save a file on the device as an office file.
> **Note**  This policy is not supported and deprecated in Windows 10.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="experience-allowcopypaste"></a>**Experience/AllowCopyPaste**
Specifies whether copy and paste is allowed.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**
Specifies whether screen capture is allowed.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="experience-allowvoicerecording"></a>**Experience/AllowVoiceRecording**
Specifies whether voice recording is allowed.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="experience-allowcortana"></a>**Experience/AllowCortana**
Specifies whether Cortana is allowed on the device.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="experience-allowsyncmysettings"></a>**Experience/AllowSyncMySettings**
Allows the enterprise to disallow roaming settings among devices (in/from a device). If not enforced, whether or not roaming is allowed may depend on other factors.
The following list shows the supported values:
- 0 Roaming is not allowed.
- 1 (default) The enterprise does not enforce roaming restrictions.
Most restricted value is 0.
<a href="" id="-experience-allowmanualmdmunenrollment"></a> **Experience/AllowManualMDMUnenrollment**
Specifies whether to allow the user to delete the workplace account using the workplace control panel. The MDM server can always remotely delete the account.
- 0 - Not allowed server.
- 1 Allowed.
Most restricted value is 0.
<a href="" id="-experience-allowsharingofofficefiles"></a> **Experience/AllowSharingOfOfficeFiles**
Specifies whether the user is allowed to share Office files.
The following list shows the supported values:
> **Note**  This policy is not supported in Windows 10.
 
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="accounts-allowmicrosoftaccountconnection"></a>**Accounts/AllowMicrosoftAccountConnection**
Specifies whether user is allowed to use an MSA account for non-email related connection authentication and services.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="accounts-allowaddingnonmicrosoftaccountsmanually"></a>**Accounts/AllowAddingNonMicrosoftAccountsManually**
Specifies whether user is allowed to add non-MSA email accounts.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="security-allowmanualrootcertificateinstallation"></a>**Security/AllowManualRootCertificateInstallation**
Specifies whether the user is allowed to manually install root and intermediate CAP certificates.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="security-requiredeviceencryption"></a>**Security/RequireDeviceEncryption**
Allows enterprise to turn on internal storage encryption. Note that once turned on, it cannot be turned off via policy.
The following list shows the supported values:
- 0 (default) Encryption is not required.
- 1 Encryption is required.
Supported via MDM and EAS.
EAS policy name - RequireDeviceEncryption
Most restricted value is 1.
<a href="" id="browser-allowbrowser"></a>**Browser/AllowBrowser**
Specifies whether Internet Explorer is allowed in the device.
> **Note**  This policy in only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Supported via MDM and EAS.
EAS policy name - AllowBrowser
Most restricted value is 0.
<a href="" id="camera-allowcamera"></a>**Camera/AllowCamera**
Disables or enables the camera.
The following list shows the supported values:
- 0 Use of camera is disallowed.
- 1 (default) Use of camera is allowed.
Most restricted value is 0.
<a href="" id="applicationmanagement-allowstore"></a>**ApplicationManagement/AllowStore**
Specifies whether app store is allowed at the device.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="applicationmanagement-applicationrestrictions"></a>**ApplicationManagement/ApplicationRestrictions**
An XML blob that specifies the application restrictions company want to put to the device. It could be app allow list, app disallow list, allowed publisher IDs, etc. An application that is running may not be immediately terminated.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
> **Note**  List of known issues:
- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
Here's additional guidance for the upgrade process:
- Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
- Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
- In the SyncML, you must use lowercase product ID.
- Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
For a sample SyncML, see [Examples](#examples).
- You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
- When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework Id to your list of allowed apps.
``` syntax
<App ProductId="{00000000-0000-0000-0000-000000000000}" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" />
```
 
Value type is chr.
Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
<a href="" id="applicationmanagement-allowdeveloperunlock"></a>**ApplicationManagement/AllowDeveloperUnlock**
Specifies whether developer unlock is allowed at the device.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="search-allowsearchtouselocation"></a>**Search/AllowSearchToUseLocation**
Specifies whether search could leverage location information.
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="search-safesearchpermissions"></a>**Search/SafeSearchPermissions**
Specifies what level of safe search (filtering adult content) is required.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Strict, highest filtering against adult content.
- 1 (default) Moderate filtering against adult content (valid search results will not be filtered.
Most restricted value is 0.
<a href="" id="search-allowstoringimagesfromvisionsearch"></a>**Search/AllowStoringImagesFromVisionSearch**
Specifies whether to allow Bing Vision to store the contents of the images captured when performing Bing Vision search.
> **Note**  This policy is not supported in Windows 10.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
<a href="" id="abovelock-allowactioncenternotifications"></a>**AboveLock/AllowActionCenterNotifications**
Specifies whether to allow action center notifications above the device lock screen.
> **Note**  This policy is only supported in Windows 10 Mobile.
 
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
Most restricted value is 0.
## Examples
Here is an example SyncML for ApplicationRestrictions for adding all the inbox apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>144-0</CmdID>
<Replace>
<CmdID>144-1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
&lt;AppPolicy Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/phone/2013/policy&quot;&gt;
&lt;Allow&gt;
&lt;!-- Alarms and clock --&gt;
&lt;App ProductId=&quot;{44f7d2b4-553d-4bec-a8b7-634ce897ed5f}&quot; /&gt;
&lt;!--Calculator --&gt;
&lt;App ProductId=&quot;{b58171c6-c70c-4266-a2e8-8f9c994f4456}&quot; /&gt;
&lt;!--Camera --&gt;
&lt;App ProductId=&quot;{f0d8fefd-31cd-43a1-a45a-d0276db069f1}&quot; /&gt;
&lt;App ProductId=&quot;{0db5fcff-4544-458a-b320-e352dfd9ca2b}&quot; /&gt;
&lt;!--Cortana --&gt;
&lt;App ProductId=&quot;{fd68dcf4-166f-4c55-a4ca-348020f71b94}&quot; /&gt;
&lt;!--Excel --&gt;
&lt;App ProductId=&quot;{ead3e7c0-fae6-4603-8699-6a448138f4dc}&quot; /&gt;
&lt;!--Facebook --&gt;
&lt;App ProductId=&quot;{82a23635-5bd9-df11-a844-00237de2db9e}&quot; /&gt;
&lt;!--File Explorer --&gt;
&lt;App ProductId=&quot;{c5e2524a-ea46-4f67-841f-6a9465d9d515}&quot; /&gt;
&lt;!--FM Radio --&gt;
&lt;App ProductId=&quot;{f725010e-455d-4c09-ac48-bcdef0d4b626}&quot; /&gt;
&lt;!--Get Started --&gt;
&lt;App ProductId=&quot;{b3726308-3d74-4a14-a84c-867c8c735c3c}&quot; /&gt;
&lt;!--Groove Music --&gt;
&lt;App ProductId=&quot;{d2b6a184-da39-4c9a-9e0a-8b589b03dec0}&quot; /&gt;
&lt;!--Maps --&gt;
&lt;App ProductId=&quot;{ed27a07e-af57-416b-bc0c-2596b622ef7d}&quot; /&gt;
&lt;!--Messaging --&gt;
&lt;App ProductId=&quot;{27e26f40-e031-48a6-b130-d1f20388991a}&quot; /&gt;
&lt;!--Microsoft Edge --&gt;
&lt;App ProductId=&quot;{395589fb-5884-4709-b9df-f7d558663ffd}&quot; /&gt;
&lt;!--Money --&gt;
&lt;App ProductId=&quot;{1e0440f1-7abf-4b9a-863d-177970eefb5e}&quot; /&gt;
&lt;!--Movies and TV --&gt;
&lt;App ProductId=&quot;{6affe59e-0467-4701-851f-7ac026e21665}&quot; /&gt;
&lt;!--News --&gt;
&lt;App ProductId=&quot;{9c3e8cad-6702-4842-8f61-b8b33cc9caf1}&quot; /&gt;
&lt;!--OneDrive --&gt;
&lt;App ProductId=&quot;{ad543082-80ec-45bb-aa02-ffe7f4182ba8}&quot; /&gt;
&lt;!--OneNote --&gt;
&lt;App ProductId=&quot;{ca05b3ab-f157-450c-8c49-a1f127f5e71d}&quot; /&gt;
&lt;!--Outlook Mail Calendar --&gt;
&lt;App ProductId=&quot;{a558feba-85d7-4665-b5d8-a2ff9c19799b}&quot; /&gt;
&lt;!--People --&gt;
&lt;App ProductId=&quot;{60be1fb8-3291-4b21-bd39-2221ab166481}&quot; /&gt;
&lt;!--Phone (dialer) --&gt;
&lt;App ProductId=&quot;{f41b5d0e-ee94-4f47-9cfe-3d3934c5a2c7}&quot; /&gt;
&lt;!--Photos --&gt;
&lt;App ProductId=&quot;{fca55e1b-b9a4-4289-882f-084ef4145005}&quot; /&gt;
&lt;!--Podcasts --&gt;
&lt;App ProductId=&quot;{c3215724-b279-4206-8c3e-61d1a9d63ed3}&quot; /&gt;
&lt;!--Powerpoint --&gt;
&lt;App ProductId=&quot;{b50483c4-8046-4e1b-81ba-590b24935798}&quot; /&gt;
&lt;!--Settings --&gt;
&lt;App ProductId=&quot;{2a4e62d8-8809-4787-89f8-69d0f01654fb}&quot; /&gt;
&lt;!--Skype --&gt;
&lt;App ProductId=&quot;{c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51}&quot; /&gt;
&lt;!--Skype Video GUID is same as Messaging --&gt;
&lt;!--Sports --&gt;
&lt;App ProductId=&quot;{0f4c8c7e-7114-4e1e-a84c-50664db13b17}&quot; /&gt;
&lt;!--Storage --&gt;
&lt;App ProductId=&quot;{5b04b775-356b-4aa0-aaf8-6491ffea564d}&quot; /&gt;
&lt;!--Store --&gt;
&lt;App ProductId=&quot;{7d47d89a-7900-47c5-93f2-46eb6d94c159}&quot; /&gt;
&lt;!--Voice recorder --&gt;
&lt;App ProductId=&quot;{7311b9c5-a4e9-4c74-bc3c-55b06ba95ad0}&quot; /&gt;
&lt;!--Wallet --&gt;
&lt;App ProductId=&quot;{587a4577-7868-4745-a29e-f996203f1462}&quot; /&gt;
&lt;!--Weather --&gt;
&lt;App ProductId=&quot;{63c2a117-8604-44e7-8cef-df10be3a57c8}&quot; /&gt;
&lt;App ProductId=&quot;{7604089d-d13f-4a2d-9998-33fc02b63ce3}&quot; /&gt;
&lt;!--Word --&gt;
&lt;App ProductId=&quot;{258f115c-48f4-4adb-9a68-1387e634459b}&quot; /&gt;
&lt;!--Xbox --&gt;
&lt;App ProductId=&quot;{b806836f-eebe-41c9-8669-19e243b81b83}&quot; /&gt;
&lt;!-- CloudExperienceHost --&gt;
&lt;App ProductId=&quot;{3a4fae89-7b7e-44b4-867b-f7e2772b8253}&quot; /&gt;
&lt;!-- AAD BrokerPlugin --&gt;
&lt;App ProductId=&quot;{e5f8b2c4-75ae-45ee-9be8-212e34f77747}&quot; /&gt;
&lt;!-- Ringtone --&gt;
&lt;App ProductId=&quot;{3e962450-486b-406b-abb5-d38b4ee7e6fe}&quot; /&gt;
&lt;!-- Advanced Info --&gt;
&lt;App ProductId=&quot;{b6e3e590-9fa5-40c0-86ac-ef475de98e88}&quot; /&gt;
&lt;!-- Glance --&gt;
&lt;App ProductId=&quot;{106e0a97-8b19-42cf-8879-a8ed2598fcbb}&quot; /&gt;
&lt;!-- Connect --&gt;
&lt;App ProductId=&quot;{af7d2801-56c0-4eb1-824b-dd91cdf7ece5}&quot; /&gt;
&lt;!-- Miracast View --&gt;
&lt;App ProductId=&quot;{906beeda-b7e6-4ddc-ba8d-ad5031223ef9}&quot; /&gt;
&lt;!-- PrintDialog --&gt;
&lt;App ProductId=&quot;{0d32eeb1-32f0-40da-8558-cea6fcbec4a4}&quot; /&gt;
&lt;!-- Music downloads--&gt;
&lt;App ProductId=&quot;{3da8a0c1-f7e5-47c0-a680-be8fd013f747}&quot; /&gt;
&lt;!-- App downloads--&gt;
&lt;App ProductId=&quot;{20bf77a0-19c7-4daa-8db5-bc3dfdfa44ac}&quot; /&gt;
&lt;!-- Podcast downloads--&gt;
&lt;App ProductId=&quot;{063773e7-f26f-4a92-81f0-aa71a1161e30}&quot; /&gt;
&lt;!-- Email and accounts--&gt;
&lt;App ProductId=&quot;{39cf127b-8c67-c149-539a-c02271d07060}&quot; /&gt;
&lt;!-- Assigned Access Lock app--&gt;
&lt;App ProductId=&quot;{b84f4722-313e-4f85-8f41-cf5417c9c5cb}&quot; /&gt;
&lt;!-- Windows Hello Setup--&gt;
&lt;App ProductId=&quot;{01293c37-72ec-3c8b-0eb3-1de4f7d0cdc4}&quot; /&gt;
&lt;!-- Purchase Dialog--&gt;
&lt;App ProductId=&quot;{c60e79ca-063b-4e5d-9177-1309357b2c3f}&quot; /&gt;
&lt;!-- Xbox Identity Provider--&gt;
&lt;App ProductId=&quot;{ba88225b-059a-45a2-a8eb-d3580283e49d}&quot; /&gt;
&lt;!-- Block and Filter--&gt;
&lt;App ProductId=&quot;{59553c14-5701-49a2-9909-264d034deb3d}&quot; /&gt;
&lt;!-- Sharing--&gt;
&lt;App ProductId=&quot;{b0894dfd-4671-4bb9-bc17-a8b39947ffb6}&quot; /&gt;
&lt;!-- Setup wizard--&gt;
&lt;App ProductId=&quot;{07d87655-e4f0-474b-895a-773790ad4a32}&quot; /&gt;
&lt;!-- Phone Reset Dialog--&gt;
&lt;App ProductId=&quot;{2864278d-09b5-46f7-b502-1c24139ecbdd}&quot; /&gt;
&lt;!-- SaveRingtone--&gt;
&lt;App ProductId=&quot;{d8cf8ec7-ec6d-4892-aab9-1e3a4b5fa24b}&quot; /&gt;
&lt;!-- HAP Update Background Worker--&gt;
&lt;App ProductId=&quot;{73c73cdd-4dea-462c-bd83-fa983056a4ef}&quot; /&gt;
&lt;!-- Windows Default Lock Screen--&gt;
&lt;App ProductId=&quot;{cdd63e31-9307-4ccb-ab62-1ffa5721b503}&quot; /&gt;
&lt;!-- navigation bar--&gt;
&lt;App ProductId=&quot;{2cd23676-8f68-4d07-8dd2-e693d4b01279}&quot; /&gt;
&lt;!-- SSMHost--&gt;
&lt;App ProductId=&quot;{e232aa77-2b6d-442c-b0c3-f3bb9788af2a}&quot; /&gt;
&lt;!-- Bing lock images--&gt;
&lt;App ProductId=&quot;{5f28c179-2780-41df-b966-27807b8de02c}&quot; /&gt;
&lt;!-- CertInstaller--&gt;
&lt;App ProductId=&quot;{4c4ad968-7100-49de-8cd1-402e198d869e}&quot; /&gt;
&lt;!-- Age Out Worker--&gt;
&lt;App ProductId=&quot;{09296e27-c9f3-4ab9-aa76-ecc4497d94bb}&quot; /&gt;
&lt;!-- EnterpriseInstall App--&gt;
&lt;App ProductId=&quot;{da52fa01-ac0f-479d-957f-bfe4595941cb}&quot; /&gt;
&lt;!-- Hands-Free Activation--&gt;
&lt;App ProductId=&quot;{df6c9621-e873-4e86-bb56-93e9f21b1d6f}&quot; /&gt;
&lt;!-- Hands-Free Activation--&gt;
&lt;App ProductId=&quot;{72803bd5-4f36-41a4-a349-e83e027c4722}&quot; /&gt;
&lt;!--Field Medic --&gt;
&lt;App ProductId=&quot;{73c58570-d5a7-46f8-b1b2-2a90024fc29c}&quot; /&gt;
&lt;!--Windows Insider --&gt;
&lt;App ProductId=&quot;{ed2b1421-6414-4544-bd8d-06d58ee402a5}&quot; /&gt;
&lt;!-- Microsoft Frameworks --&gt;
&lt;App ProductId=&quot;{00000000-0000-0000-0000-000000000000}&quot; PublisherName=&quot;CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&quot; /&gt;
&lt;/Allow&gt;
&lt;/AppPolicy&gt;
</Data>
</Item>
</Replace>
</Atomic>
<Final />
</SyncBody>
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
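Review bot: in the Experience/AllowManualMDMUnenrollment entry the value list is incomplete: the first item reads "0 - Not allowed server." with a stray trailing word, neither value is marked as the default, and the "The following list shows the supported values:" line that the other policies carry is missing. Since this policy decides whether a user can remove the device from management, state the default explicitly. In the same file, Experience/AllowSharingOfOfficeFiles has its Note placed between the list lead-in and the list, Security/AllowManualRootCertificateInstallation says "CAP certificates" where "CA certificates" looks intended, Search/SafeSearchPermissions leaves a parenthesis unclosed, and the sample SyncML labels two different ProductIds with the same "Hands-Free Activation" comment.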
 
 

View File

@ -0,0 +1,107 @@
---
title: Overview of Windows AutoPilot
description: This topic goes over Auto-Pilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
---
# Overview of Windows AutoPilot
**Applies to**
- Windows 10
Windows AutoPilot is a collection of technologies used to setup and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.</br>
This solution enables the IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
## Benefits of Windows AutoPilot
Traditionally, IT Pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach.
From the users' perspective, it only takes a few simple operations to make their device ready to use.
From the IT Pros' perspective, the only interaction required from the end-user, is to connect to a network and to verify their credentials. Everything past that is automated.
Windows AutoPilot allows you to:
* Automatically join devices to Azure Active Directory
* Auto-enroll devices into MDM services, such as Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
* Restrict the Administrator account creation
* Create and auto-assign devices to configuration groups based on the devices' profile
* Customize OOBE content specific to the organization
### Prerequisites
* [Devices must be registered to the organization](#registering-devices-to-your-organization)
* Devices have to be pre-installed with Windows 10, version 1703 or later
* Devices must have access to the internet
* [Azure AD premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
* Microsoft Intune or other MDM services to manage your devices
## Windows AutoPilot Scenarios
### Cloud-Driven
The Cloud-Driven scenario enables you to pre-register devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
#### The Windows AutoPilot Deployment Program experience
The end user unboxes and turns on a new device. What follows are a few simple configuration steps:
* Select a language and keyboard layout
* Connect to the network
* Provide email address (the email of the user's Azure Active Directory account) and password
Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure Active Directory, enrolled in Microsoft Intune (or any other MDM service).
MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
</br>
<iframe width="560" height="315" align="center" src="https://www.youtube.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
#### Registering devices to your organization
In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
If you would like to capture that information by yourself, the following PowerShell script will generate a text file with the device's hardware ID.
```PowerShell
$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"
```
>[!NOTE]
>This PowerShell script requires elevated permissions. The output format might not fit the upload method. Check out the [Microsoft Store for Business](/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) for additional guidance.
By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization.
Additional options and customization is available through these portals to pre-configure the devices.
Options available for Windows 10, Version 1703:
* Skipping Work or Home usage selection (*Automatic*)
* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
* Skipping privacy settings
* Preventing the account used to set-up the device from getting local administrator permissions
Additional options we are working on for the next Windows 10 release:
* Skipping EULA
* Personalizing the setup experience
* MDM Support
To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot).
### IT-Driven
If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with WCD, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
### Teacher-Driven
If you're an IT Pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details.
## Ensuring your device can be auto-enrolled to MDM
In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please follow [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details.
>[!NOTE]
>MDM Auto-enrollment requires an Azure AD Premium P1 or P2 subscription.
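Review bot: the opening sentence of the IT-Driven section is missing its object: "If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions" never says what is being used, so name the tool or drop "to use". Smaller points in this new file: the line breaks are written as `</br>`, which is not a valid tag (use `<br/>`); the Set Up School PCs store link uses http:// while the Windows Configuration Designer store link just above it uses https://; and the description spells the product "Auto-Pilot" while the title and body use "AutoPilot".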

View File

@ -38,7 +38,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- csi.exe - csi.exe
- dnx.exe - dnx.exe
- fsi.exe - fsi.exe
- fsiAnyCpu.exe
- kd.exe - kd.exe
- ntkd.exe
- lxssmanager.dll - lxssmanager.dll
- msbuild.exe<sup>[1]</sup> - msbuild.exe<sup>[1]</sup>
- mshta.exe - mshta.exe
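Review bot: ntkd.exe is inserted between kd.exe and lxssmanager.dll, which breaks the alphabetical order the visible part of this list otherwise follows (csi, dnx, fsi, fsiAnyCpu, kd, lxssmanager, msbuild, mshta). Keeping kd.exe and ntkd.exe adjacent is defensible, but if the list is meant to be sorted, move ntkd.exe to its sorted position so later additions are easy to place and duplicates are easy to spot.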
@ -59,6 +61,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Matt Graeber | @mattifestation| |Matt Graeber | @mattifestation|
|Matt Nelson | @enigma0x3| |Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe| |Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu|
<br /> <br />
@ -101,6 +104,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion = "4.21.0.0" /> <Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion = "4.21.0.0" />
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_NTKD" FriendlyName="ntkd.exe" FileName="ntkd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
@ -110,6 +114,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_SMA" FriendlyName="System.Management.Automation.dll" FileName="System.Management.Automation.dll" MinimumFileVersion = "10.0.16215.999" /> <Deny ID="ID_DENY_SMA" FriendlyName="System.Management.Automation.dll" FileName="System.Management.Automation.dll" MinimumFileVersion = "10.0.16215.999" />
@ -166,6 +171,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_BGINFO"/> <FileRuleRef RuleID="ID_DENY_BGINFO"/>
<FileRuleRef RuleID="ID_DENY_CBD"/> <FileRuleRef RuleID="ID_DENY_CBD"/>
<FileRuleRef RuleID="ID_DENY_KD"/> <FileRuleRef RuleID="ID_DENY_KD"/>
<FileRuleRef RuleID="ID_DENY_NTKD"/>
<FileRuleRef RuleID="ID_DENY_WINDBG"/> <FileRuleRef RuleID="ID_DENY_WINDBG"/>
<FileRuleRef RuleID="ID_DENY_MSBUILD"/> <FileRuleRef RuleID="ID_DENY_MSBUILD"/>
<FileRuleRef RuleID="ID_DENY_CSI"/> <FileRuleRef RuleID="ID_DENY_CSI"/>
@ -175,6 +181,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_LXSS"/> <FileRuleRef RuleID="ID_DENY_LXSS"/>
<FileRuleRef RuleID="ID_DENY_BASH"/> <FileRuleRef RuleID="ID_DENY_BASH"/>
<FileRuleRef RuleID="ID_DENY_FSI"/> <FileRuleRef RuleID="ID_DENY_FSI"/>
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU"/>
<FileRuleRef RuleID="ID_DENY_MSHTA"/> <FileRuleRef RuleID="ID_DENY_MSHTA"/>
<FileRuleRef RuleID="ID_DENY_SMA"/> <FileRuleRef RuleID="ID_DENY_SMA"/>
<FileRuleRef RuleID="ID_DENY_D_1" /> <FileRuleRef RuleID="ID_DENY_D_1" />

View File

@ -84,7 +84,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) page). - Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn91508.aspx) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
### IoT Core ### IoT Core
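Review bot: the rewritten Minimum hardware requirements link changes the target from `dn915086(v=vs.85).aspx` to `dn91508.aspx`; dropping the version suffix is fine, but the final 6 of the library ID went with it, so the new URL very likely no longer points at the same page. Restore it as `dn915086.aspx` and check that the link resolves. While this line is being touched, "a existing model" could also be corrected to "an existing model".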

View File

@ -18,7 +18,7 @@ author: iaanw
**Applies to:** **Applies to:**
- Windows 10, version 1703 - Windows 10
**Audience** **Audience**
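Review bot: replacing "Windows 10, version 1703" with plain "Windows 10" under Applies to widens the stated scope to every Windows 10 release. If any setting in this topic only exists from version 1703 onward, keep the version here or call it out next to the affected setting.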

View File

@ -45,7 +45,7 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`. The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
The registry value `TelemetryProxyServer` takes the following string format: The registry value `TelemetryProxyServer` takes the following string format: