diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 240bcc485e..74d61c7720 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -33,6 +33,7 @@ ### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) ### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) ### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) +### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) ### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) ### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 60353013ed..6fc60ccb51 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -18,9 +18,14 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac ## August 2017 -New or changed topic | Description ---- | --- + +| New or changed topic | Description | +| --- | --- | [Accessibility](accessibility-surface-hub.md) | Added information about Narrator +[Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | New + + + ## July 2017 diff --git a/devices/surface-hub/images/approve-signin.png b/devices/surface-hub/images/approve-signin.png new file mode 100644 index 0000000000..7736b95431 Binary files /dev/null and b/devices/surface-hub/images/approve-signin.png differ diff --git a/devices/surface-hub/images/approve-signin2.png b/devices/surface-hub/images/approve-signin2.png new file mode 100644 index 0000000000..2ccfc40ecc Binary files /dev/null and b/devices/surface-hub/images/approve-signin2.png differ 
diff --git a/devices/surface-hub/images/attendees.png b/devices/surface-hub/images/attendees.png new file mode 100644 index 0000000000..fd468aa971 Binary files /dev/null and b/devices/surface-hub/images/attendees.png differ diff --git a/devices/surface-hub/images/mfa-options.png b/devices/surface-hub/images/mfa-options.png new file mode 100644 index 0000000000..5bd3defd01 Binary files /dev/null and b/devices/surface-hub/images/mfa-options.png differ diff --git a/devices/surface-hub/images/sign-in.png b/devices/surface-hub/images/sign-in.png new file mode 100644 index 0000000000..bd34f642a7 Binary files /dev/null and b/devices/surface-hub/images/sign-in.png differ diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index ce6d076d19..25cca9e168 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md 
@@ -34,6 +34,7 @@ Learn about managing and updating Surface Hub. | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.| | [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. | | [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.| +| [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. | | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.| | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. | diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md new file mode 100644 index 0000000000..d859d73c38 --- /dev/null +++ b/devices/surface-hub/surface-hub-authenticator-app.md 
@@ -0,0 +1,89 @@ +--- +title: Sign in to Surface Hub with Microsoft Authenticator +description: Use Microsoft Authenticator on your mobile device to sign in to Surface Hub. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerms +ms.author: jdecker +ms.date: 07/27/2017 +localizationpriority: medium +--- + +# Sign in to Surface Hub with Microsoft Authenticator + +People in your organization can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. + + +## Organization prerequisites + +To let people in your organization sign in to Surface Hub with their phones and other devices instead of a password, you’ll need to make sure that your organization meets these prerequisites: + +- Your organization must be a hybrid or cloud-only organization, backed by Azure Active Directory (Azure AD). For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-whatis) + +- Make sure you have at minimum an Office 365 E3 subscription. + +- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Make sure **Notification through mobile app** is selected. + + ![multi-factor authentication options](images/mfa-options.png) + +- Enable content hosting on Azure AD services such as Office online, SharePoint, etc. + +- Surface Hub must be running Windows 10, version 1703 or later. + +- Surface Hub is set up with either a local or domain-joined account. + +Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to an Active Directory domain or to Azure AD. 
+ +## Individual prerequisites + +- An Android phone running 6.0 or later, or an iPhone or iPad running iOS9 or later + +- The most recent version of the Microsoft Authenticator app from the appropriate app store + >[!NOTE] + >On iOS, the app version must be 5.4.0 or higher. + > + >The Microsoft Authenticator app on phones running a Windows operating system can't be used to sign in to Surface Hub. + +- Passcode or screen lock on your device is enabled + +- A standard SMTP email address (example: joe@contoso.com). Non-standard or vanity SMTP email addresses (example: firstname.lastname@contoso.com) currently don’t work. + + +## How to set up the Microsoft Authenticator app + +>[!NOTE] +>If Company Portal is installed on your Android device, uninstall it before you set up Microsoft Authenticator. After you set up the app, you can reinstall Company Portal. +> +>If you have already set up Microsoft Authenticator on your phone and registered your device, go to the [sign-in instructions](#signin). + +1. Add your work or school account to Microsoft Authenticator for Multi-Factor Authentication. You will need a QR code provided by your IT department. For help, see [Get started with the Microsoft Authenticator app](https://docs.microsoft.com/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to). +2. Go to **Settings** and register your device. +1. Return to the accounts page and choose **Enable phone sign-in** from the account dropdown menu. + + + +## How to sign in to Surface Hub during a meeting + +1. After you’ve set up a meeting, go to the Surface Hub and select **Sign in to see your meetings and files**. + + >[!NOTE] + >If you’re not sure how to schedule a meeting on a Surface Hub, see [Schedule a meeting on Surface Hub](https://support.microsoft.com/help/17325/surfacehub-schedulemeeting). + + ![screenshot of Sign in option on Surface Hub](images/sign-in.png) + +2. You’ll see a list of the people invited to the meeting. 
Select yourself (or the person who wants to sign in – make sure this person has gone through the steps to set up their device before your meeting), and then select **Continue**. + + ![screenshot of list of attendees in a meeting](images/attendees.png) + + You'll see a code on the Surface Hub. + + ![screenshot of code for Approve Sign in](images/approve-signin.png) + +3. To approve the sign-in, open the Authenticator app, enter the four-digit code that’s displayed on the Surface Hub, and select **Approve**. You will then be asked to enter the PIN or use your fingerprint to complete the sign in. + + ![screenshot of the Approve sign-in screen in Microsoft Authenticator](images/approve-signin2.png) + +You can now access all files through the OneDrive app. + diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md index 0adb44a4fc..10a0151d96 100644 --- a/devices/surface-hub/surface-hub-downloads.md +++ b/devices/surface-hub/surface-hub-downloads.md 
@@ -23,7 +23,7 @@ This topic provides links to useful Surface Hub documents, such as product datas | [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. | | [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. | | [Surface Hub SSD Replacement Guide (PDF)](https://www.microsoft.com/surface/en-us/support/surfacehubssd) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. | -| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface%20Hub%20RASK.zip) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. | +| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. 
The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. | | [Unpacking Guide for 84-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-84) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) | | [Unpacking Guide for 55-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-55) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) | | [Wall Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-wall-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) | diff --git a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md index b0f7f20fd2..5753d059e3 100644 --- a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md +++ b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md 
@@ -189,7 +189,7 @@ The available image file types are: - **Windows Imaging File (WIM)** - used to deploy DaRT to a preboot execution environment (PXE) or local partition). -- **International Standards Organization (ISO)** – used to deploy to CD or DVD, or for use in virtual machines (VM)s). The wizard requires that the ISO image have an .iso file name extension because most programs that burn a CD or DVD require that extension. If you do not specify a different location, the ISO image is created on your desktop with the name DaRT8.ISO. +- **ISO image file** – used to deploy to CD or DVD, or for use in virtual machines (VM)s). The wizard requires that the ISO image have an .iso file name extension because most programs that burn a CD or DVD require that extension. If you do not specify a different location, the ISO image is created on your desktop with the name DaRT8.ISO. - **PowerShell script** – creates a DaRT recovery image with commands that provide essentially the same options that you can select by using the DaRT Recovery Image wizard. The script also enables you to add or changes files in the DaRT recovery image. diff --git a/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md b/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md index ed35926a8b..e9c656984d 100644 --- a/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md +++ b/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md @@ -89,6 +89,14 @@ You can use your preferred method to view WMI. If you use PowerShell, run `gwmi

14

AutoUnlock unsafe unless the OS volume is encrypted.

+ +

15

+

Policy requires minimum cypher strength is XTS-AES-128 bit, actual cypher strength is weaker than that.

+ + +

16

+

Policy requires minimum cypher strength is XTS-AES-256 bit, actual cypher strength is weaker than that.

+ diff --git a/windows/access-protection/credential-guard/additional-mitigations.md b/windows/access-protection/credential-guard/additional-mitigations.md index fe6a8ad882..b51485e74c 100644 --- a/windows/access-protection/credential-guard/additional-mitigations.md +++ b/windows/access-protection/credential-guard/additional-mitigations.md @@ -1,6 +1,6 @@ --- -title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10) -description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10. +title: Additional mitigations +description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -11,11 +11,11 @@ author: brianlic-msft ## Additional mitigations -Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. +Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. ### Restricting domain users to specific domain-joined devices -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. 
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. #### Kerberos armoring 
@@ -25,11 +25,11 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, - Users need to be in domains that are running Windows Server 2012 R2 or higher - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. +- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. #### Protecting domain-joined device secrets -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. 
This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: - Devices' accounts are in Windows Server 2012 domain functional level or higher. @@ -59,7 +59,7 @@ For example, let's say you wanted to use the High Assurance policy only on these 8. Under **Issuance Policies**, click**High Assurance**. 9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. -Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. +Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created. **Enrolling devices in a certificate** @@ -126,7 +126,7 @@ Authentication policies have the following requirements: To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. -To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). +To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx). ### Appendix: Scripts 
@@ -607,6 +607,6 @@ write-host $tmp -Foreground Red ## See also -**Deep Dive into Credential Guard: Related videos** +**Deep Dive into Windows Defender Credential Guard: Related videos** -[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) +[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md index 482e4b2c85..185eecd968 100644 --- a/windows/access-protection/credential-guard/credential-guard-considerations.md +++ b/windows/access-protection/credential-guard/credential-guard-considerations.md @@ -1,6 +1,6 @@ --- -title: Considerations when using Credential Guard (Windows 10) -description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10. +title: Considerations when using Windows Defender Credential Guard (Windows 10) +description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows 10. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -9,35 +9,35 @@ ms.localizationpriority: high author: brianlic-msft --- -# Considerations when using Credential Guard +# Considerations when using Windows Defender Credential Guard **Applies to** - Windows 10 - Windows Server 2016 -Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) -in the Deep Dive into Credential Guard video series. +Prefer video? See [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) +in the **Deep Dive into Windows Defender Credential Guard** video series. -- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. -- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. 
-- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. +- Passwords are still weak so we recommend that your organization deploy Windows Defender Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. +- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Windows Defender Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. +- As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. 
For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Windows Defender Credential Guard running. -- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: +- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. - - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. 
+ - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Windows Defender Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you won't be able to restore those credentials. + - Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. ## Wi-fi and VPN Considerations -When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. +When you enable Windows Defender Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. ## Kerberos Considerations -When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. +When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. 
## See also -**Deep Dive into Credential Guard: Related videos** +**Deep Dive into Windows Defender Credential Guard: Related videos** [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474) diff --git a/windows/access-protection/credential-guard/credential-guard-how-it-works.md b/windows/access-protection/credential-guard/credential-guard-how-it-works.md index 45c936d341..77e7afc566 100644 --- a/windows/access-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/access-protection/credential-guard/credential-guard-how-it-works.md @@ -1,6 +1,6 @@ --- -title: How Credential Guard works -description: Using virtualization-based security, Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them. +title: How Windows Defender Credential Guard works +description: Using virtualization-based security, Windows Defender Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -9,36 +9,35 @@ ms.localizationpriority: high author: brianlic-msft --- -# How Credential Guard works +# How Windows Defender Credential Guard works **Applies to** - Windows 10 - Windows Server 2016 -Prefer video? See [Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the Deep Dive into Credential Guard video series. +Prefer video? See [Windows Defender Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the **Deep Dive into Windows Defender Credential Guard** video series. - -Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. 
LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. +When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Windows Defender Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. -When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. 
+When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. Here's a high-level overview on how the LSA is isolated by using virtualization-based security: -![Credential Guard overview](images/credguard.png) +![Windows Defender Credential Guard overview](images/credguard.png)
## See also -**Deep Dive into Credential Guard: Related videos** +**Deep Dive into Windows Defender Credential Guard: Related videos** [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474) -[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) \ No newline at end of file +[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) \ No newline at end of file diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md index 2241fb465d..9e81fbf823 100644 --- a/windows/access-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md @@ -1,6 +1,6 @@ --- -title: Credential Guard Known issues (Windows 10) -description: Credential Guard - Known issues in Windows 10 Enterprise +title: Windows Defender Credential Guard - Known issues (Windows 10) +description: Windows Defender Credential Guard - Known issues in Windows 10 Enterprise ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -9,22 +9,22 @@ ms.localizationpriority: high author: brianlic-msft --- -# Credential Guard: Known issues +# Windows Defender Credential Guard: Known issues **Applies to** - Windows 10 - Windows Server 2016 -Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). +Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: -- [KB4015217 Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) +- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) This issue can potentially lead to unexpected account lockouts. 
See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221) -- [KB4033236 Two incorrect logon attempts sent to Active Directory after Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) +- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems: 
@@ -37,29 +37,28 @@ The following known issues have been fixed by servicing releases made available The following issue affects the Java GSS API. See the following Oracle bug database article: -- [JDK-8161921: Windows 10 Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) - -When Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). +- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) +When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). The following issue affects Cisco AnyConnect Secure Mobility Client: -- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* +- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* *Registration required to access this article. 
The following issue affects McAfee Application and Change Control (MACC): -- [KB88869 Windows 10 machines exhibit high CPU sage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1] +- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1] The following issue affects AppSense Environment Manager. For further information, see the following Knowledge Base article: -- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \** +- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \** The following issue affects Citrix applications: -- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled. [1] +- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1] -[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article: +[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. 
For technical and troubleshooting information, see the following Microsoft Knowledge Base article: - [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786) 
@@ -74,23 +73,23 @@ For further technical information on LSAISO.exe, see the MSDN article: [Isolated See the following article on Citrix support for Secure Boot: - [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) -Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions: +Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions: -- For Credential Guard on Windows 10 with McAfee Encryption products, see: -[Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009) +- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see: +[Support for Windows Defender Device Guard and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009) -- For Credential Guard on Windows 10 with Check Point Endpoint Security Client, see: -[Check Point Endpoint Security Client support for Microsoft Windows 10 Credential Guard and Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) +- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see: +[Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Windows Defender Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) -- For Credential Guard on Windows 10 with VMWare Workstation -[Windows 10 host fails when running VMWare Workstation when Credential Guard is 
enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361) +- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation +[Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361) -- For Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad -[ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039) +- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad +[ThinkPad support for Windows Defender Device Guard and Windows Defender Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039) -- For Credential Guard on Windows 10 with Symantec Endpoint Protection -[Windows 10 with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) +- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection +[Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) - This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Credential guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Credential Guard. + This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. 
Specific computer system models may be incompatible with Windows Defender Credential Guard. Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. \ No newline at end of file diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md index 79307f8a3e..46fce57a6e 100644 --- a/windows/access-protection/credential-guard/credential-guard-manage.md +++ b/windows/access-protection/credential-guard/credential-guard-manage.md @@ -1,6 +1,6 @@ --- -title: Manage Credential Guard (Windows 10) -description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool. +title: Manage Windows Defender Credential Guard (Windows 10) +description: Deploying and managing Windows Defender Credential Guard using Group Policy, the registry, or the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -9,38 +9,38 @@ ms.localizationpriority: high author: brianlic-msft --- -# Manage Credential Guard +# Manage Windows Defender Credential Guard **Applies to** - Windows 10 - Windows Server 2016 -Prefer video? See [Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Credential Guard video series. +Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series. -## Enable Credential Guard -Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. -The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines. +## Enable Windows Defender Credential Guard +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. -### Enable Credential Guard by using Group Policy +### Enable Windows Defender Credential Guard by using Group Policy -You can use Group Policy to enable Credential Guard. 
This will add and enable the virtualization-based security features for you if needed. +You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed. -1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. +1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Windows Defender Device Guard**. 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. 3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. -4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**. +4. In the **Windows Defender Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. - ![Credential Guard Group Policy setting](images/credguard-gp.png) + ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp.png) 5. Close the Group Policy Management Console. To enforce processing of the group policy, you can run ```gpupdate /force```. -### Enable Credential Guard by using the registry +### Enable Windows Defender Credential Guard by using the registry -If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. +If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. 
Windows Defender Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. #### Add the virtualization-based security features @@ -49,7 +49,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). > [!NOTE] -If you enable Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. +If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.   **Add the virtualization-based security features by using Programs and Features** 
@@ -75,46 +75,46 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. -#### Enable virtualization-based security and Credential Guard +#### Enable virtualization-based security and Windows Defender Credential Guard 1. Open Registry Editor. 2. Enable virtualization-based security: - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. -3. Enable Credential Guard: +3. Enable Windows Defender Credential Guard: - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. + - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. 4. Close Registry Editor. > [!NOTE] -> You can also enable Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. +> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. 
-### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool +### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool -You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). +You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot ``` -### Review Credential Guard performance +### Review Windows Defender Credential Guard performance -**Is Credential Guard running?** +**Is Windows Defender Credential Guard running?** -You can view System Information to check that Credential Guard is running on a PC. +You can view System Information to check that Windows Defender Credential Guard is running on a PC. 1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. 2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. +3. Confirm that **Windows Defender Credential Guard** is shown next to **Windows Defender Device Guard Security Services Running**. Here's an example: ![System Information](images/credguard-msinfo32.png) -You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). +You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` DG_Readiness_Tool_v3.2.ps1 -Ready 
@@ -124,24 +124,24 @@ DG_Readiness_Tool_v3.2.ps1 -Ready For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features. -- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain. +- If Windows Defender Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Windows Defender Credential Guard should be enabled before the PC is joined to a domain. -- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 - - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. +- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: + - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0 + - The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it’s not configured to run. - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. - - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. 
- - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard. + - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] + - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. -## Disable Credential Guard +## Disable Windows Defender Credential Guard -If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). +If you have to disable Windows Defender Credential Guard on a PC, you can use the following set of procedures, or you can [use the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). -1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). +1. 
If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Windows Defender Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity @@ -150,7 +150,7 @@ If you have to disable Credential Guard on a PC, you can use the following set o > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -3. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: +3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ``` syntax mountvol X: /s 
@@ -171,26 +171,26 @@ If you have to disable Credential Guard on a PC, you can use the following set o ``` 2. Restart the PC. -3. Accept the prompt to disable Credential Guard. -4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. +3. Accept the prompt to disable Windows Defender Credential Guard. +4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. > [!NOTE] -> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS -For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). +For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 
-#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool +#### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool -You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). +You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot ``` -#### Disable Credential Guard for a virtual machine +#### Disable Windows Defender Credential Guard for a virtual machine -From the host, you can disable Credential Guard for a virtual machine: +From the host, you can disable Windows Defender Credential Guard for a virtual machine: ``` PowerShell Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true diff --git a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md index 3d3e584993..40cba9bb70 100644 --- a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -1,6 +1,6 @@ --- -title: Credential Guard protection limits (Windows 10) -description: Scenarios not protected by Credential Guard in Windows 10. +title: Windows Defender Credential Guard protection limits (Windows 10) +description: Scenarios not protected by Windows Defender Credential Guard in Windows 10. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -9,38 +9,38 @@ ms.localizationpriority: high author: brianlic-msft --- -# Credential Guard protection limits +# Windows Defender Credential Guard protection limits **Applies to** - Windows 10 - Windows Server 2016 -Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) -in the Deep Dive into Credential Guard video series. +Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) +in the Deep Dive into Windows Defender Credential Guard video series. -Some ways to store credentials are not protected by Credential Guard, including: +Some ways to store credentials are not protected by Windows Defender Credential Guard, including: - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. +- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. - Key loggers - Physical attacks - Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. 
We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. - Third-party security packages - Digest and CredSSP credentials - - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. + - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. - Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- -- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. - Windows logon cached password verifiers (commonly called "cached credentials") do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. 
## Additional mitigations -Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. +Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. ### Restricting domain users to specific domain-joined devices -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. 
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. #### Kerberos armoring 
@@ -50,11 +50,11 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, - Users need to be in domains that are running Windows Server 2012 R2 or higher - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. +- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. #### Protecting domain-joined device secrets -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. 
This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: - Devices' accounts are in Windows Server 2012 domain functional level or higher. @@ -84,7 +84,7 @@ For example, let's say you wanted to use the High Assurance policy only on these 8. Under **Issuance Policies**, click**High Assurance**. 9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. -Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. +Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created. **Enrolling devices in a certificate** @@ -636,6 +636,6 @@ write-host $tmp -Foreground Red ## See also -**Deep Dive into Credential Guard: Related videos** +**Deep Dive into Windows Defender Credential Guard: Related videos** -[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) +[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) diff --git a/windows/access-protection/credential-guard/credential-guard-protection-limits.md b/windows/access-protection/credential-guard/credential-guard-protection-limits.md index 5cdc85cd2c..4d45a1518b 100644 --- a/windows/access-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/access-protection/credential-guard/credential-guard-protection-limits.md 
@@ -1,6 +1,6 @@ --- -title: Credential Guard protection limits (Windows 10) -description: Scenarios not protected by Credential Guard in Windows 10. +title: Windows Defender Credential Guard protection limits (Windows 10) +description: Scenarios not protected by Windows Defender Credential Guard in Windows 10. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -9,33 +9,33 @@ ms.localizationpriority: high author: brianlic-msft --- -# Credential Guard protection limits +# Windows Defender Credential Guard protection limits **Applies to** - Windows 10 - Windows Server 2016 -Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) -in the Deep Dive into Credential Guard video series. +Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) +in the Deep Dive into Windows Defender Credential Guard video series. -Some ways to store credentials are not protected by Credential Guard, including: +Some ways to store credentials are not protected by Windows Defender Credential Guard, including: - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. +- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. - Key loggers - Physical attacks - Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. 
We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. - Third-party security packages - Digest and CredSSP credentials - - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. + - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. - Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- -- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. - Windows logon cached password verifiers (commonly called "cached credentials") do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. 
## See also -**Deep Dive into Credential Guard: Related videos** +**Deep Dive into Windows Defender Credential Guard: Related videos** -[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) +[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md index 443e6e1167..0f1c09fb9e 100644 --- a/windows/access-protection/credential-guard/credential-guard-requirements.md +++ b/windows/access-protection/credential-guard/credential-guard-requirements.md @@ -1,6 +1,6 @@ --- -title: Credential Guard Requirements (Windows 10) -description: Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options. +title: Windows Defender Credential Guard Requirements (Windows 10) +description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -9,22 +9,22 @@ ms.localizationpriority: high author: brianlic-msft --- -# Credential Guard: Requirements +# Windows Defender Credential Guard: Requirements **Applies to** - Windows 10 - Windows Server 2016 Prefer video? See -[Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) -in the Deep Dive into Credential Guard video series. +[Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) +in the Deep Dive into Windows Defender Credential Guard video series. -For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). +For Windows Defender Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. 
We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). ## Hardware and software requirements -To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses: +To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: - Support for Virtualization-based security (required) - Secure boot (required) - TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) 
@@ -35,29 +35,29 @@ The Virtualization-based security requires: - CPU virtualization extensions plus extended page tables - Windows hypervisor -### Credential Guard deployment in virtual machines +### Windows Defender Credential Guard deployment in virtual machines Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host. -#### Requirements for running Credential Guard in Hyper-V virtual machines +#### Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/) -For information about Remote Credential Guard hardware and software requirements, see [Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements) +For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements) ## Application requirements -When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. 
Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. +When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. >[!WARNING] -> Enabling Credential Guard on domain controllers is not supported.
-> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. +> Enabling Windows Defender Credential Guard on domain controllers is not supported.
+> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. >[!NOTE] -> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). +> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). Applications will break if they require: - Kerberos DES encryption support 
@@ -70,20 +70,20 @@ Applications will prompt and expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 -Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. +Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process. -See this video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) +See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) ## Security considerations -All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. +All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard. Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
-> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
### Baseline protections @@ -94,10 +94,10 @@ The following tables describe baseline protections, plus protections for improve | Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

|Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.

|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | > [!IMPORTANT] -> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. +> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. ### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 diff --git a/windows/access-protection/credential-guard/credential-guard-scripts.md b/windows/access-protection/credential-guard/credential-guard-scripts.md index ec3e0f5c91..cd00d7fe8c 100644 --- a/windows/access-protection/credential-guard/credential-guard-scripts.md +++ b/windows/access-protection/credential-guard/credential-guard-scripts.md @@ -1,6 +1,6 @@ --- -title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10) -description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10. +title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows 10) +description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -9,7 +9,7 @@ ms.localizationpriority: high author: brianlic-msft --- -# Credential Guard: Scripts for Certificate Authority Issuance Policies +# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies Here is a list of scripts mentioned in this topic. 
diff --git a/windows/access-protection/credential-guard/credential-guard.md b/windows/access-protection/credential-guard/credential-guard.md index 6ce7661b47..56949895b5 100644 --- a/windows/access-protection/credential-guard/credential-guard.md +++ b/windows/access-protection/credential-guard/credential-guard.md @@ -1,6 +1,6 @@ --- -title: Protect derived domain credentials with Credential Guard (Windows 10) -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10) +description: Introduced in Windows 10 Enterprise, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 ms.prod: w10 ms.mktglfcycl: explore 
@@ -10,21 +10,21 @@ ms.localizationpriority: high author: brianlic-msft --- -# Protect derived domain credentials with Credential Guard +# Protect derived domain credentials with Windows Defender Credential Guard **Applies to** - Windows 10 - Windows Server 2016 -Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Credential Guard video series. +Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Windows Defender Credential Guard video series. -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. +Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. 
-By enabling Credential Guard, the following features and solutions are provided: +By enabling Windows Defender Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures.   ## Related topics 
@@ -33,7 +33,7 @@ By enabling Credential Guard, the following features and solutions are provided: - [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel) - [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert) - [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode) -- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) +- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) - [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382) - [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx) - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx) 
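Review bot: The Related topics entry changes the link text to "Protecting network passwords with Windows Defender Credential Guard" while the URL still reads Protecting-network-passwords-with-Windows-10-Credential-Guard, which is the IT Showcase article's own published title; renaming a cited external title makes the reference harder to match to its target, so leave that link text as it was. The same applies to the "Deep Dive into Windows Defender Credential Guard video series" wording introduced in the previous hunk, whose link still points at the deep-dive-into-credential-guard-16651 course slug: restrict the rename sweep to this document's own prose and keep external course and article titles as published.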
@@ -42,6 +42,6 @@ By enabling Credential Guard, the following features and solutions are provided: ## See also -**Deep Dive into Credential Guard: Related videos** +**Deep Dive into Windows Defender Credential Guard: Related videos** -[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) \ No newline at end of file +[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) \ No newline at end of file diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index b53a7213e7..f57a685f07 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md 
@@ -1,40 +1,40 @@ --- -title: Protect Remote Desktop credentials with Remote Credential Guard (Windows 10) -description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. +title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) +description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: brianlic-msft --- -# Protect Remote Desktop credentials with Remote Credential Guard +# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard **Applies to** - Windows 10 - Windows Server 2016 -Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device. +Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device. You can use Remote Credential Guard in the following ways: - Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device. 
-- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware. +- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Windows Defender Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware. -## Comparing Remote Credential Guard with a server protected with Credential Guard +## Comparing Windows Defender Remote Credential Guard with a server protected with Credential Guard -Use the following diagrams to help understand how Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection. +Use the following diagrams to help understand how Windows Defender Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection. -![Remote Credential Guard](images/remote-credential-guard.png) +![Windows Defender Remote Credential Guard](images/remote-credential-guard.png) -## Comparing Remote Credential Guard with other options for Remote Desktop connections +## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options Use the following table to compare different security options for Remote Desktop connections. > [!NOTE] > This table compares different options than are shown in the previous diagram. 
-| Remote Desktop | Remote Credential Guard | Restricted Admin mode | +| Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | |---|---|---| | Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. | | Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | 
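Review bot: The rename is applied unevenly in this hunk: the unchanged lines "You can use Remote Credential Guard in the following ways:" and "By using Remote Credential Guard to connect" keep the old name while the sentences around them are updated, and the heading "Comparing Windows Defender Remote Credential Guard with a server protected with Credential Guard" plus the paragraph under it keep plain "Credential Guard" even though credential-guard.md in this same commit renames that feature to "Windows Defender Credential Guard". Either finish the rename on every occurrence in the file or say in the commit message that running text deliberately keeps the short name; a half-applied rename reads as two different features.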
@@ -47,25 +47,25 @@ Use the following table to compare different security options for Remote Desktop ## Hardware and software requirements -To use Remote Credential Guard, the Remote Desktop client and server must meet the following requirements: +To use Windows Defender Remote Credential Guard, the Remote Desktop client and server must meet the following requirements: - In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703. > [!NOTE] > Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain. -- For Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication +- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. -- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard. +- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard. -## Enable Remote Credential Guard +## Enable Windows Defender Remote Credential Guard -You must enable Remote Credential Guard on the target device by using the registry. +You must enable Windows Defender Remote Credential Guard on the target device by using the registry. 1. Open Registry Editor. -2. Enable Remote Credential Guard: +2. 
Enable Windows Defender Remote Credential Guard: - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. - - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Remote Credential Guard. + - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard. 3. Close Registry Editor. You can add this by running the following from an elevated command prompt: 
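Review bot: Step 2 tells the reader to add DisableRestrictedAdmin with value 0 "to turn on Windows Defender Remote Credential Guard", but the value's name says it governs Restricted Admin mode, which the comparison table earlier on this page presents as a separate option with different protection and version requirements. State what the value actually controls on the target host (whether 0 enables both Restricted Admin mode and Remote Credential Guard, and what applies when the value is absent) so an administrator does not assume only one mode has been enabled. Minor: the bullet "the user must authenticate to the remote host using Kerberos authentication" lacks the terminating period the neighbouring bullets have.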
@@ -74,26 +74,26 @@ You can add this by running the following from an elevated command prompt: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD ``` -## Using Remote Credential Guard +## Using Windows Defender Remote Credential Guard -You can use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection. +You can use Windows Defender Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection. -### Turn on Remote Credential Guard by using Group Policy +### Turn on Windows Defender Remote Credential Guard by using Group Policy 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**. 2. Double-click **Restrict delegation of credentials to remote servers**. - ![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) + ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) 3. Under **Use the following restricted mode**: - - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used. + - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. 
In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. - > **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - - If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic. + - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic. - - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic. + - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic. 4. Click **OK**. 
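Review bot: The in-page link under "If you want to require Restricted Admin mode" still targets #comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections, but the earlier hunk retitles that heading to "Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options", so the generated anchor changes and this link will no longer resolve; update the fragment (and the link text, which here still quotes the old heading wording) to match the new heading. Separately, the bolded "Prefer Windows Defender Remote Credential Guard" and "Require Windows Defender Remote Credential Guard" are Group Policy UI labels under "Restrict delegation of credentials to remote servers", not the document's own prose; confirm the ADMX template really shows the new wording before changing them, because a reader searching the policy dialog for the bold label will otherwise not find it.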
@@ -102,26 +102,26 @@ You can use Remote Credential Guard on the client device by setting a Group Poli 6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied. -### Use Remote Credential Guard with a parameter to Remote Desktop Connection +### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection -If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection. +If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. ``` mstsc.exe /remoteGuard ``` -## Considerations when using Remote Credential Guard +## Considerations when using Windows Defender Remote Credential Guard -- Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied. +- Windows Defender Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied. -- Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory. +- Windows Defender Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory. - Remote Desktop Credential Guard only works with the RDP protocol. - No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own. -- Remote Desktop Gateway is not compatible with Remote Credential Guard. +- Remote Desktop Gateway is not compatible with Windows Defender Remote Credential Guard. 
- You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device. diff --git a/windows/access-protection/windows-firewall/basic-firewall-policy-design.md b/windows/access-protection/windows-firewall/basic-firewall-policy-design.md index bbc34eda26..e462485fa4 100644 --- a/windows/access-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/access-protection/windows-firewall/basic-firewall-policy-design.md 
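Review bot: The final consideration, "You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device", contradicts the requirements section above, which says that a client running at least Windows 10, version 1703 can connect using credentials other than the signed-in credentials; reconcile the two, for example by scoping this bullet to clients older than version 1703. In the same hunk, the bullet "Remote Desktop Credential Guard only works with the RDP protocol" uses a name that appears nowhere else on the page and was skipped by the rename; it should read "Windows Defender Remote Credential Guard" like the bullets around it.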
@@ -35,15 +35,15 @@ Many network administrators do not want to tackle the difficult task of determin With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. ->**Caution:**  Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. +>**Caution:**  Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft. -By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later. +By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later. -If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. +If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. -Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  
+Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  -An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation. +An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation. After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization. @@ -57,7 +57,7 @@ For more information about this design: - To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). diff --git a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 0c3612bef6..a5da7eb1c8 100644 --- a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md 
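Review bot: Within the first hunk the product is named three different ways on consecutive lines: "Windows Defender Firewall with Advanced Security" in the "turned on" sentence, "Windows Defender Firewall service" in the "turn off" sentence, and "the Windows Defender Firewall" in the third-party sentence, where the original consistently used "Windows Firewall with Advanced Security". Pick one form for the service and one for the snap-in and apply it throughout, since the caution line directly above uses the long form. While the third-party sentence is being rewritten anyway, also drop the duplicated word in "third-party party firewalls", which the rename carried over unchanged.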
+++ b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -49,4 +49,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. -**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) diff --git a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md index 6a1a244f5c..b1c4462af5 100644 --- a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md 
@@ -31,10 +31,10 @@ For more info about this design: - To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). - For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). -**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) +**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) diff --git a/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md index 747345df41..edc76c960f 100644 --- a/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md 
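Review bot: Both "Next:" lines touched in this file and the previous one keep the malformed bold markup "**Next: **": the space before the closing asterisks prevents the emphasis from rendering, so the literal asterisks appear in the output. Since the lines are being rewritten for the rename, move the space outside the markers, e.g. "**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)".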
@@ -29,9 +29,9 @@ In this topic: ## To convert a rule from request to require mode -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the navigation pane, click **Connection Security Rules**. +2. In the right navigation pane, click **Connection Security Rules**. 3. In the details pane, double-click the connection security rule that you want to modify. diff --git a/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index af8be53831..2688b42949 100644 --- a/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md 
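Review bot: Step 2 changes "In the navigation pane" to "In the right navigation pane", but Connection Security Rules is a node in the console tree, which the MMC shows on the left; the right-hand pane is the Actions pane and does not contain that node. The original wording was correct, so revert it or say "In the console tree (left pane)". Step 1's rewording also narrows the link so that "Open the Group Policy Management Console to" is no longer part of the link text even though that is the action the linked procedure describes; consider keeping the whole phrase linked.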
@@ -21,6 +21,6 @@ This checklist includes tasks for configuring a GPO with firewall defaults and s | Task | Reference | | - | - | -| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| -| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | -| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)| +| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| +| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | +| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)| diff --git a/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md index 207e94a1a5..bf5a3ef044 100644 --- a/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md 
@@ -25,7 +25,7 @@ For most GPO deployment tasks, you must determine which devices must receive and ## About exclusion groups -A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. +A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. 
To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. @@ -33,11 +33,11 @@ You can also use a membership group for one zone as an exclusion group for anoth | Task | Reference | | - | - | -| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| +| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| | Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | | If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | -| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | +| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a 
Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | \ No newline at end of file diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 0e170e2c53..64462fc07c 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -19,13 +19,13 @@ This parent checklist includes cross-reference links to important concepts about >**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).  **Checklist: Implementing a basic firewall policy design** | Task | Reference | | - | - | -| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| +| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| | Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 6a65e70ac2..6eafbc017b 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -23,7 +23,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | -| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | +| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | | Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 1c370cc0c7..4d8969d702 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md 
@@ -19,13 +19,13 @@ This parent checklist includes cross-reference links to important concepts about >**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. -The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). +The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). **Checklist: Implementing a domain isolation policy design** | Task | Reference | | - | - | -| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | | Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| | Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| | Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 533859a661..f05114fabb 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -25,7 +25,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | -| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | | Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| | Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| | Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/access-protection/windows-firewall/configure-authentication-methods.md b/windows/access-protection/windows-firewall/configure-authentication-methods.md index cee5bff4da..9b01cccb54 100644 --- a/windows/access-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/access-protection/windows-firewall/configure-authentication-methods.md 
@@ -26,15 +26,15 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure authentication methods** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. 4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: - 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default. + 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default. 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. diff --git a/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 4c7f4c94ea..53f6cd4935 100644 --- a/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md 
+++ b/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -23,9 +23,9 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure quick mode settings** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. diff --git a/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index dd11e2d12d..ceb70e603a 100644 --- a/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md 
@@ -23,9 +23,9 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure key exchange settings** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. diff --git a/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md index cdc97d2167..51751f2455 100644 --- a/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -19,7 +19,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To modify an authentication request rule to also require encryption** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. 
@@ -27,7 +27,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. -5. In the navigation pane, right-click **Windows Firewall with Advanced Security – LDAP://CN={***guid***}**, and then click **Properties**. +5. In the navigation pane, right-click **Windows Defender Firewall – LDAP://CN={***guid***}**, and then click **Properties**. 6. Click the **IPsec Settings** tab. 
@@ -42,11 +42,11 @@ To complete this procedure, you must be a member of the Domain Administrators gr 10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). **Note**   - Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. + Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. - Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell. + Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Defender Firewall user interface. Instead, you can create or modify the rules by using Windows PowerShell. - For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) + For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) 11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. 
diff --git a/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md index 086d294c27..435bb8f776 100644 --- a/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -1,6 +1,6 @@ --- -title: Configure the Windows Firewall Log (Windows 10) -description: Configure the Windows Firewall Log +title: Configure the Windows Defender Firewall Log (Windows 10) +description: Configure the Windows Defender Firewall Log ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 ms.prod: w10 ms.mktglfcycl: deploy @@ -10,13 +10,13 @@ ms.pagetype: security author: brianlic-msft --- -# Configure the Windows Firewall Log +# Configure the Windows Defender Firewall with Advanced Security Log **Applies to** - Windows 10 - Windows Server 2016 -To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. +To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. **Administrative credentials** 
@@ -24,13 +24,13 @@ To complete these procedures, you must be a member of the Domain Administrators In this topic: -- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log) +- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log) -## To configure the Windows Firewall log +## To configure the Windows Defender Firewall with Advanced Security log -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. 
@@ -40,14 +40,14 @@ In this topic: 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. - >**Important:**  The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. + >**Important:**  The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file. 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. 5. No logging occurs until you set one of following two options: - - To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. + - To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. - - To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**. + - To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**. 6. Click **OK** twice. diff --git a/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 057dd20255..4ca087720c 100644 --- a/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md 
+++ b/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -1,6 +1,6 @@ --- -title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10) -description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10) +description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b ms.prod: w10 ms.mktglfcycl: deploy @@ -9,13 +9,13 @@ ms.pagetype: security author: brianlic-msft --- -# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked **Applies to** - Windows 10 - Windows Server 2016 -To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. +To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. >**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. 
@@ -25,11 +25,11 @@ We recommend that you do not enable these settings until you have created and te To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules +## To configure Windows Defender Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. diff --git a/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index e48455f5e9..00b30c104b 100644 --- a/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md 
@@ -18,17 +18,16 @@ author: brianlic-msft In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. **Important**   -Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list. +Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Defender Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list.   - **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. **To create a rule that exempts specified hosts from authentication** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md index 42617dc699..2b9f10a74c 100644 --- a/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md 
+++ b/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md @@ -23,7 +23,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr To create the authentication request rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md index 83983389da..e9d89fe583 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. +To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. **Administrative credentials** 
@@ -29,7 +29,7 @@ This topic describes how to create a port rule that allows inbound ICMP network To create an inbound ICMP rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md index 212bf9a8fc..e7d860e7e1 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md @@ -15,7 +15,8 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. +To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall +with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. **Administrative credentials** 
@@ -29,7 +30,7 @@ This topic describes how to create a standard port rule for a specified protocol **To create an inbound port rule** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index 62c8e83e1b..73ff4dd9d1 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. +To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. >**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure. @@ -25,7 +25,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an inbound firewall rule for a program or service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. 
diff --git a/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md index 9a06f49266..5118794bc7 100644 --- a/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. +By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an outbound port rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. 
@@ -37,7 +37,7 @@ To create an outbound port rule 6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number. - If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. + If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. diff --git a/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index 2e7e5c2e1e..a45c1e27a4 100644 --- a/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. +By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an outbound firewall rule for a program or service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index a7cf60c649..b1042decfd 100644 --- a/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. +To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. **Administrative credentials** 
@@ -35,7 +35,7 @@ In this topic: ## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index df45d7bcb2..7f241a26ff 100644 --- a/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,6 +1,6 @@ --- -title: Designing a Windows Firewall with Advanced Security Strategy (Windows 10) -description: Designing a Windows Firewall with Advanced Security Strategy +title: Designing a Windows Defender Firewall with Advanced Security Strategy (Windows 10) +description: Designing a Windows Defender Firewall Strategy ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Designing a Windows Firewall with Advanced Security Strategy +# Designing a Windows Defender Firewall with Advanced Security Strategy **Applies to** - Windows 10 diff --git a/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index 01ed85051c..9bf8f022de 100644 
--- a/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -136,4 +136,4 @@ With the other information that you have gathered in this section, this informat The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. -**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) +**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/access-protection/windows-firewall/documenting-the-zones.md b/windows/access-protection/windows-firewall/documenting-the-zones.md index 9c120835e8..626dcb014a 100644 --- a/windows/access-protection/windows-firewall/documenting-the-zones.md +++ b/windows/access-protection/windows-firewall/documenting-the-zones.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: +Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: | Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | | - | - | - | - | - | - | diff --git a/windows/access-protection/windows-firewall/domain-isolation-policy-design.md b/windows/access-protection/windows-firewall/domain-isolation-policy-design.md index 6f15c8338f..c574eb7ab3 100644 --- a/windows/access-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/domain-isolation-policy-design.md 
@@ -55,7 +55,7 @@ For more info about this design: - To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). -- Before completing the design, gather the info described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the info described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). diff --git a/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md index 59e8325dac..7533422632 100644 --- a/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To deploy predefined firewall rules that allow inbound network traffic for common network functions -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. 
diff --git a/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md index 137de67aa2..a21658eba7 100644 --- a/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** 
@@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To deploy predefined firewall rules that block outbound network traffic for common network functions -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. diff --git a/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index c7fe4f7637..46b8f6f71f 100644 --- a/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,6 +1,6 @@ --- -title: Evaluating Windows Firewall with Advanced Security Design Examples (Windows 10) -description: Evaluating Windows Firewall with Advanced Security Design Examples +title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10) +description: Evaluating Windows Defender Firewall with Advanced Security Design Examples ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,15 +9,15 @@ ms.pagetype: security author: brianlic-msft --- -# Evaluating Windows Firewall with Advanced Security Design Examples +# Evaluating Windows Defender Firewall with Advanced Security Design Examples **Applies to** - Windows 10 - Windows Server 2016 -The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. +The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. -- [Firewall Policy Design Example](firewall-policy-design-example.md) +- [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md) - [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) diff --git a/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md index 21100a9674..59b17edc20 100644 --- a/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md 
@@ -23,8 +23,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr To exempt ICMP network traffic from authentication -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. On the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**. diff --git a/windows/access-protection/windows-firewall/firewall-policy-design-example.md b/windows/access-protection/windows-firewall/firewall-policy-design-example.md index 8dad2b48f7..c78fdb7508 100644 --- a/windows/access-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/access-protection/windows-firewall/firewall-policy-design-example.md 
@@ -25,7 +25,7 @@ A key line-of-business program called WGBank consists of a client program runnin ## Design requirements -The network administrators want to implement Windows Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. +The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. The following illustration shows the traffic protection needs for this design example. 
@@ -82,7 +82,7 @@ The following groups were created by using the Active Directory Users and Comput The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. - - Client devices receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. + - Client devices receive a GPO that configures Windows Defender Firewall to enforce the default Windows Defender Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. 
- Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices. 
@@ -90,15 +90,15 @@ The following groups were created by using the Active Directory Users and Comput - **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. -- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. 
Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. - **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Defender Firewall with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. 
Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 0c507fdc73..fdbe2852e0 100644 --- a/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: +Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: - **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation. 
@@ -27,6 +27,6 @@ Active Directory is another important item about which you must gather informati - **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices. -- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. +- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. **Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md) 
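Review bot: the touched sentence is self-contradictory before and after the rename: "Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows" says that rules for pre-Vista systems are incompatible with pre-Vista systems. The sentence that follows, about existing policies on Windows XP and Windows Server 2003, indicates the intended meaning is that connection security rules for Windows Vista / Windows Server 2008 and later are not compatible with earlier versions; since the line is being rewritten anyway, correct the wording instead of carrying the error forward. While in this file, `**Next: **[Gathering Information about Your Devices](…)` has a space inside the closing `**`, which stops the bold from rendering; the `**Next:** [...]` form used in the Identifying topic later in this change is the correct one.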
diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 67dcea5661..46a4a1d89c 100644 --- a/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: +Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: - **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them. 
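Review bot: the rewritten paragraph names the product two different ways within three sentences ("Windows Defender Firewall with Advanced Security deployment" and then "Windows Defender Firewall solution"); pick one form for the rename and use it throughout the file. The same line keeps two subject-verb errors that are worth fixing while it is touched: "Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort" (the singular subject "Understanding" takes "is"), and "accurately documenting the following components are important" (should be "is important").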
@@ -31,7 +31,7 @@ The goal is to have enough information to be able to identify an asset by its ne Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation. -This guidance helps obtain the most relevant information for planning Windows Firewall with Advanced Security implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. +This guidance helps obtain the most relevant information for planning Windows Defender Firewall implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. ## Network segmentation @@ -100,7 +100,7 @@ When you examine traffic flow, look closely at how all managed and unmanaged dev - How do servers and clients communicate with each other? -- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. +- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Defender Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. Some of the more common applications and protocols are as follows: 
@@ -108,6 +108,6 @@ Some of the more common applications and protocols are as follows: - **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. -- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. +- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. **Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md index 3643e51814..cdb060488d 100644 
--- a/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md @@ -49,6 +49,6 @@ You can use Windows PowerShell to create a script file that can collect the syst Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory. -This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design. +This inventory will be critical for planning and implementing your Windows Defender Firewall design. **Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md) diff --git a/windows/access-protection/windows-firewall/gathering-other-relevant-information.md b/windows/access-protection/windows-firewall/gathering-other-relevant-information.md index 85e9be98dc..f66f69ec44 100644 --- a/windows/access-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/access-protection/windows-firewall/gathering-other-relevant-information.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. +This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. ## Capacity considerations 
@@ -35,7 +35,7 @@ Because IPsec uses mathematically intensive cryptographic techniques, it can con ## Group Policy deployment groups and WMI filters -You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. +You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Defender Firewall GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. ## Different Active Directory trust environments diff --git a/windows/access-protection/windows-firewall/gathering-the-information-you-need.md b/windows/access-protection/windows-firewall/gathering-the-information-you-need.md index a11fbf67c8..6955fdcf1b 100644 --- a/windows/access-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/access-protection/windows-firewall/gathering-the-information-you-need.md 
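Review bot: the last sentence of the rewritten paragraph, "It is not necessary to use this technique if your network consists of devices.", is incomplete in both the old and the new text (every network consists of devices); the condition under which WMI filtering is unnecessary is missing, so it should be restored from the source material rather than shipped as is. Also, "organization unit (OU)" should be "organizational unit (OU)", which is the spelling the Active Directory topic in this same change uses.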
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. +Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. Review each of the following topics for guidance about the kinds of information that you must gather: diff --git a/windows/access-protection/windows-firewall/gpo-domiso-boundary.md b/windows/access-protection/windows-firewall/gpo-domiso-boundary.md index 00fb043b7a..f608fcdc53 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-boundary.md 
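Review bot: "problems can occur when devices and devices that were not considered during the planning phase are encountered" repeats "devices", most likely a leftover from an earlier computers-to-devices edit; since the line is being changed anyway, drop the duplicate: "when devices that were not considered during the planning phase are encountered during implementation".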
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-encryption.md b/windows/access-protection/windows-firewall/gpo-domiso-encryption.md index b5d3c6801e..b86a8385ac 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-encryption.md 
@@ -12,7 +12,7 @@ ms.pagetype: security # GPO\_DOMISO\_Encryption\_WS2008 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-firewall.md b/windows/access-protection/windows-firewall/gpo-domiso-firewall.md index d1349941e1..fea48288ad 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-firewall.md @@ -15,7 +15,8 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. +This GPO is authored by using the Windows Defender Firewall +with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. ## Firewall settings 
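Review bot: the gpo-domiso-firewall hunk (@@ -15,7 +15,8) splits the first paragraph across two source lines, "+This GPO is authored by using the Windows Defender Firewall" and "+with Advanced Security interface in the Group Policy editing tools. …", which is why the hunk grows by one line. Markdown still renders this as a single paragraph, but every sibling GPO topic in this change keeps the sentence on one line; join the two lines for consistency and cleaner future diffs.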
@@ -53,7 +54,7 @@ This GPO provides the following rules: - Remote Volume Management - - Windows Firewall Remote Management + - Windows Defender Firewall Remote Management - Windows Management Instrumentation (WMI) diff --git a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index a6ab80ad09..6e47c03677 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index 91cd4e3890..6270e8529e 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md 
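Review bot: "Windows Defender Firewall Remote Management" in the rules list is the display name of a predefined rule group, not descriptive prose, and the same file states that the GPO "is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008". Verify that the predefined group is actually displayed under this name on every OS version the GPO targets before renaming it here; a label the console does not show sends administrators looking for a group that does not exist. If the name differs by version, keep the original and mention the newer one alongside it.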
@@ -15,9 +15,9 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. +This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. -Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: +Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Defender Firewall piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: - This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). diff --git a/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 092982bd0a..96bd9ea465 100644 
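Review bot: this servers topic is changed to "the Windows Defender Firewall interface in the Group Policy editing tools", while the sibling clients topic in this same change says "the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools". The snap-in has one name; use the same form in both topics, and in the export/import sentence below it ("exporting the Windows Defender Firewall piece of the GPO"), which currently also uses the short form.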
--- a/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,6 +1,6 @@ --- -title: Identifying Your Windows Firewall with Advanced Security Deployment Goals (Windows 10) -description: Identifying Your Windows Firewall with Advanced Security Deployment Goals +title: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals (Windows 10) +description: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,52 +9,21 @@ ms.pagetype: security author: brianlic-msft --- -# Identifying Your Windows Firewall with Advanced Security Deployment Goals +# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals **Applies to** - Windows 10 - Windows Server 2016 -Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. +Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios. -The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Firewall with Advanced Security deployment goals. +The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals: - ---- - - - - - - - - - - - - - - - - - - - - -
Deployment goal tasksReference links

Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.

Predefined deployment goals:

-
    -
  • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)

  • -
  • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)

  • -
  • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

  • -
  • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)

  • -

Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design.

    -
  • [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)

  • -

Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan.

    -
  • [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

  • -
  • [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)

  • -
+| Deployment goal tasks | Reference links | +| --- | --- | +| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals:

  • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
  • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
  • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
  • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
+| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. |
  • [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
  • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
  • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
+
-**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) +**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) diff --git a/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 6099d183c9..63e24245d4 100644 --- a/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,6 +1,6 @@ --- -title: Implementing Your Windows Firewall with Advanced Security Design Plan (Windows 10) -description: Implementing Your Windows Firewall with Advanced Security Design Plan +title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10) +description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.prod: w10 ms.mktglfcycl: deploy 
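Review bot: the replacement markdown table in identifying-your-windows-firewall-with-advanced-security-deployment-goals.md will not render as a table: GFM table rows must be single lines, but the "Reference links" cells span several lines ("Predefined deployment goals:" followed by lines starting with "•" that carry no pipes), and the last row ends without a closing `|`. Put each cell's list on the row itself, separating the items with `<br>` and writing them as links, e.g. `| Evaluate predefined … | Predefined deployment goals:<br>[Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)<br>[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)<br>… |`, or drop the table and use a short heading plus bullet list per task. Two smaller points in the same hunk: the link text "Planning Your Windows Defender Firewall Design with Advanced Security" reorders the original title ("Planning Your Windows Firewall with Advanced Security Design"), so it should read "Planning Your Windows Defender Firewall with Advanced Security Design" to match the target topic; and the intro paragraph switches between "Windows Defender Firewall with Advanced Security deployment goals" and "Windows Defender Firewall design project" within a single paragraph, which the rename should settle one way or the other.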
@@ -9,15 +9,15 @@ ms.pagetype: security author: brianlic-msft --- -# Implementing Your Windows Firewall with Advanced Security Design Plan +# Implementing Your Windows Defender Firewall with Advanced Security Design Plan **Applies to** - Windows 10 - Windows Server 2016 -The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: +The following are important factors in the implementation of your Windows Defender Firewall design plan: -- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. +- **Group Policy**. The Windows Defender Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. - **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone. 
@@ -27,14 +27,14 @@ The following are important factors in the implementation of your Windows Firewa - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design. -## How to implement your Windows Firewall with Advanced Security design using this guide +## How to implement your Windows Defender Firewall with Advanced Security design using this guide The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design. ![wfas implementation](images/wfas-implement.gif) -Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design. +Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design. - [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) 
@@ -44,4 +44,4 @@ Use the following parent checklists in this section of the guide to become famil - [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) -The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). +The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). diff --git a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md index 9743da28c0..a488a96fe2 100644 
--- a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md 
@@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. +When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access. 
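Review bot: the rewritten sentence in this hunk still carries the pre-existing subject mismatch "You can then customize the firewall configuration to further fine-tune this access if they desire more control"; since the line is being replaced anyway, make it "if you want more control over the network access for the app".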
@@ -54,7 +54,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d - Your Windows Store app is installed on the client device. -- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Firewall rules. +- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Defender Firewall rules. >**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). @@ -134,9 +134,9 @@ The following table provides a complete list of the possible app capabilities. | **Webcam** | webcam| Provides access to the webcam's video feed.| | **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.| -You can create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. +You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. -For example, you could create a Windows Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. +For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. **To block Internet access for any apps on your network that have the Documents Library capability** 
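Review bot: the product name is applied inconsistently within this one topic: the hunk at line 14 writes the full "Windows Defender Firewall with Advanced Security", while the hunks at lines 54 and 134 write "Windows Defender Firewall rules" and "Windows Defender Firewall policy". A reader cannot tell whether the short form means the Control Panel firewall or the Advanced Security console that the procedures actually use, so pick one form (the full name on first use, a single agreed short form after that) and apply it to every occurrence in the file.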
@@ -148,7 +148,7 @@ For example, you could create a Windows Firewall policy to block Internet access 4. Right-click the new GPO, and then click **Edit**. -5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and click **Windows Firewall with Advanced Security – LDAP://…** +5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall – LDAP://…** 6. Right-click **Outbound Rules**, and then click **New Rule**. @@ -206,7 +206,7 @@ Use the following procedure if you want to block intranet access for a specific 4. Right-click your new GPO, and then click **Edit**. -5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then click **Windows Firewall with Advanced Security – LDAP://**… +5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall – LDAP://**… 6. Right-click **Outbound Rules**, and then click **New Rule**. @@ -246,4 +246,4 @@ Use the following procedure if you want to block intranet access for a specific ## See also -- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) +- [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) 
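Review bot: the two step-5 instructions in this file now disagree about the same console tree. The hunk at line 148 says expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall – LDAP://…**, while the hunk at line 206 says expand **Windows Defender Firewall**, and then click **Windows Defender Firewall – LDAP://**… (the ellipsis is inside the bold in one and outside in the other). Only one set of labels can match what the Group Policy Management Editor shows under Security Settings; check the live console and use the identical node names, and the identical formatting, in both procedures.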
diff --git a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 9712af0076..59c2f98643 100644 --- a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,6 +1,6 @@ --- -title: Open the Group Policy Management Console to Windows Firewall (Windows 10) -description: Open the Group Policy Management Console to Windows Firewall +title: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security (Windows 10) +description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,13 +9,13 @@ ms.pagetype: security author: brianlic-msft --- -# Open the Group Policy Management Console to Windows Firewall +# Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -To open a GPO to Windows Firewall +To open a GPO to Windows Defender Firewall: 1. Open the Active Directory Users and Computers console. @@ -23,4 +23,4 @@ To open a GPO to Windows Firewall 3. Click the **Group Policy** tab, select your GPO, and then click **Edit**. -4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Firewall**. +4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**. \ No newline at end of file 
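Review bot: the title and H1 are renamed to "Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security", but the procedure still navigates to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**, which is the Administrative Templates policy node, not the Advanced Security snap-in under Security Settings. Either keep the title as "Open the Group Policy Management Console to Windows Defender Firewall" to match step 4, or change step 4 to the Security Settings path; and confirm that the node under Network Connections is really labelled "Windows Defender Firewall" in the ADMX templates this guide targets, since step 4 simply substitutes the new name into the old path.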
diff --git a/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 8f20a73c1c..5cfa7929ea 100644 --- a/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- -title: Open Windows Firewall with Advanced Security (Windows 10) -description: Open Windows Firewall with Advanced Security +title: Open Windows Defender Firewall with Advanced Security (Windows 10) +description: Open Windows Defender Firewall with Advanced Security ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,29 +9,29 @@ ms.pagetype: security author: brianlic-msft --- -# Open Windows Firewall with Advanced Security +# Open Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -This procedure shows you how to open the Windows Firewall with Advanced Security console. +This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. **Administrative credentials** To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations. -## Opening Windows Firewall with Advanced Security +## Opening Windows Defender Firewall - [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui) - [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt) -## To open Windows Firewall with Advanced Security using the UI +## To open Windows Defender Firewall using the UI -Click Start, type **Windows Firewall with Advanced Security**, and the press ENTER. +Click Start, type **Windows Defender Firewall**, and the press ENTER. -## To open Windows Firewall with Advanced Security from a command prompt +## To open Windows Defender Firewall from a command prompt 1. Open a command prompt window. @@ -43,4 +43,4 @@ Click Start, type **Windows Firewall with Advanced Security**, and the press ENT **Additional considerations** -Although standard users can start the Windows Firewall with Advanced Security MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. +Although standard users can start the Windows Defender Firewall MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. 
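Review bot: the headings "## To open Windows Defender Firewall using the UI" and "## To open Windows Defender Firewall from a command prompt" are renamed, but the two in-page links just above them still target #to-open-windows-firewall-with-advanced-security-using-the-ui and #to-open-windows-firewall-with-advanced-security-from-a-command-prompt, which no longer match the generated anchors and will dead-link; update the fragments to the new slugs. The Start search step was also shortened from the full product name to **Windows Defender Firewall**, which is the name of the Control Panel item rather than the Advanced Security console this topic is about; keep "with Advanced Security" in the search string so the right item is found. While this line is being touched, fix the pre-existing typo "and the press ENTER" to "and then press ENTER".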
diff --git a/windows/access-protection/windows-firewall/planning-gpo-deployment.md b/windows/access-protection/windows-firewall/planning-gpo-deployment.md index abdff4b8ca..78351be73b 100644 --- a/windows/access-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/access-protection/windows-firewall/planning-gpo-deployment.md 
@@ -41,11 +41,11 @@ After you have deployed your GPOs and added some test devices to the groups, con - Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt. -- Examine the rules deployed to the device. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. +- Examine the rules deployed to the device. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. -- Verify that communications are authenticated. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. +- Verify that communications are authenticated. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. -- Verify that communications are encrypted when the devices require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. +- Verify that communications are encrypted when the devices require it. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. - Verify that your programs are unaffected. Run them and confirm that they still work as expected. 
diff --git a/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index fdcf972088..506da52a87 100644 --- a/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -37,7 +37,7 @@ The following is a list of the firewall settings that you might consider for inc - **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot. -- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions. +- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Defender Firewall with Advanced Security service account has write permissions. - **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. 
diff --git a/windows/access-protection/windows-firewall/planning-the-gpos.md b/windows/access-protection/windows-firewall/planning-the-gpos.md index 84b3750822..83b84c2132 100644 --- a/windows/access-protection/windows-firewall/planning-the-gpos.md +++ b/windows/access-protection/windows-firewall/planning-the-gpos.md 
@@ -31,15 +31,17 @@ A few things to consider as you plan the GPOs: >**Caution:**  It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. -- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. +- Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. 
If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. - >**Note:**  Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. +*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10. + + > [!NOTE] + > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. 
After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. ## Woodgrove Bank example GPOs - The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. In this section you can find information about the following: diff --git a/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 8423e4b94f..3e0692fba7 100644 --- a/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- -title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10) -description: Planning to Deploy Windows Firewall with Advanced Security +title: Planning to Deploy Windows Defender Firewall with Advanced Security (Windows 10) +description: Planning to Deploy Windows Defender Firewall with Advanced Security ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.prod: w10 ms.mktglfcycl: deploy 
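Review bot: the asterisk footnote added in the planning-the-gpos.md hunk is historically wrong and inverts the rename. Windows Vista and Windows Server 2008 shipped "Windows Firewall with Advanced Security", never "Windows Defender Firewall", so "Windows Defender Firewall* in Windows Vista and Windows Server 2008" attributes the Windows 10 name to the older product, and the footnote "*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10" describes a rename that did not happen (the old name was Windows Firewall, the new one is Windows Defender Firewall). Suggest dropping the footnote and writing "Windows Firewall with Advanced Security (now Windows Defender Firewall with Advanced Security) in Windows Vista and Windows Server 2008". The bare `*` marker is also fragile Markdown: an unmatched `*` inside "Firewall* in" and a line beginning with `*Windows` are emphasis delimiters to the renderer, and the result depends on the renderer rather than on the author's intent.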
@@ -9,19 +9,19 @@ ms.pagetype: security author: brianlic-msft --- -# Planning to Deploy Windows Firewall with Advanced Security +# Planning to Deploy Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. +After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. -## Reviewing your Windows Firewall with Advanced Security Design +## Reviewing your Windows Defender Firewall with Advanced Security Design -If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: +If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. 
Review the following points: -- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: +- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide: - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) @@ -45,4 +45,4 @@ If the design team that created the Windows Firewall with Advanced Security desi If at least one set of each does not match between two devices, then the devices cannot successfully communicate. -After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). +After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). diff --git a/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 736612379f..28331f84ac 100644 --- a/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md 
+++ b/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,6 +1,6 @@ --- -title: Planning Your Windows Firewall with Advanced Security Design (Windows 10) -description: Planning Your Windows Firewall with Advanced Security Design +title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10) +description: Planning Your Windows Defender Firewall with Advanced Security Design ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Planning Your Windows Firewall with Advanced Security Design +# Planning Your Windows Defender Firewall with Advanced Security Design **Applies to** - Windows 10 @@ -76,7 +76,6 @@ When you are ready to examine the options for using certificate-based authentica ## Documenting your design - After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. - [Documenting the Zones](documenting-the-zones.md) diff --git a/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md index 7374820ed8..9d3f5fadb0 100644 --- a/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md 
@@ -35,11 +35,11 @@ The procedures in this section appear in the checklists found earlier in this do - [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) -- [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) +- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md) - [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) -- [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +- [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) - [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) 
@@ -79,14 +79,12 @@ The procedures in this section appear in the checklists found earlier in this do - [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) -- [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) +- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall.md) -- [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -- [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) +- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) - [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) -- [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) +- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) - [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) diff --git a/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 42da77aa05..1072f58a99 100644 --- a/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md 
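Review bot: this hunk removes the entry for open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md and relabels the remaining entry, which still links to open-the-group-policy-management-console-to-windows-firewall.md, as "Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security". Those are two different procedures (the Administrative Templates node versus the Security Settings snap-in), so the list now points the Advanced Security title at the Administrative Templates topic, and unless the -with-advanced-security.md topic is deleted or redirected elsewhere in this change it is left orphaned. Keep both entries with distinct names, or delete the file and add a redirect, but do not merge them by renaming a link.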
@@ -17,7 +17,7 @@ author: brianlic-msft The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. -For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. +For devices that share sensitive information over the network, Windows Defender Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. 
diff --git a/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index fa2225b9c4..4d303d685c 100644 --- a/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md 
@@ -17,7 +17,7 @@ author: brianlic-msft Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. -Windows Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). +Windows Defender Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. 
You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. @@ -41,4 +41,4 @@ The following components are required for this deployment goal: - **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. -**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) diff --git a/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index dc34b9ac84..c7e586ce8b 100644 --- a/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md 
@@ -17,7 +17,7 @@ author: brianlic-msft Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. -To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. +To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. 
Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. >**Note:**  Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. @@ -35,7 +35,7 @@ These goals, which correspond to [Domain Isolation Policy Design](domain-isolati - Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests. - For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required. + For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Defender Firewall settings for outbound network traffic allow this. No additional rules are required. These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices: diff --git a/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index 57d1bc1e9d..8323fcc41c 100644 --- a/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md 
@@ -27,7 +27,7 @@ To complete these procedures, you must be a member of the Domain Administrators ## To create a firewall rule that grants access to an isolated server -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. 2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**. diff --git a/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index c6875dfdd6..102a3a95f7 100644 --- a/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md 
@@ -133,11 +133,11 @@ Make sure that you install the required certificates on the participating comput Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: -**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** +**Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** -1. Open the Windows Firewall with Advanced Security console. +1. Open the Windows Defender Firewall with Advanced Security console. -2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. +2. In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. 3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile. @@ -177,7 +177,7 @@ You might not find the exact answer for the issue, but you can find good hints. ## See also -- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) +- [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md)   diff --git a/windows/access-protection/windows-firewall/server-isolation-policy-design.md b/windows/access-protection/windows-firewall/server-isolation-policy-design.md index de45c1b7c7..bd4d603e43 100644 --- a/windows/access-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/server-isolation-policy-design.md 
@@ -45,7 +45,7 @@ For more info about this design: - To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). diff --git a/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 618894db96..16618245b9 100644 --- a/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,6 +1,6 @@ --- -title: Turn on Windows Firewall and Configure Default Behavior (Windows 10) -description: Turn on Windows Firewall and Configure Default Behavior +title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows 10) +description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,23 +9,23 @@ ms.pagetype: security author: brianlic-msft --- -# Turn on Windows Firewall and Configure Default Behavior +# Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior **Applies to** - Windows 10 - Windows Server 2016 -To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. +To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## To enable Windows Firewall and configure the default behavior +## To enable Windows Defender Firewall and configure the default behavior -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. diff --git a/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 82f6355c8a..5fa4bdd089 100644 
--- a/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,6 +1,6 @@ --- -title: Understanding the Windows Firewall with Advanced Security Design Process (Windows 10) -description: Understanding the Windows Firewall with Advanced Security Design Process +title: Understanding the Windows Defender Firewall with Advanced Security Design Process (Windows 10) +description: Understanding the Windows Defender Firewall with Advanced Security Design Process ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,20 +8,20 @@ ms.pagetype: security author: brianlic-msft --- -# Understanding the Windows Firewall with Advanced Security Design Process +# Understanding the Windows Defender Firewall with Advanced Security Design Process Designing any deployment starts by performing several important tasks: -- [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +- [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +- [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -- [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) +- [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) -After you identify your deployment goals and map them to a Windows Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: +After you identify your deployment goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: -- [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +- [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) -- [Planning Your Windows 
Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) +- [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) -**Next:** [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +**Next:** [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) diff --git a/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 88ab773159..21a8dd0059 100644 --- a/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md 
@@ -27,15 +27,14 @@ In these procedures, you confirm that the rules you deployed are working correct >**Note:**  In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from . Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them. -  - **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## To verify that network connections are authenticated by using the Windows Firewall with Advanced Security console +## To verify that network connections are authenticated by using the Windows Defender Firewall with Advanced Security console -1. Open the Windows Firewall with Advanced Security console. +1. Open the Windows Defender Firewall with Advanced Security +console. 2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**. diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 498b42fa47..8825386438 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md 
@@ -1,6 +1,6 @@ --- -title: Windows Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) -description: Windows Firewall with Advanced Security Administration with Windows PowerShell +title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) +description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,29 +8,29 @@ ms.pagetype: security author: brianlic-msft --- -# Windows Firewall with Advanced Security Administration with Windows PowerShell +# Windows Defender Firewall with Advanced Security Administration with Windows PowerShell **Applies to** - Windows 10 - Windows Server 2016 -The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. +The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them. -In future versions of Windows, Microsoft might remove the netsh functionality for Windows Firewall with Advanced Security. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Firewall with Advanced Security. +In future versions of Windows, Microsoft might remove the netsh functionality for Windows Defender Firewall. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall. 
Windows PowerShell and netsh command references are at the following locations. -- [Netsh Commands for Windows Firewall with Advanced Security](http://technet.microsoft.com/library/cc771920) +- [Netsh Commands for Windows Defender Firewall](http://technet.microsoft.com/library/cc771920) ## Scope -This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide. +This guide does not teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide. ## Audience and user requirements -This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Firewall with Advanced Security, the Windows PowerShell language, and the basic concepts of Windows PowerShell. +This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell. ## In this topic 
@@ -45,11 +45,11 @@ This guide is intended for IT pros, system administrators, and IT managers, and ## Set profile global defaults -Global defaults set the device behavior in a per-profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles. +Global defaults set the device behavior in a per-profile basis. Windows Defender Firewall supports Domain, Private, and Public profiles. -### Enable Windows Firewall +### Enable Windows Defender Firewall with Advanced Security -Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain device: +Windows Defender Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Defender Firewall. Here is how to do this on a local domain device: **Netsh** 
@@ -63,9 +63,9 @@ netsh advfirewall set allprofiles state on Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True ``` -### Control Windows Firewall behavior +### Control Windows Defender Firewall with Advanced Security behavior -The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security console. +The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Defender Firewall with Advanced Security console. The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. 
@@ -84,31 +84,31 @@ Windows PowerShell Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` -### Disable Windows Firewall +### Disable Windows Defender Firewall with Advanced Security -Microsoft recommends that you do not disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). +Microsoft recommends that you do not disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). 
-Disabling Windows Firewall with Advanced Security can also cause problems, including: +Disabling Windows Defender Firewall with Advanced Security can also cause problems, including: - Start menu can stop working - Modern applications can fail to install or update - Activation of Windows via phone fails -- Application or OS incompatibilities that depend on Windows Firewall +- Application or OS incompatibilities that depend on Windows Defender Firewall -Microsoft recommends disabling Windows Firewall with Advanced Security only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed. +Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed. -If disabling Windows Firewall with Advanced Security is required, do not disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc). -Stopping the Windows Firewall service is not supported by Microsoft. +If disabling Windows Defender Firewall is required, do not disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). +Stopping the Windows Defender Firewall service is not supported by Microsoft. -Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility. +Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility. You should not disable the firewall yourself for this purpose. -The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running. 
+The proper method to disable the Windows Defender Firewall is to disable the Windows Defender Firewall Profiles and leave the service running. -Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**. -For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md). +Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**. +For more information, see [Windows Defender Firewall with Advanced Security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md). -The following example disables Windows Firewall with Advanced Security for all profiles. +The following example disables Windows Defender Firewall for all profiles. ```powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False @@ -237,13 +237,13 @@ The following scriptlet enables all rules in a predefined group containing remot **Netsh** ``` syntax -netsh advfirewall firewall set rule group="windows firewall remote management" new enable=yes +netsh advfirewall firewall set rule group="Windows Defender Firewall remote management" new enable=yes ``` Windows PowerShell ``` syntax -Set-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” –Enabled True +Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True ``` There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule. 
@@ -251,7 +251,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g Windows PowerShell ``` syntax -Enable-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” -Verbose +Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose ``` ### Delete a firewall rule @@ -315,7 +315,7 @@ Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSess An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. -Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. +Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Defender Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. 
@@ -524,7 +524,7 @@ New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel ## Deploy secure firewall rules with IPsec -In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. +In situations where only secure traffic can be allowed through the Windows Defender Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. ### Create a secure firewall rule (allow if secure) @@ -579,7 +579,7 @@ The following firewall rule allows Telnet traffic from user accounts that are me A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](http://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID). -Restricting access to a group allows administrations to extend strong authentication support through Windows Firewall/and or IPsec policies. +Restricting access to a group allows administrations to extend strong authentication support through Windows Defender Firewall and/or IPsec policies. The following example shows you how to create an SDDL string that represents security groups. 
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index 9cfe29f6c0..664f6f51f9 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,6 +1,6 @@ --- -title: Windows Firewall with Advanced Security Deployment Guide (Windows 10) -description: Windows Firewall with Advanced Security Deployment Guide +title: Windows Defender Firewall with Advanced Security Deployment Guide (Windows 10) +description: Windows Defender Firewall with Advanced Security Deployment Guide ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,25 +9,25 @@ ms.pagetype: security author: brianlic-msft --- -# Windows Firewall with Advanced Security Deployment Guide +# Windows Defender Firewall with Advanced Security Deployment Guide **Applies to** - Windows 10 - Windows Server 2016 -You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. +You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. -You can use Windows Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device. +You can use Windows Defender Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device. ## About this guide -This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. +This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Defender Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. 
-Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). +Begin by reviewing the information in [Planning to Deploy Windows Defender Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). -If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. +If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. -After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: +After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Defender Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: - [Basic Firewall Policy Design](basic-firewall-policy-design.md) 
@@ -37,7 +37,7 @@ After you select your design and gather the required information about the zones - [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) -Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. +Use the checklists in [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. >**Caution:**  We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. 
@@ -47,16 +47,16 @@ In a large enterprise environment with hundreds or thousands of GPOs, using this This guide does not provide: -- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide. +- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Defender Firewall with Advanced Security Design Guide. - Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. - Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. -## Overview of Windows Firewall with Advanced Security +## Overview of Windows Defender Firewall with Advanced Security -Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. 
+Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. -The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. +The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. 
While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. -For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). +For more information about Windows Defender Firewall with Advanced Security, see [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 47830f44c9..47ca379543 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,6 +1,7 @@ --- -title: Windows Firewall with Advanced Security Design Guide (Windows 10) -description: Windows Firewall with Advanced Security Design Guide +title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10) +description: Windows Defender Firewall with Advanced Security +Design Guide ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.prod: w10 ms.mktglfcycl: deploy 
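Review bot: the rewritten Overview sentence now reads “Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2”, but none of those releases ship anything under that name; on them the console and service are still labelled Windows Firewall with Advanced Security, so a reader on one of those versions will not find the renamed feature. The same applies to “devices running at least Windows Vista or Windows Server 2008” earlier in this file. Either keep the old name in sentences that enumerate pre-rename releases, or add one sentence saying the feature was renamed and that earlier releases use the previous name.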
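Review bot: the extra line this hunk adds to the design guide front matter (the 6 to 7 line count in the header) is a stray line break: “description: Windows Defender Firewall with Advanced Security” is followed by a bare “Design Guide” line at column 0, which is not valid YAML (a plain scalar cannot continue unindented) and will break front-matter parsing for the whole page. Join the two lines back into `description: Windows Defender Firewall with Advanced Security Design Guide`.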
@@ -9,29 +10,30 @@ ms.pagetype: security author: brianlic-msft --- -# Windows Firewall with Advanced Security Design Guide +# Windows Defender Firewall with Advanced Security +Design Guide **Applies to** - Windows 10 - Windows Server 2016 -Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. +Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. -The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. 
While the Windows Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. +The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. -For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). +For more overview information, see [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md). ## About this guide -This guide provides recommendations to help you to choose or create a design for deploying Windows Firewall with Advanced Security in your enterprise environment. The guide describes some of the common goals for using Windows Firewall with Advanced Security, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide. +This guide provides recommendations to help you to choose or create a design for deploying Windows Defender Firewall in your enterprise environment. The guide describes some of the common goals for using Windows Defender Firewall, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide. 
This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals. -Windows Firewall with Advanced Security should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules. +Windows Defender Firewall should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules. -To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Firewall with Advanced Security, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory. +To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory. -You can use the deployment goals to form one of these Windows Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: +You can use the deployment goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: - **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized. 
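Review bot: the H1 in this hunk has been split into “# Windows Defender Firewall with Advanced Security” followed by a separate “Design Guide” line, so the page title renders as the shorter heading with a dangling paragraph that just says “Design Guide”; join them back into one heading line. In the same hunk, “The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel” has lost the distinction the sentence exists to draw, since both sides now carry the same name. Keep “with Advanced Security” on the first side, because the MMC snap-in is what is being contrasted with the Control Panel applet.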
@@ -45,9 +47,10 @@ You can use the deployment goals to form one of these Windows Firewall with Adva - **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables devices that are not part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution. -In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Firewall with Advanced Security using the guidance in the Windows Firewall with Advanced Security Deployment Guide. +In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide. -You can find the Windows Firewall with Advanced Security Deployment Guide at these locations: +You can find the Windows Defender Firewal with Advanced Security +Deployment Guide at these locations: - (Web page) 
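Review bot: typo “Firewal” on the added line “You can find the Windows Defender Firewal with Advanced Security”, and that sentence has also been broken across two + lines with “Deployment Guide at these locations:” on its own line. Markdown will reflow the two lines into one paragraph, so the break is cosmetic, but the misspelling will ship; suggest one line: `You can find the Windows Defender Firewall with Advanced Security Deployment Guide at these locations:`.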
@@ -57,12 +60,12 @@ You can find the Windows Firewall with Advanced Security Deployment Guide at the | Topic | Description | - | - | -| [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Firewall with Advanced Security design process. | -| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Firewall with Advanced Security deployment goals. | -| [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. | -| [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. | -| [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. | -| [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. 
| +| [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. | +| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security deployment goals. | +| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. | +| [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Defender Firewall to improve the security of the computers connected to the network. | +| [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. | +| [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. 
| | [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). | ## Terminology used in this guide 
@@ -74,20 +77,20 @@ The following table identifies and defines terms used throughout this guide. | Active Directory domain | A group of devices and users managed by an administrator by using Active Directory Domain Services (AD DS). Devices in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary. | | Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.| | Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that are not members of the isolated domain. Devices in the boundary zone request but do not require authentication. They use IPsec to communicate with other devices in the isolated domain.| -| Connection security rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.| +| Connection security rule | A rule in Windows Defender Firewall that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.| | Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. 
Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| | Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| | Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| -| Firewall rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | | Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| | IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| | Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| | Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.| -| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.| -| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic. | +| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.| +| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. | | Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This is not related to the term zone as used by Domain Name System (DNS). | -**Next:** [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) +**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)   diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md index 4433aaf633..cb9ac4105d 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- -title: Windows Firewall with Advanced Security (Windows 10) -description: Windows Firewall with Advanced Security +title: Windows Defender Firewall with Advanced Security (Windows 10) +description: Windows Defender Firewall with Advanced Security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,35 +8,36 @@ ms.pagetype: security author: brianlic-msft --- -# Windows Firewall with Advanced Security +# Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. +This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ## Feature description -Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy. +Windows Defender Firewall with Advanced Security +is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. 
## Practical applications -To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits: +To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits: -- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. +- **Reduces the risk of network security threats.**  Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. -- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. +- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. -- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with the operating system, there is no additional hardware or software required. 
Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). +- **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). ## In this section | Topic | Description | - | - | -| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Firewall configuration to isolate the network access of Windows Store apps that run on devices. | +| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Windows Store apps that run on devices. | | [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. | -| [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Firewall. | -| [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Firewall with Advanced Security. | -| [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Firewall with Advanced Security. 
| +| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. | +| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. | +| [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. | diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 45e1aa1d54..5eb786803f 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -150,32 +150,32 @@ The following diagram shows the DevDetail configuration service provider managem > [!NOTE] > This is not supported in Windows 10 for desktop editions. -**VoLTEServiceSetting** +**Ext/VoLTEServiceSetting**

Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.

Supported operation is Get. -**WlanIPv4Address** +**Ext/WlanIPv4Address**

Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.

Supported operation is Get. -**WlanIPv6Address** +**Ext/WlanIPv6Address**

Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.

Supported operation is Get. -**WlanDnsSuffix** +**Ext/WlanDnsSuffix**

Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.

Supported operation is Get. -**WlanSubnetMask** +**Ext/WlanSubnetMask**

Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.

Supported operation is Get. -**DeviceHardwareData** +**Ext/DeviceHardwareData**

Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. > [!Note] diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 7b74bff2f6..1edda04b19 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -54,7 +54,7 @@ This section describes how this is done. The following diagram shows the server- MSDN provides much information about the Server-Server sync protocol. In particular: - It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. +- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://sws.update.microsoft.com/ServerSyncWebService/serversyncwebservice.asmx. Some important highlights: 
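Review bot: In the windows-firewall-with-advanced-security.md feature-description hunk, the new paragraph is split mid-sentence across two added lines ("+Windows Defender Firewall with Advanced Security" / "+is an important part of a layered security model"); join them on one line like the rest of the paragraph. The same hunk shortens the console name to "a single Microsoft Management Console (MMC) named Windows Defender Firewall" while the topic title keeps "with Advanced Security"; if the snap-in name itself is unchanged, keep the full name in that sentence.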
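Review bot: In the device-update-management.md hunk the Server Sync binding URL changes host (fe2.update.microsoft.com to sws.update.microsoft.com) and drops the /v6/ path segment with no explanation in the surrounding text or the change history; since readers set this URL by hand to work around the incorrect WSDL stub, add a sentence saying why the endpoint changed so existing integrations pointed at the old URL know to update.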
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 71cc5e3867..ea9ebb3cb7 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/18/2017 --- # Firewall CSP @@ -33,35 +33,45 @@ The following diagram shows the Firewall configuration service provider in tree **MdmStore/Global**

Interior node.

-

Supported operations are Get and Replace.

+

Supported operations are Get.

**MdmStore/Global/PolicyVersionSupported** -

DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

+

Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

Value type in integer. Supported operation is Get.

**MdmStore/Global/CurrentProfiles** -

DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

+

Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

Value type in integer. Supported operation is Get.

**MdmStore/Global/DisableStatefulFtp** -

This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.

-

Boolean value. Supported operations are Get and Replace.

+

Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

+

Default value is false.

+

Data type is bool. Supported operations are Add, Get, Replace, and Delete.

**MdmStore/Global/SaIdleTime** -

This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<

-

Value type is integer. Supported operations are Get and Replace.

+

This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Default value is 300.

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

-**MdmStore/Global/TPresharedKeyEncodingBD** -

Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

-

Value type is integer. Supported operations are Get and Replace.

+**MdmStore/Global/PresharedKeyEncoding** +

Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES enumeration](https://msdn.microsoft.com/en-us/library/cc231525.aspx). The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Default value is 1.

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

**MdmStore/Global/IPsecExempt** -

This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

-

Value type is integer. Supported operations are Get and Replace.

+

This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](https://msdn.microsoft.com/en-us/library/cc231523.aspx); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Default value is 0.

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

**MdmStore/Global/CRLcheck** -

This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

-

Value type is integer. Supported operations are Get and Replace.

+

This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

+
    +
  • 0 disables CRL checking
  • +
  • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
  • +
  • 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
  • +
+

Default value is 0.

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

**MdmStore/Global/PolicyVersion**

This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

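Review bot: "Valid valued:" in the new CRLcheck description should be "Valid values:", and the three bullets under it end inconsistently (only the second one has a full stop). In the same hunk, the new "Supported operations are Get." under MdmStore/Global should be "Supported operation is Get." (singular, as the other Get-only nodes put it), and the repeated "The value is integer and MUST be" reads better as "The value is an integer and MUST be". Since the hunk already touches the PolicyVersionSupported and CurrentProfiles blocks, the unchanged "Value type in integer." under each could be corrected to "Value type is integer." at the same time.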
@@ -72,12 +82,20 @@ The following diagram shows the Firewall configuration service provider in tree

Value type is string. Supported operation is Get.

**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -

This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

-

Boolean value. Supported operations are Get and Replace.

+

This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

+

Boolean value. Supported operations are Add, Get, Replace, and Delete.

**MdmStore/Global/EnablePacketQueue** -

This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.

-

Value type is integer. Supported operations are Get and Replace.

+

This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:

+ +
    +
  • 0x00 indicates that all queuing is to be disabled
  • +
  • 0x01 specifies that inbound encrypted packets are to be queued
  • +
  • 0x02 specifies that packets are to be queued after decryption is performed for forwarding
  • +
+ +

Default value is 0.

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

**MdmStore/DomainProfile**

Interior node. Supported operation is Get.

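Review bot: "This value is bool used as an on/off switch" in the new OpportunisticallyMatchAuthSetPerKM text should read "This value is a Boolean used as an on/off switch", and the closing "Boolean value. Supported operations are ..." then states the type a second time; the other nodes in this patch state it once as "Value type is bool." In the EnablePacketQueue block the valid-values list is wrapped in two added empty lines on each side, which renders as doubled blank lines; one is enough.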
@@ -89,58 +107,79 @@ The following diagram shows the Firewall configuration service provider in tree

Interior node. Supported operation is Get.

**/EnableFirewall** -

This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Default value is true.

+

Value type is bool. Supported operations are Add, Get and Replace.

**/DisableStealthMode** -

This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Default value is false.

+

Value type is bool. Supported operations are Add, Get and Replace.

**/Shielded** -

This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

+

Default value is false.

+

Value type is bool. Supported operations are Get and Replace.

**/DisableUnicastResponsesToMulticastBroadcast** -

This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Default value is false.

+

Value type is bool. Supported operations are Add, Get and Replace.

**/DisableInboundNotifications** -

This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Default value is false.

+

Value type is bool. Supported operations are Add, Get and Replace.

**/AuthAppsAllowUserPrefMerge** -

This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Default value is true.

+

Value type is bool. Supported operations are Add, Get and Replace.

**/GlobalPortsAllowUserPrefMerge** -

This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Default value is true.

+

Value type is bool. Supported operations are Add, Get and Replace.

**/AllowLocalPolicyMerge** -

This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

+

Default value is true.

+

Value type is bool. Supported operations are Add, Get and Replace.

**/AllowLocalIpsecPolicyMerge** -

This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

+

Default value is true.

+

Value type is bool. Supported operations are Add, Get and Replace.

**/DefaultOutboundAction** -

This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

-

Value type is integer. Supported operations are Get and Replace.

+

This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+
    +
  • 0x00000000 - allow
  • +
  • 0x00000001 - block
  • +
+

Default value is 0 (allow).

+

Value type is integer. Supported operations are Add, Get and Replace.

**/DefaultInboundAction** -

This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

-

Value type is integer. Supported operations are Get and Replace.

+

This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

+
    +
  • 0x00000000 - allow
  • +
  • 0x00000001 - block
  • +
+

Default value is 1 (block).

+

Value type is integer. Supported operations are Add, Get and Replace.

**/DisableStealthModeIpsecSecuredPacketExemption** -

This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

-

Value type is integer. Supported operations are Get and Replace.

+

Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

+

Default value is true.

+

Value type is bool. Supported operations are Add, Get and Replace.

**FirewallRules**

A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

**FirewallRules/_FirewallRuleName_**

Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

+

Supported operations are Add, Get, Replace, and Delete.

**FirewallRules/_FirewallRuleName_/App**

Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

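Review bot: The new Boolean wording is inconsistent within this hunk: DisableInboundNotifications says "If this value is false, ... If this value is on," and Shielded says "If this value is true and EnableFirewall is on"; use true/false throughout now that these nodes are bool. Shielded also lists only "Get and Replace" while every sibling profile node lists "Add, Get and Replace"; confirm that is intended. The rewritten DefaultInboundAction line keeps the stray period in "GroupPolicyRSoPStore.win"; drop it while the line is being changed. Minor: "unicast responses to multicast broadcast traffic is blocked" should be "are blocked", and "alpha numeric" under FirewallRules/_FirewallRuleName_ is one word.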
@@ -150,6 +189,7 @@ The following diagram shows the Firewall configuration service provider in tree
  • FQBN
  • ServiceName
  • +

    If not specified, the default is All.

    Supported operation is Get.

    **FirewallRules/_FirewallRuleName_/App/PackageFamilyName** @@ -170,14 +210,17 @@ The following diagram shows the Firewall configuration service provider in tree **FirewallRules/_FirewallRuleName_/Protocol**

    0-255 number representing the ip protocol (TCP = 6, UDP = 17)

    +

    If not specified, the default is All.

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/LocalPortRanges**

    Comma separated list of ranges. For example, 100-120,200,300-320.

    +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/RemotePortRanges**

    Comma separated list of ranges, For example, 100-120,200,300-320.

    +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

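Review bot: The added "If not specified, the default is All." lines are fine, but since these three blocks are being edited, the surrounding context could be tidied in the same change: "0-255 number representing the ip protocol" should be "IP protocol", and in RemotePortRanges "Comma separated list of ranges, For example," needs a period before "For example" (the LocalPortRanges block above already has it).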
    **FirewallRules/_FirewallRuleName_/LocalAddressRanges** @@ -189,6 +232,7 @@ The following diagram shows the Firewall configuration service provider in tree
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
  • +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/RemoteAddressRanges** @@ -209,6 +253,7 @@ The following diagram shows the Firewall configuration service provider in tree
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
  • +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/Description** @@ -217,13 +262,13 @@ The following diagram shows the Firewall configuration service provider in tree **FirewallRules/_FirewallRuleName_/Enabled**

    Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -If not specified - a new rule is disabled by default.

    -

    Boolean value. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified - a new rule is disabled by default.

    +

    Boolean value. Supported operations are Get and Replace.

    **FirewallRules_FirewallRuleName_/Profiles** -

    Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

    - -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +

    Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.

    +

    If not specified, the default is All.

    +

    Value type is integer. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/Action**

    Specifies the action for the rule.

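Review bot: the Profiles heading is missing a slash ("FirewallRules_FirewallRuleName_/Profiles" should be "FirewallRules/_FirewallRuleName_/Profiles") and the rewritten description keeps the doubled period in "Public. . See"; both are in lines this hunk touches, so fix them here. Two substantive points. First, supported operations for Enabled and Profiles drop from Add, Get, Replace, and Delete to Get and Replace with no explanation; say how the node comes to exist (created with the FirewallRuleName node on Add, then set with Replace, if that is the behaviour) and check the DDF file changed in this same patch agrees. Second, "the default is All" for Profiles is an integer bitmask per FW_PROFILE_TYPE; give the numeric value the CSP reports, since Get returns a number, not the word All. The "a new rule is disabled by default" sentence is the right secure default and would be clearer placed directly after the first sentence of Enabled, so a reader does not miss that a rule pushed without Enabled=true does nothing.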
    @@ -235,7 +280,8 @@ If not specified - a new rule is disabled by default.

  • 0 - Block
  • 1 - Allow
  • -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified, the default is allow.

    +

    Value type is integer. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/Direction**

    Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:

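Review bot: write the new default as "1 - Allow" to match the enumeration two lines above, and make the consequence explicit: a rule with no Action allows traffic, which combined with the All defaults on protocol, ports and addresses is the permissive outcome, so the doc should recommend always setting Action. As with Enabled and Profiles, the operations for Action shrink to Get and Replace; say in one place that these per-rule nodes cannot be Deleted from an existing rule, rather than leaving each node to imply it.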
    @@ -244,27 +290,24 @@ If not specified - a new rule is disabled by default.

  • OUT - the rule applies to outbound traffic.
  • If not specified, the default is IN.
  • -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +

    Value type is string. Supported operations are Get and Replace.

    **FirewallRules/FirewallRuleName/InterfaceTypes**

    Comma separated list of interface types. Valid values:

    • RemoteAccess
    • Wireless
    • +
    • Lan
    • MobileBroadband
    • -
    • All
    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    - -**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** -

    List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified, the default is All.

    +

    Value type is string. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/EdgeTraversal**

    Indicates whether edge traversal is enabled or disabled for this rule.

    The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

    New rules have the EdgeTraversal property disabled by default.

    -

    Boolean value. Supported operations are Add, Get, Replace, and Delete.

    +

    Value type is bool. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**

    Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

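Review bot: three issues in this region. First, the "-**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**" line removes the IcmpTypesAndCodes heading while its body ("List of ICMP types and codes separated by semicolon...", the new "default is All" sentence and the Get/Replace line) stays, so that text now hangs under InterfaceTypes; if the node still exists, restore the heading, and drop the stray "<" at the end of the ICMP sentence, which is a leftover HTML fragment. Second, the InterfaceTypes list gains Lan and MobileBroadband and appears to drop All, but this is the one list node that does not get an "If not specified, the default is All." sentence; say what an unset InterfaceTypes matches. Third, EdgeTraversal changes "Boolean value" to "Value type is bool" while Enabled earlier in the patch keeps "Boolean value"; pick one phrasing. EdgeTraversal also keeps Add, Get, Replace, and Delete while the neighbouring per-rule nodes move to Get and Replace; if that difference is real, state it, because EdgeTraversal is the setting that makes a listener reachable through NATs via Teredo and admins will want to know it can be added to, and removed from, an existing rule.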
    @@ -274,10 +317,6 @@ If not specified - a new rule is disabled by default.

    Provides information about the specific verrsion of the rule in deployment for monitoring purposes.

    Value type is string. Supported operation is Get.

    -**FirewallRules/_FirewallRuleName_/FriendlyName** -

    Specifies the friendly name of the rule. The string must not contain the "|" character.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    - **FirewallRules/_FirewallRuleName_/Name**

    Name of the rule.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

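Review bot: this hunk deletes the FriendlyName node, and with it the only statement of the "must not contain the | character" constraint, while Name keeps just "Name of the rule". If FriendlyName was never implemented, say so in the change history; if it was folded into Name, move the "|" constraint to Name instead of dropping it, since a client enforcing it will reject values the doc no longer warns about. "verrsion" in the Version description above is a typo in a context line; worth fixing in a follow-up.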
    diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 9456acd05e..7a8de5174f 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/18/2017 --- # Firewall CSP @@ -30,6 +30,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + Root node for the Firewall configuration service provider. @@ -67,7 +68,6 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - @@ -88,7 +88,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. + Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. 
@@ -109,7 +109,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. + Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. @@ -130,8 +130,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win. + FALSE + This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. 
@@ -152,8 +155,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 300 + This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. @@ -174,8 +180,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 1 + Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -196,8 +205,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 0 + This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -218,8 +230,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -282,8 +296,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they do not support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. 
@@ -304,8 +320,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. + 0 + This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. 
@@ -346,10 +365,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -368,10 +389,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -391,9 +414,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -412,10 +436,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -434,10 +460,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -456,10 +484,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -478,10 +508,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -500,10 +532,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -522,10 +556,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -544,8 +580,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -566,8 +604,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -588,10 +628,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -630,10 +672,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -652,10 +696,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -675,9 +721,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -696,10 +743,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -718,10 +767,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -740,10 +791,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -762,10 +815,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -784,10 +839,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -806,10 +863,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -828,8 +887,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -850,8 +911,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -872,10 +935,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -914,10 +979,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -936,10 +1003,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -959,9 +1028,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -980,10 +1050,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -1002,10 +1074,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -1024,10 +1098,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -1046,10 +1122,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -1068,10 +1146,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -1090,10 +1170,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -1112,8 +1194,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -1134,8 +1218,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -1156,10 +1242,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -1200,6 +1288,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). @@ -1349,7 +1438,7 @@ ServiceName - 0-255 number representing the ip protocol (TCP = 6, UDP = 17) + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. @@ -1373,7 +1462,7 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320 + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. @@ -1397,7 +1486,7 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320 + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. @@ -1428,7 +1517,7 @@ Valid tokens include: A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. -An IPv6 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. @@ -1466,7 +1555,7 @@ An IPv6 address range in the format of "start address - end address" with no spa A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. -An IPv6 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. 
@@ -1509,8 +1598,6 @@ An IPv6 address range in the format of "start address - end address" with no spa Enabled - - @@ -1534,12 +1621,10 @@ If not specified - a new rule is disabled by default. Profiles - - - Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. + Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. @@ -1560,13 +1645,7 @@ If not specified - a new rule is disabled by default. - Specifies the action for the rule. - -BLOCK - block the connection. -ALLOW - allow the connection. - - -If not specified the default action is BLOCK. + Specifies the action for the rule. @@ -1584,11 +1663,10 @@ If not specified the default action is BLOCK. Type - - + 1 Specifies the action the rule enforces: 0 - Block 1 - Allow @@ -1611,11 +1689,10 @@ If not specified the default action is BLOCK. Direction - - + IN Comma separated list. The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. @@ -1640,11 +1717,10 @@ If not specified the detault is IN. InterfaceTypes - - + All String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All". If more than one interface type is specified, the strings must be separated by a comma. @@ -1661,30 +1737,6 @@ If not specified the detault is IN. - - IcmpTypesAndCodes - - - - - - - - The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes. - - - - - - - - - - - text/plain - - - EdgeTraversal 
@@ -1760,31 +1812,6 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - - FriendlyName - - - - - - - - Specifies the friendly name of the rule. -The string must not contain the "|" character. - - - - - - - - - - - text/plain - - - Name diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png index f31e4c749d..4720e51cd7 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-firewall.png and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-office.png b/windows/client-management/mdm/images/provisioning-csp-office.png index caa243a136..c361494236 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-office.png and b/windows/client-management/mdm/images/provisioning-csp-office.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index c2218a1fab..0dc3060c96 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/14/2017 +ms.date: 08/25/2017 --- # What's new in MDM enrollment and management @@ -52,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1511 - +
    @@ -184,7 +184,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1607 -
    +
    @@ -495,7 +495,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1703 -
    +
    @@ -678,12 +678,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Update/ActiveHoursMaxRange
  • Update/AutoRestartDeadlinePeriodInDays
  • Update/AutoRestartNotificationSchedule
  • -
  • Update/AutoRestartNotificationStyle
  • Update/AutoRestartRequiredNotificationDismissal
  • Update/DetectionFrequency
  • Update/EngagedRestartDeadline
  • Update/EngagedRestartSnoozeSchedule
  • -
  • Update/EngagedRestartTransistionSchedule
  • +
  • Update/EngagedRestartTransitionSchedule
  • Update/IgnoreMOAppDownloadLimit
  • Update/IgnoreMOUpdateDownloadLimit
  • Update/PauseFeatureUpdatesStartTime
  • @@ -917,7 +916,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1709 -
    +
    @@ -975,9 +974,18 @@ For details about Microsoft mobile device management protocols for Windows 10 s + + +
  • TimeLanguageSettings/AllowSet24HourClock
  • Update/ActiveHoursMaxRange
  • Update/AutoRestartNotificationSchedule
  • -
  • Update/AutoRestartNotificationStyle
  • Update/AutoRestartRequiredNotificationDismissal
  • Update/EngagedRestartDeadline
  • Update/EngagedRestartSnoozeSchedule
  • -
  • Update/EngagedRestartTransistionSchedule
  • +
  • Update/EngagedRestartTransitionSchedule
  • Update/SetAutoRestartNotificationDisable
  • WindowsLogon/HideFastUserSwitching
  • diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 8b62bdd0c7..96b82f9aa7 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -6,11 +6,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/22/2017 --- # Office CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx). This CSP was added in Windows 10, version 1703. @@ -38,7 +41,7 @@ The following diagram shows the Office configuration service provider in tree fo **Install** -

    Installs office by using the XML data specified in the configuration.xml file. +

    Installs Office by using the XML data specified in the configuration.xml file.

    The supported operations are Get and Execute. @@ -48,13 +51,18 @@ The following diagram shows the Office configuration service provider in tree fo

    The only supported operation is Get. +**CurrentStatus** + +

    Returns an XML of current Office 365 installation status on the device. + +

    The only supported operation is Get. ## Examples Sample SyncML to install Office 365 Business Retail from current channel. ```syntax - + 7 @@ -76,7 +84,7 @@ Sample SyncML to install Office 365 Business Retail from current channel. To uninstall the Office 365 from the system: ```syntax - + 7 @@ -95,6 +103,24 @@ To uninstall the Office 365 from the system: ``` +To get the current status of Office 365 on the device. + +``` syntax + +    +      7 +        +          +            ./Vendor/MSFT/Office/Installation/CurrentStatus +          +        +    +    + +``` + ## Status code

    [Office CSP](office-csp.md)

    Added the following setting in Windows 10, version 1709:

    +
      +
    • Installation/CurrentStatus
    • +
    +
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

      +
    • Browser/LockdownFavorites
    • +
    • Browser/ProvisionFavorites
    • CredentialProviders/DisableAutomaticReDeploymentCredentials
    • DeviceGuard/EnableVirtualizationBasedSecurity
    • DeviceGuard/RequirePlatformSecurityFeatures
    • @@ -1013,14 +1021,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    • Power/HibernateTimeoutPluggedIn
    • Power/StandbyTimeoutOnBattery
    • Power/StandbyTimeoutPluggedIn
    • +
    • Privacy/EnableActivityFeed
    • +
    • Privacy/PublishUserActivities
    • Defender/AttackSurfaceReductionOnlyExclusions
    • Defender/AttackSurfaceReductionRules
    • Defender/CloudBlockLevel
    • Defender/CloudExtendedTimeout
    • -
    • Defender/EnableGuardMyFolders
    • +
    • Defender/ControlledFolderAccessAllowedApplications
    • +
    • Defender/ControlledFolderAccessProtectedFolders
    • +
    • Defender/EnableControlledFolderAccess
    • Defender/EnableNetworkProtection
    • -
    • Defender/GuardedFoldersAllowedApplications
    • -
    • Defender/GuardedFoldersList
    • Education/DefaultPrinterName
    • Education/PreventAddingNewPrinters
    • Education/PrinterNames
    • @@ -1316,7 +1326,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ### August 2017 - +
      @@ -1366,13 +1376,41 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + + + + + + + + +
      [Office CSP](office-csp.md)

      Added the following setting in Windows 10, version 1709:

      +
        +
      • Installation/CurrentStatus
      • +
      +
      [BitLocker CSP](bitlocker-csp.md) Added information to the ADMX-backed policies.
      [Firewall CSP](firewall-csp.md)Updated the CSP and DDF topics. Here are the changes: +
        +
      • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
      • +
      • Changed some data types from integer to bool.
      • +
      • Updated the list of supported operations for some settings.
      • +
      • Added default values.
      • +
      +
      [Policy DDF file](policy-ddf-file.md)Added another Policy DDF file [download](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies: +
        +
      • Browser/AllowMicrosoftCompatibilityList
      • +
      • Update/DisableDualScan
      • +
      • Update/FillEmptyContentUrls
      • +
      +
      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies for Windows 10, version 1709:

        +
      • Browser/ProvisionFavorites
      • +
      • Browser/LockdownFavorites
      • ExploitGuard/ExploitProtectionSettings
      • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
      • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
      • @@ -1398,9 +1436,22 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
      • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
      • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
      • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
      • +
      • Privacy/EnableActivityFeed
      • +
      • Privacy/PublishUserActivities

      Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

      +

      Changed the names of the following policies:

      +
        +
      • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
      • +
      • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
      • +
      • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
      • +

      Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

      +

      There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

      +
        +
      • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
      • +
      • Start/HideAppList
      • +
      @@ -2006,11 +2057,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
    diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 0fd89434b4..ebd7f2b843 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/22/2017 --- # Office DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: @@ -19,7 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax @@ -30,12 +33,12 @@ The XML below is the current version for this CSP. 1.2 Office - ./Vendor/MSFT + ./User/Vendor/MSFT - Root of the office CSP. + Root of the Office CSP. @@ -46,7 +49,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.0/MDM/Office + com.microsoft/1.3/MDM/Office @@ -55,7 +58,7 @@ The XML below is the current version for this CSP. - Installation options for the office CSP. + Installation options for the Office CSP. 
@@ -100,7 +103,7 @@ The XML below is the current version for this CSP. - The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office. @@ -137,6 +140,27 @@ The XML below is the current version for this CSP. + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + text/plain + + + @@ -156,7 +180,7 @@ The XML below is the current version for this CSP. - + com.microsoft/1.3/MDM/Office @@ -243,6 +267,27 @@ The XML below is the current version for this CSP. + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 017e7eb94f..cf20c306d2 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/14/2017 +ms.date: 08/25/2017 --- # Policy CSP @@ -456,6 +456,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/HomePages
    +
    + Browser/LockdownFavorites +
    Browser/PreventAccessToAboutFlagsInMicrosoftEdge
    @@ -474,6 +477,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/PreventUsingLocalHostIPAddressForWebRTC
    +
    + Browser/ProvisionFavorites +
    Browser/SendIntranetTraffictoInternetExplorer
    @@ -667,7 +673,7 @@ The following diagram shows the Policy configuration service provider in tree fo Defender/DaysToRetainCleanedMalware
    - Defender/EnableGuardMyFolders + Defender/EnableControlledFolderAccess
    Defender/EnableNetworkProtection @@ -682,10 +688,10 @@ The following diagram shows the Policy configuration service provider in tree fo Defender/ExcludedProcesses
    - Defender/GuardedFoldersAllowedApplications + Defender/ControlledFolderAccessAllowedApplications
    - Defender/GuardedFoldersList + Defender/ControlledFolderAccessProtectedFolders
    Defender/PUAProtection @@ -1862,7 +1868,7 @@ The following diagram shows the Policy configuration service provider in tree fo LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    - LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation @@ -2023,6 +2029,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Privacy/DisableAdvertisingId
    +
    + Privacy/EnableActivityFeed +
    Privacy/LetAppsAccessAccountInfo
    @@ -2239,6 +2248,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
    +
    + Privacy/PublishUserActivities +
    ### RemoteAssistance policies @@ -3504,6 +3516,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) - [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) +- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) @@ -3512,6 +3525,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) - [System/AllowFontProviders](#system-allowfontproviders) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index f0d50ff7ac..263cff9d57 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/09/2017 +ms.date: 08/25/2017 --- # Policy CSP - Browser 
@@ -679,6 +679,39 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. + + + +**Browser/AlwaysEnableBooksLibrary** + + +
    + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    + + + +

    + +

    This is only a placeholder. + @@ -965,6 +998,51 @@ Employees cannot remove these search engines, but they can set any one as the de > [!NOTE] > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. + + + +**Browser/LockdownFavorites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + +

    Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +

    If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +> [!Important] +> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +

      +
    • 0 - Disabled. Do not lockdown Favorites.
    • +
    • 1 - Enabled. Lockdown Favorites.
    • +
    + +

    If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + +

    Data type is integer. Supported operations are Add, Get, Replace, and Delete. + @@ -1191,6 +1269,50 @@ Employees cannot remove these search engines, but they can set any one as the de - 0 (default) – The localhost IP address is shown. - 1 – The localhost IP address is hidden. + + + +**Browser/ProvisionFavorites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + +

    Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. +  +

    URL can be specified as: + +- HTTP location: "SiteList"="http://localhost:8080/URLs.html" +- Local network: "SiteList"="\\network\shares\URLs.html" +- Local file: "SiteList"="file:///c:\\Users\\\\Documents\\URLs.html" + +> [!Important] +> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +

    If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + +

    Data type is string. Supported operations are Add, Get, Replace, and Delete. + diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 42421382a1..2ab2afa893 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -782,7 +782,7 @@ Value type is string. -**Defender/EnableGuardMyFolders** +**Defender/EnableControlledFolderAccess** @@ -809,13 +809,13 @@ Value type is string. > [!NOTE] -> This policy is only enforced in Windows 10 for desktop. +> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.

    Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. -- 0 (default) - Off -- 1 - Audit mode -- 2 - Enforcement mode +- 0 (default) - Disabled +- 1 - Enabled +- 2 - Audit Mode @@ -977,7 +977,7 @@ Value type is string. -**Defender/GuardedFoldersAllowedApplications** +**Defender/ControlledFolderAccessAllowedApplications**

    @@ -1004,14 +1004,14 @@ Value type is string. > [!NOTE] -> This policy is only enforced in Windows 10 for desktop. +> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.

    Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode  as the substring separator. -**Defender/GuardedFoldersList** +**Defender/ControlledFolderAccessProtectedFolders**

    @@ -1038,7 +1038,7 @@ Value type is string. > [!NOTE] -> This policy is only enforced in Windows 10 for desktop. +> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.

    Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode  as the substring separator. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index e24b65ed09..627363f336 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -677,7 +677,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. -**LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD** +**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**

    diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index b2969151a6..8f5423f922 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/09/2017 +ms.date: 08/21/2017 --- # Policy CSP - Privacy @@ -34,11 +34,11 @@ ms.date: 08/09/2017 - - + + - - + + @@ -48,6 +48,9 @@ ms.date: 08/09/2017

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. +

    The following list shows the supported values: - 0 (default)– Not allowed. @@ -133,6 +136,42 @@ ms.date: 08/09/2017

    Most restricted value is 0. + + + +**Privacy/EnableActivityFeed** + + +

    Mobile Enterprise
    check mark1check mark1check mark3check mark3 check mark1check mark1check mark3check mark3 check mark check mark
    + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). +- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. + @@ -2503,6 +2542,42 @@ ms.date: 08/09/2017

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +**Privacy/PublishUserActivities** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the *user activities*. +- 1 – (default) Enabled. Apps/OS can publish the *user activities*. +


    @@ -2518,7 +2593,7 @@ Footnote: ## Privacy policies supported by Windows Holographic for Business -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) @@ -2545,6 +2620,7 @@ Footnote: ## Privacy policies supported by Microsoft Surface Hub +- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) @@ -2553,5 +2629,7 @@ Footnote: - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Privacy/PublishUserActivities](#privacy-publishuseractivities) + diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 6c0dd2a75b..c33b8625ee 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -448,10 +448,10 @@ ms.date: 08/09/2017 cross mark - check mark2 + check mark3 - check mark2 - check mark2 + check mark3 + check mark3 cross mark cross mark @@ -462,7 +462,10 @@ ms.date: 08/09/2017 > [!NOTE] > This policy requires reboot to take effect. -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. +

    Allows IT Admins to configure Start by collapsing or removing the all apps list. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.

    The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index ec16e08ca7..3e242783d4 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/30/2017 +ms.date: 08/23/2017 --- # Policy DDF file @@ -21,6 +21,7 @@ You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) +- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) The XML below is the DDF for Windows 10, version 1709. 
@@ -353,6 +354,941 @@ The XML below is the DDF for Windows 10, version 1709. + + Browser + + + + + + + + + + + + + + + + + + + + + AllowAddressBarDropdown + + + + + + + + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + + + + + + + + + + + text/plain + + + + + AllowAutofill + + + + + + + + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowBrowser + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCookies + + + + + + + + This setting lets you configure how your company deals with cookies. + + + + + + + + + + + text/plain + + + + + AllowDeveloperTools + + + + + + + + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowDoNotTrack + + + + + + + + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. + + + + + + + + + + + text/plain + + + + + AllowExtensions + + + + + + + + This setting lets you decide whether employees can load extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowFlash + + + + + + + + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowFlashClickToRun + + + + + + + + Configure the Adobe Flash Click-to-Run setting. + + + + + + + + + + + text/plain + + + + + AllowInPrivate + + + + + + + + This setting lets you decide whether employees can browse using InPrivate website browsing. 
+ + + + + + + + + + + text/plain + + + + + AllowMicrosoftCompatibilityList + + + + + + + + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. + +If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. + + + + + + + + + + + text/plain + + + + + AllowPasswordManager + + + + + + + + This setting lets you decide whether employees can save their passwords locally, using Password Manager. + + + + + + + + + + + text/plain + + + + + AllowPopups + + + + + + + + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. + + + + + + + + + + + text/plain + + + + + AllowSearchEngineCustomization + + + + + + + + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. + +If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. 
+ +This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). + + + + + + + + + + + text/plain + + + + + AllowSearchSuggestionsinAddressBar + + + + + + + + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowSmartScreen + + + + + + + + This setting lets you decide whether to turn on Windows Defender SmartScreen. + + + + + + + + + + + text/plain + + + + + AlwaysEnableBooksLibrary + + + + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + + + + + + + + + + + text/plain + + + + + ClearBrowsingDataOnExit + + + + + + + + Specifies whether to always clear browsing history on exiting Microsoft Edge. + + + + + + + + + + + text/plain + + + + + ConfigureAdditionalSearchEngines + + + + + + + + Allows you to add up to 5 additional search engines for MDM-enrolled devices. + +If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. + +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
+ + + + + + + + + + + text/plain + + + + + DisableLockdownOfStartPages + + + + + + + + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + +Note: This policy has no effect when Browser/HomePages is not configured. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + + + + + + + + + + + text/plain + + + + + EnterpriseModeSiteList + + + + + + + + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + + + + + text/plain + + + + + EnterpriseSiteListServiceUrl + + + + + + + + + + + + + + + + + + + text/plain + + + + + FirstRunURL + + + + + + + + Configure first run URL. + + + + + + + + + + + text/plain + + + + + HomePages + + + + + + + + Configure the Start page URLs for your employees. +Example: +If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. +Encapsulate each string with greater than and less than characters like any other XML tag. + +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. + + + + + + + + + + + text/plain + + + + + LockdownFavorites + + + + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. 
+ +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + + + + + + + + + + + text/plain + + + + + PreventAccessToAboutFlagsInMicrosoftEdge + + + + + + + + Prevent access to the about:flags page in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + PreventFirstRunPage + + + + + + + + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + PreventLiveTileDataCollection + + + + + + + + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverride + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverrideForFiles + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
+ + + + + + + + + + + text/plain + + + + + PreventUsingLocalHostIPAddressForWebRTC + + + + + + + + Prevent using localhost IP address for WebRTC + + + + + + + + + + + text/plain + + + + + ProvisionFavorites + + + + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + text/plain + + + + + SendIntranetTraffictoInternetExplorer + + + + + + + + Sends all intranet traffic over to Internet Explorer. + + + + + + + + + + + text/plain + + + + + SetDefaultSearchEngine + + + + + + + + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. + +If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. 
+ +If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + ShowMessageWhenOpeningSitesInInternetExplorer + + + + + + + + Show message when opening sites in Internet Explorer + + + + + + + + + + + text/plain + + + + + SyncFavoritesBetweenIEAndMicrosoftEdge + + + + + + + + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + + + + + + + + + + + text/plain + + + + CredentialsUI @@ -467,7 +1403,7 @@ The XML below is the DDF for Windows 10, version 1709. - AllowUserPrinterInstallation + DefaultPrinterName @@ -475,9 +1411,9 @@ The XML below is the DDF for Windows 10, version 1709. - Boolean that specifies whether or not to allow user to install new printers + This policy sets user's default printer - + @@ -491,7 +1427,7 @@ The XML below is the DDF for Windows 10, version 1709. - DefaultPrinterName + PreventAddingNewPrinters @@ -499,9 +1435,9 @@ The XML below is the DDF for Windows 10, version 1709. - This policy sets user's default printer + Boolean that specifies whether or not to prevent user to install new printers - + @@ -1133,7 +2069,7 @@ The XML below is the DDF for Windows 10, version 1709. - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -1757,7 +2693,7 @@ The XML below is the DDF for Windows 10, version 1709. - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites 
@@ -2357,7 +3293,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -2597,31 +3533,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -2861,55 +3773,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG2 + InternetZoneJavaPermissions @@ -3340,6 +4204,30 @@ The XML below is the DDF for Windows 10, version 1709. + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneInitializeAndScriptActiveXControls @@ -3364,6 +4252,54 @@ The XML below is the DDF for Windows 10, version 1709. + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneNavigateWindowsAndFrames @@ -5501,31 +6437,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneAllowFontDownloadsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 + RestrictedSitesZoneAllowFontDownloads @@ -5908,6 +6820,30 @@ The XML below is the DDF for Windows 10, version 1709. + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows 
@@ -6221,7 +7157,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -6245,7 +7181,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -6269,7 +7205,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -6293,7 +7229,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode @@ -6317,7 +7253,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -6652,6 +7588,54 @@ The XML below is the DDF for Windows 10, version 1709. + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneInitializeAndScriptActiveXControls @@ -6676,6 +7660,54 @@ The XML below is the DDF for Windows 10, version 1709. + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneJavaPermissions @@ -6724,54 +7756,6 @@ The XML below is the DDF for Windows 10, version 1709. - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - - - text/plain - - - Notifications @@ -7062,6 +8046,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + HighestValueMostSecure 
@@ -7108,6 +8093,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_MarkZoneOnSavedAtttachments + LastWrite @@ -7134,6 +8120,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_RemoveZoneInfo + LastWrite @@ -7160,6 +8147,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_CallIOfficeAntiVirus + LastWrite @@ -7202,6 +8190,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7248,6 +8237,7 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume + LastWrite @@ -7274,6 +8264,7 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun + LastWrite 
@@ -7300,6 +8291,921 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun + LastWrite + + + + + Browser + + + + + + + + + + + + + + + + + + + AllowAddressBarDropdown + + + + + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowAutofill + + + + + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowBrowser + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + LowestValueMostSecure + + + + AllowCookies + + + + + This setting lets you configure how your company deals with cookies. + 2 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowDeveloperTools + + + + + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowDoNotTrack + + + + + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowExtensions + + + + + This setting lets you decide whether employees can load extensions in Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowFlash + + + + + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + AllowFlashClickToRun + + + + + Configure the Adobe Flash Click-to-Run setting. 
+ 1 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + AllowInPrivate + + + + + This setting lets you decide whether employees can browse using InPrivate website browsing. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowMicrosoftCompatibilityList + + + + + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. + +If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowPasswordManager + + + + + This setting lets you decide whether employees can save their passwords locally, using Password Manager. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowPopups + + + + + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowSearchEngineCustomization + + + + + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. 
+ +If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. + +This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowSearchSuggestionsinAddressBar + + + + + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowSmartScreen + + + + + This setting lets you decide whether to turn on Windows Defender SmartScreen. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AlwaysEnableBooksLibrary + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + ClearBrowsingDataOnExit + + + + + Specifies whether to always clear browsing history on exiting Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + ConfigureAdditionalSearchEngines + + + + + Allows you to add up to 5 additional search engines for MDM-enrolled devices. + +If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. 
+ +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + + text/plain + + LastWrite + + + + DisableLockdownOfStartPages + + + + + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + +Note: This policy has no effect when Browser/HomePages is not configured. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + EnterpriseModeSiteList + + + + + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + EnterpriseSiteListServiceUrl + + + + + + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + FirstRunURL + + + + + Configure first run URL. + + + + + + + + + + + + text/plain + + desktop + LastWrite + + + + HomePages + + + + + Configure the Start page URLs for your employees. +Example: +If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. +Encapsulate each string with greater than and less than characters like any other XML tag. 
+ +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + LockdownFavorites + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + PreventAccessToAboutFlagsInMicrosoftEdge + + + + + Prevent access to the about:flags page in Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventFirstRunPage + + + + + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
+ 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + PreventLiveTileDataCollection + + + + + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventSmartScreenPromptOverride + + + + + Don't allow Windows Defender SmartScreen warning overrides + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventSmartScreenPromptOverrideForFiles + + + + + Don't allow Windows Defender SmartScreen warning overrides for unverified files. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventUsingLocalHostIPAddressForWebRTC + + + + + Prevent using localhost IP address for WebRTC + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + ProvisionFavorites + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
+ + + + + + + + + + + + text/plain + + LastWrite + + + + SendIntranetTraffictoInternetExplorer + + + + + Sends all intranet traffic over to Internet Explorer. + 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + SetDefaultSearchEngine + + + + + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. + +If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. + +If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + + text/plain + + LastWrite + + + + ShowMessageWhenOpeningSitesInInternetExplorer + + + + + Show message when opening sites in Internet Explorer + 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + SyncFavoritesBetweenIEAndMicrosoftEdge + + + + + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. 
Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure @@ -7346,6 +9252,7 @@ The XML below is the DDF for Windows 10, version 1709. credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal + LastWrite @@ -7392,6 +9299,7 @@ The XML below is the DDF for Windows 10, version 1709. desktop.admx desktop~AT~Desktop DisablePersonalDirChange + LastWrite @@ -7414,28 +9322,6 @@ The XML below is the DDF for Windows 10, version 1709. - - AllowUserPrinterInstallation - - - - - Boolean that specifies whether or not to allow user to install new printers - - - - - - - - - - - - text/plain - - - DefaultPrinterName @@ -7456,6 +9342,30 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite + + + + PreventAddingNewPrinters + + + + + Boolean that specifies whether or not to prevent user to install new printers + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure @@ -7478,6 +9388,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7520,6 +9431,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7542,6 +9454,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7551,7 +9464,7 @@ The XML below is the DDF for Windows 10, version 1709. A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - E1CF1107-FF90-4228-93BF-26052DD2C714 + @@ -7564,6 +9477,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7586,6 +9500,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7608,6 +9523,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7630,6 +9546,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite 
@@ -7672,6 +9589,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7695,6 +9613,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7718,6 +9637,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7741,6 +9661,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7763,6 +9684,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7785,6 +9707,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7808,6 +9731,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7854,6 +9778,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider + LastWrite @@ -7880,6 +9805,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering + LastWrite @@ -7906,6 +9832,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList + LastWrite @@ -7932,6 +9859,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictFormSuggestPW + LastWrite @@ -7958,6 +9886,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyWarnCertMismatch + LastWrite @@ -7984,6 +9913,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteOnExit + LastWrite 
@@ -8010,6 +9940,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode + LastWrite @@ -8036,6 +9967,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable + LastWrite @@ -8062,10 +9994,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList + LastWrite - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -8088,6 +10021,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList + LastWrite @@ -8114,6 +10048,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites + LastWrite @@ -8140,6 +10075,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate + LastWrite @@ -8166,6 +10102,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate + LastWrite @@ -8192,6 +10129,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate + LastWrite @@ -8218,6 +10156,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate + LastWrite 
@@ -8244,6 +10183,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate + LastWrite @@ -8270,6 +10210,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate + LastWrite @@ -8296,6 +10237,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate + LastWrite @@ -8322,6 +10264,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry + LastWrite @@ -8348,6 +10291,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps + LastWrite @@ -8374,6 +10318,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate + LastWrite @@ -8400,6 +10345,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_InvalidSignatureBlock + LastWrite @@ -8426,6 +10372,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate + LastWrite @@ -8452,6 +10399,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites + LastWrite 
@@ -8478,6 +10426,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate + LastWrite @@ -8504,6 +10453,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_CertificateRevocation + LastWrite @@ -8530,6 +10480,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DownloadSignatures + LastWrite @@ -8556,6 +10507,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction IESF_PolicyExplorerProcesses_2 + LastWrite @@ -8582,6 +10534,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE + LastWrite @@ -8608,6 +10561,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -8634,6 +10588,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverride + LastWrite @@ -8660,6 +10615,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverrideForAppRepUnknown + LastWrite @@ -8686,6 +10642,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory RestrictHistory + LastWrite 
@@ -8712,6 +10669,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddonManagement_RestrictCrashDetection + LastWrite @@ -8738,10 +10696,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SQM_DisableCEIP + LastWrite - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -8764,6 +10723,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteHistory + LastWrite @@ -8790,6 +10750,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Downloading_of_Enclosures + LastWrite @@ -8816,6 +10777,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_SetWinInetProtocols + LastWrite @@ -8842,6 +10804,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoFirstRunCustomise + LastWrite @@ -8868,6 +10831,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableFlipAhead + LastWrite @@ -8894,6 +10858,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictHomePage + LastWrite @@ -8920,6 +10885,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL NoCertError + LastWrite @@ -8946,6 +10912,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy DisableInPrivateBrowsing + LastWrite 
@@ -8972,6 +10939,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode64Bit + LastWrite @@ -8998,6 +10966,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictProxy + LastWrite @@ -9024,6 +10993,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoSearchProvider + LastWrite @@ -9050,6 +11020,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SecondaryHomePages + LastWrite @@ -9076,6 +11047,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Security_Settings_Check + LastWrite @@ -9102,6 +11074,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableEPMCompat + LastWrite @@ -9128,6 +11101,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -9154,6 +11128,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist + LastWrite @@ -9180,6 +11155,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites + LastWrite @@ -9206,6 +11182,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet + LastWrite 
@@ -9232,6 +11209,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 + LastWrite @@ -9258,6 +11236,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 + LastWrite @@ -9284,6 +11263,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 + LastWrite @@ -9310,6 +11290,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowPasteViaScript_1 + LastWrite @@ -9336,6 +11317,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDropOrPasteFiles_1 + LastWrite @@ -9362,6 +11344,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 + LastWrite @@ -9388,10 +11371,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -9414,6 +11398,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_XAML_1 + LastWrite 
@@ -9440,6 +11425,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -9464,8 +11450,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet + LastWrite @@ -9490,8 +11477,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAllowTDCControl_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowTDCControl_Both_Internet + LastWrite @@ -9518,6 +11506,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_WebBrowserControl_1 + LastWrite @@ -9542,8 +11531,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyWindowsRestrictionsURLaction_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyWindowsRestrictionsURLaction_1 + LastWrite @@ -9570,6 +11560,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 + LastWrite 
@@ -9596,6 +11587,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 + LastWrite @@ -9622,6 +11614,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_ScriptStatusBar_1 + LastWrite @@ -9648,10 +11641,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 + LastWrite - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -9674,32 +11668,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite @@ -9724,8 +11693,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyDownloadSignedActiveX_3 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadSignedActiveX_1 + LastWrite @@ -9752,6 +11722,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadUnsignedActiveX_1 + LastWrite 
@@ -9776,8 +11747,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyTurnOnXSSFilter_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyTurnOnXSSFilter_Both_Internet + LastWrite @@ -9804,6 +11776,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet + LastWrite @@ -9830,6 +11803,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet + LastWrite @@ -9856,6 +11830,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyMimeSniffingURLaction_1 + LastWrite @@ -9880,8 +11855,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_TurnOnProtectedMode_2 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_TurnOnProtectedMode_1 + LastWrite @@ -9908,6 +11884,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_LocalPathForUpload_1 + LastWrite 
@@ -9934,36 +11911,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 + LastWrite - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - - - - InternetZoneJavaPermissionsWRONG1 + InternetZoneJavaPermissions @@ -9986,32 +11938,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyJavaPermissions_1 - - - - InternetZoneJavaPermissionsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 + LastWrite @@ -10038,6 +11965,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLaunchAppsAndFilesInIFRAME_1 + LastWrite @@ -10064,6 +11992,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLogon_1 + LastWrite @@ -10090,6 +12019,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 + LastWrite @@ -10116,6 +12046,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite 
@@ -10142,6 +12073,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicySignedFrameworkComponentsURLaction_1 + LastWrite @@ -10168,6 +12100,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_UnsafeFiles_1 + LastWrite @@ -10194,6 +12127,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyBlockPopupWindows_1 + LastWrite @@ -10220,6 +12154,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite @@ -10246,6 +12181,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 + LastWrite @@ -10272,6 +12208,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 + LastWrite @@ -10298,6 +12235,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 + LastWrite @@ -10324,6 +12262,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 + LastWrite 
@@ -10350,6 +12289,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 + LastWrite @@ -10376,6 +12316,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 + LastWrite @@ -10402,6 +12343,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 + LastWrite @@ -10428,6 +12370,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 + LastWrite @@ -10454,6 +12397,34 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 + LastWrite + + + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite 
@@ -10480,6 +12451,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyJavaPermissions_3 + LastWrite @@ -10506,6 +12532,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 + LastWrite @@ -10532,6 +12559,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 + LastWrite @@ -10558,6 +12586,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 + LastWrite @@ -10584,6 +12613,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 + LastWrite @@ -10610,6 +12640,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 + LastWrite 
@@ -10636,6 +12667,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 + LastWrite @@ -10662,6 +12694,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 + LastWrite @@ -10688,6 +12721,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 + LastWrite @@ -10714,6 +12748,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 + LastWrite @@ -10740,6 +12775,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 + LastWrite @@ -10764,8 +12800,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 + LastWrite @@ -10792,6 +12829,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 + LastWrite @@ -10818,6 +12856,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyJavaPermissions_9 + LastWrite 
@@ -10844,6 +12883,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 + LastWrite @@ -10870,6 +12910,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 + LastWrite @@ -10896,6 +12937,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 + LastWrite @@ -10922,6 +12964,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 + LastWrite @@ -10948,6 +12991,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 + LastWrite @@ -10974,6 +13018,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 + LastWrite @@ -11000,6 +13045,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 + LastWrite @@ -11026,6 +13072,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 + LastWrite 
@@ -11052,6 +13099,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 + LastWrite @@ -11078,6 +13126,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 + LastWrite @@ -11104,6 +13153,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 + LastWrite @@ -11130,6 +13180,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyJavaPermissions_2 + LastWrite @@ -11156,6 +13207,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 + LastWrite @@ -11182,6 +13234,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 + LastWrite @@ -11208,6 +13261,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 + LastWrite @@ -11234,6 +13288,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 + LastWrite 
@@ -11260,6 +13315,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 + LastWrite @@ -11286,6 +13342,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 + LastWrite @@ -11312,6 +13369,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 + LastWrite @@ -11338,6 +13396,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 + LastWrite @@ -11364,6 +13423,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 + LastWrite @@ -11390,6 +13450,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 + LastWrite @@ -11416,6 +13477,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 + LastWrite @@ -11442,6 +13504,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 + LastWrite 
@@ -11468,6 +13531,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 + LastWrite @@ -11494,6 +13558,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 + LastWrite @@ -11520,6 +13585,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 + LastWrite @@ -11546,6 +13612,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 + LastWrite @@ -11572,6 +13639,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 + LastWrite @@ -11598,6 +13666,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 + LastWrite @@ -11624,6 +13693,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 + LastWrite @@ -11650,6 +13720,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 + LastWrite 
@@ -11676,6 +13747,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 + LastWrite @@ -11702,6 +13774,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 + LastWrite @@ -11728,6 +13801,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyJavaPermissions_10 + LastWrite @@ -11754,6 +13828,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 + LastWrite @@ -11780,6 +13855,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 + LastWrite @@ -11806,6 +13882,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 + LastWrite @@ -11832,6 +13909,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 + LastWrite @@ -11858,6 +13936,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 + LastWrite 
@@ -11884,6 +13963,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 + LastWrite @@ -11910,6 +13990,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 + LastWrite @@ -11936,6 +14017,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 + LastWrite @@ -11962,6 +14044,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 + LastWrite @@ -11988,6 +14071,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 + LastWrite @@ -12014,6 +14098,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 + LastWrite @@ -12040,6 +14125,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyJavaPermissions_8 + LastWrite @@ -12066,6 +14152,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 + LastWrite 
@@ -12092,6 +14179,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 + LastWrite @@ -12118,6 +14206,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 + LastWrite @@ -12144,6 +14233,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 + LastWrite @@ -12170,6 +14260,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 + LastWrite @@ -12196,6 +14287,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 + LastWrite @@ -12222,6 +14314,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 + LastWrite @@ -12248,6 +14341,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 + LastWrite @@ -12274,6 +14368,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 + LastWrite 
@@ -12300,6 +14395,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 + LastWrite @@ -12326,6 +14422,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 + LastWrite @@ -12352,6 +14449,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyJavaPermissions_6 + LastWrite @@ -12378,6 +14476,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 + LastWrite @@ -12404,6 +14503,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature IESF_PolicyExplorerProcesses_6 + LastWrite @@ -12430,6 +14530,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction IESF_PolicyExplorerProcesses_3 + LastWrite @@ -12456,6 +14557,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar IESF_PolicyExplorerProcesses_10 + LastWrite @@ -12480,8 +14582,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 + inetres~AT~WindowsComponents~InternetExplorer + Disable_Managing_Safety_Filter_IE9 + LastWrite 
@@ -12508,6 +14611,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisablePerUserActiveXInstall + LastWrite @@ -12534,6 +14638,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation IESF_PolicyAllProcesses_9 + LastWrite @@ -12560,6 +14665,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisableRunThisTime + LastWrite @@ -12586,6 +14692,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall IESF_PolicyAllProcesses_11 + LastWrite @@ -12612,6 +14719,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 + LastWrite @@ -12636,8 +14744,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyActiveScripting_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyActiveScripting_7 + LastWrite @@ -12664,6 +14773,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 + LastWrite @@ -12690,6 +14800,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 + LastWrite 
@@ -12714,8 +14825,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBinaryBehaviors_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyBinaryBehaviors_7 + LastWrite @@ -12742,6 +14854,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowPasteViaScript_7 + LastWrite @@ -12768,6 +14881,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDropOrPasteFiles_7 + LastWrite @@ -12792,12 +14906,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFileDownload_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyFileDownload_7 + LastWrite - RestrictedSitesZoneAllowFontDownloadsWRONG1 + RestrictedSitesZoneAllowFontDownloads @@ -12820,32 +14935,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 + LastWrite @@ -12872,6 +14962,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 + LastWrite 
@@ -12898,6 +14989,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_XAML_7 + LastWrite @@ -12922,8 +15014,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowMETAREFRESH_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowMETAREFRESH_7 + LastWrite @@ -12950,6 +15043,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 + LastWrite @@ -12976,6 +15070,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted + LastWrite @@ -13002,6 +15097,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowTDCControl_Both_Restricted + LastWrite @@ -13028,6 +15124,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_WebBrowserControl_7 + LastWrite @@ -13054,6 +15151,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyWindowsRestrictionsURLaction_7 + LastWrite 
@@ -13080,6 +15178,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 + LastWrite @@ -13106,6 +15205,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 + LastWrite @@ -13132,6 +15232,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_ScriptStatusBar_7 + LastWrite @@ -13158,6 +15259,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 + LastWrite @@ -13184,6 +15286,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 + LastWrite @@ -13210,6 +15313,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadSignedActiveX_7 + LastWrite @@ -13236,6 +15340,34 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadUnsignedActiveX_7 + LastWrite + + + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite 
@@ -13262,6 +15394,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted + LastWrite @@ -13288,6 +15421,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted + LastWrite @@ -13314,6 +15448,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyMimeSniffingURLaction_7 + LastWrite @@ -13340,6 +15475,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_LocalPathForUpload_7 + LastWrite @@ -13366,6 +15502,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 + LastWrite @@ -13392,6 +15529,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyJavaPermissions_7 + LastWrite @@ -13418,6 +15556,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLaunchAppsAndFilesInIFRAME_7 + LastWrite @@ -13444,6 +15583,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLogon_7 + LastWrite 
@@ -13470,6 +15610,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -13494,8 +15635,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -13520,8 +15662,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyRunActiveXControls_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyRunActiveXControls_7 + LastWrite @@ -13548,6 +15691,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicySignedFrameworkComponentsURLaction_7 + LastWrite @@ -13572,12 +15716,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXMarkedSafe_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptActiveXMarkedSafe_7 + LastWrite - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets 
@@ -13598,12 +15743,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptingOfJavaApplets_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptingOfJavaApplets_7 + LastWrite - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -13626,10 +15772,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_UnsafeFiles_7 + LastWrite - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -13652,10 +15799,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode @@ -13678,10 +15826,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_TurnOnProtectedMode_7 + LastWrite - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -13704,6 +15853,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBlockPopupWindows_7 + LastWrite @@ -13730,6 +15880,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload IESF_PolicyAllProcesses_12 + LastWrite 
@@ -13756,6 +15907,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions IESF_PolicyAllProcesses_8 + LastWrite @@ -13782,6 +15934,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider + LastWrite @@ -13808,6 +15961,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer OnlyUseAXISForActiveXInstall + LastWrite @@ -13834,6 +15988,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 + LastWrite @@ -13860,6 +16015,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 + LastWrite @@ -13886,6 +16042,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 + LastWrite @@ -13912,6 +16069,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 + LastWrite @@ -13938,6 +16096,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 + LastWrite 
@@ -13964,6 +16123,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 + LastWrite @@ -13990,6 +16150,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 + LastWrite @@ -14016,6 +16177,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 + LastWrite @@ -14042,6 +16204,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 + LastWrite + + + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite 
@@ -14068,6 +16285,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -14094,6 +16366,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyJavaPermissions_5 + LastWrite @@ -14120,58 +16393,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 - - - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -14214,6 +16436,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure 
@@ -14260,6 +16483,7 @@ The XML below is the DDF for Windows 10, version 1709. Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions + LastWrite @@ -14302,6 +16526,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -14345,6 +16570,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LastWrite @@ -14387,6 +16613,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -14642,87 +16869,6 @@ The XML below is the DDF for Windows 10, version 1709. - - AccountPolicies - - - - - - - - - - - - - - - - - - - - - MinDevicePasswordLength - - - - - - - - This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. - - - - - - - - - - - text/plain - - - - - PasswordMustMeetComplexityRequirement - - - - - - - - This security setting determines whether passwords must meet complexity requirements. - -If this policy is enabled, passwords must meet the following minimum requirements: - -Not contain the user's account name or parts of the user's full name that exceed two consecutive characters -Be at least six characters in length -Contain characters from three of the following four categories: -English uppercase characters (A through Z) -English lowercase characters (a through z) -Base 10 digits (0 through 9) -Non-alphabetic characters (for example, !, $, #, %) -Complexity requirements are enforced when passwords are changed or created. - - - - - - - - - - - text/plain - - - - Accounts @@ -15910,6 +18056,30 @@ Complexity requirements are enforced when passwords are changed or created. + + AllowAadPasswordReset + + + + + + + + Specifies whether password reset is enabled for AAD accounts. + + + + + + + + + + + text/plain + + + AllowFastReconnect 
@@ -16537,7 +18707,7 @@ Complexity requirements are enforced when passwords are changed or created. This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. @@ -16679,6 +18849,30 @@ This policy will only apply on domain joined machines or when the device is MDM + + AlwaysEnableBooksLibrary + + + + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + + + + + + + + + + + text/plain + + + ClearBrowsingDataOnExit 
@@ -16848,7 +19042,7 @@ Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. @@ -16863,6 +19057,37 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo + + LockdownFavorites + + + + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + + + + + + + + + + + text/plain + + + PreventAccessToAboutFlagsInMicrosoftEdge 
@@ -17011,6 +19236,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ProvisionFavorites + + + + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + text/plain + + + SendIntranetTraffictoInternetExplorer 
@@ -17181,6 +19437,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LetAppsAccessCellularData + + + + + + + + This policy setting specifies whether Windows apps can access cellular data. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + ShowAppCellularAccessUI @@ -17633,6 +19985,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableWindowsAutoPilotResetCredentials + + + + + + + + + + + + + + + + + + + text/plain + + + CredentialsUI @@ -18845,6 +21221,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DOCacheHost + + + + + + + + + + + + + + + + + + + text/plain + + + DODownloadMode @@ -19520,7 +21920,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies how many passwords can be stored in the history that can’t be used. + Specifies how many passwords can be stored in the history that can’t be used. 
@@ -20468,6 +22868,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + ExploitGuard + + + + + + + + + + + + + + + + + + + + + ExploitProtectionSettings + + + + + + + + + + + + + + + + + + + text/plain + + + + Games @@ -20514,6 +22960,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + Handwriting + + + + + + + + + + + + + + + + + + + + + PanelDefaultModeDocked + + + + + + + + Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen + + + + + + + + + + + text/plain + + + + InternetExplorer @@ -20752,7 +23244,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -21376,7 +23868,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -22024,7 +24516,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -22264,31 +24756,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -22528,55 +24996,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG2 + InternetZoneJavaPermissions 
@@ -23007,6 +25427,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneInitializeAndScriptActiveXControls @@ -23031,6 +25475,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneNavigateWindowsAndFrames @@ -25168,31 +27660,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneAllowFontDownloadsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 + RestrictedSitesZoneAllowFontDownloads @@ -25575,6 +28043,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows @@ -25888,7 +28380,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -25912,7 +28404,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -25936,7 +28428,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -25960,7 +28452,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode 
@@ -25984,7 +28476,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -26080,7 +28572,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - SecurityZonesUseOnlyMachineSettings + SecurityZonesUseOnlyMachineSettings @@ -26343,6 +28835,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneInitializeAndScriptActiveXControls @@ -26367,6 +28907,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneJavaPermissions @@ -26415,54 +29003,6 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - - - text/plain - - - Kerberos 
@@ -26708,9 +29248,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 
@@ -26883,6 +29423,130 @@ Default: Guest. + + Devices_AllowedToFormatAndEjectRemovableMedia + + + + + + + + Devices: Allowed to format and eject removable media + +This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: + +Administrators +Administrators and Interactive Users + +Default: This policy is not defined and only Administrators have this ability. + + + + + + + + + + + text/plain + + + + + Devices_AllowUndockWithoutHavingToLogon + + + + + + + + Devices: Allow undock without having to log on +This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. +Default: Enabled. + +Caution +Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + + + + + + + + + + + text/plain + + + + + Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters + + + + + + + + Devices: Prevent users from installing printer drivers when connecting to shared printers + +For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. + +Default on servers: Enabled. 
+Default on workstations: Disabled + +Notes + +This setting does not affect the ability to add a local printer. +This setting does not affect Administrators. + + + + + + + + + + + text/plain + + + + + Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly + + + + + + + + Devices: Restrict CD-ROM access to locally logged-on user only + +This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. + +If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. + +Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + + + + + + + + + + + text/plain + + + InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked @@ -26911,7 +29575,7 @@ Do not display user information (3) - Interactivelogon_DoNotDisplayLastSignedIn + InteractiveLogon_DoNotDisplayLastSignedIn @@ -26941,7 +29605,7 @@ Default: Disabled. - Interactivelogon_DoNotDisplayUsernameAtSignIn + InteractiveLogon_DoNotDisplayUsernameAtSignIn @@ -26971,7 +29635,7 @@ Default: Disabled. - Interactivelogon_DoNotRequireCTRLALTDEL + InteractiveLogon_DoNotRequireCTRLALTDEL 
@@ -27233,6 +29897,39 @@ Default: This policy is not defined and automatic administrative logon is not al + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + + + + + + + + Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. + + + + + + + + + + + text/plain + + + Shutdown_ClearVirtualMemoryPageFile 
@@ -27278,9 +29975,9 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. 
@@ -27310,17 +30007,17 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. 
@@ -27349,11 +30046,43 @@ This policy setting controls the behavior of the elevation prompt for standard u The options are: -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+ + + + + + + + + + + text/plain + + + + + UserAccountControl_DetectApplicationInstallationsAndPromptForElevation + + + + + + + + User Account Control: Detect application installations and prompt for elevation + +This policy setting controls the behavior of application installation detection for the computer. + +The options are: + +Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. @@ -27383,9 +30112,9 @@ This policy setting enforces public key infrastructure (PKI) signature checks fo The options are: -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. +• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. +• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. 
@@ -27413,17 +30142,17 @@ The options are: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. +• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. +• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. 
@@ -27453,9 +30182,9 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. @@ -27485,9 +30214,9 @@ This policy setting controls whether the elevation request prompt is displayed o The options are: -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. +• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. 
@@ -27517,9 +30246,9 @@ This policy setting controls the behavior of Admin Approval Mode for the built-i The options are: -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. +• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. +• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. @@ -27549,9 +30278,9 @@ This policy setting controls whether application write failures are redirected t The options are: -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. +• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. -• Disabled: Applications that write data to protected locations fail. +• Disabled: Applications that write data to protected locations fail. 
@@ -28846,102 +31575,6 @@ The options are: - - LetAppsAccessCellularData - - - - - - - - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data privacy setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - LetAppsAccessContacts @@ -30199,7 +32832,7 @@ The options are: - This policy setting specifies whether Windows apps can sync with devices. + This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. @@ -30223,7 +32856,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. 
@@ -30247,7 +32880,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -30271,7 +32904,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -31258,6 +33891,30 @@ The options are: + + AllowCloudSearch + + + + + + + + + + + + + + + + + + + text/plain + + + AllowIndexingEncryptedStoresOrItems @@ -32950,6 +35607,30 @@ The options are: + + AllowDiskHealthModelUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + EnhancedStorageDevices 
@@ -33221,7 +35902,7 @@ The options are: - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. @@ -33260,6 +35941,30 @@ The options are: + + FeedbackHubAlwaysSaveDiagnosticsLocally + + + + + + + + Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. + + + + + + + + + + + text/plain + + + TelemetryProxy @@ -34070,6 +36775,30 @@ The options are: + + DisableDualScan + + + + + + + + Do not allow update deferral policies to cause scans against Windows Update + + + + + + + + + + + text/plain + + + EngagedRestartDeadline @@ -34239,7 +36968,7 @@ The options are: - ManageBuildPreview + ManagePreviewBuilds @@ -35739,6 +38468,7 @@ The options are: text/plain desktop + LowestValueMostSecure 
@@ -35761,6 +38491,7 @@ The options are: text/plain + LowestValueMostSecure @@ -35783,83 +38514,7 @@ The options are: text/plain - - - - - AccountPolicies - - - - - - - - - - - - - - - - - - - MinDevicePasswordLength - - - - - This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. - 7 - - - - - - - - - - - text/plain - - phone - - - - PasswordMustMeetComplexityRequirement - - - - - This security setting determines whether passwords must meet complexity requirements. - -If this policy is enabled, passwords must meet the following minimum requirements: - -Not contain the user's account name or parts of the user's full name that exceed two consecutive characters -Be at least six characters in length -Contain characters from three of the following four categories: -English uppercase characters (A through Z) -English lowercase characters (a through z) -Base 10 digits (0 through 9) -Non-alphabetic characters (for example, !, $, #, %) -Complexity requirements are enforced when passwords are changed or created. - 0 - - - - - - - - - - - text/plain - - phone + LowestValueMostSecure @@ -35902,6 +38557,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -35924,6 +38580,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -35946,6 +38603,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -35968,6 +38626,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite 
@@ -36014,6 +38673,7 @@ Complexity requirements are enforced when passwords are changed or created.ActiveXInstallService.admx ActiveXInstallService~AT~WindowsComponents~AxInstSv ApprovedActiveXInstallSites + LastWrite @@ -36057,6 +38717,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LastWrite @@ -36099,6 +38760,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36121,6 +38783,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36143,6 +38806,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36166,6 +38830,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -36188,6 +38853,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36211,6 +38877,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LowestValueMostSecure @@ -36234,6 +38901,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LastWrite @@ -36256,6 +38924,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36278,6 +38947,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36300,6 +38970,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36346,6 +39017,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV EnableAppV + LastWrite 
@@ -36372,6 +39044,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVEnable + LastWrite @@ -36398,6 +39071,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_PackageManagement PackageManagement_AutoCleanupEnable + LastWrite @@ -36424,6 +39098,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Scripting Scripting_Enable_Package_Scripts + LastWrite @@ -36450,6 +39125,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Enable_Publishing_Refresh_UX + LastWrite @@ -36476,6 +39152,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Reporting Reporting_Server_Policy + LastWrite @@ -36502,6 +39179,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_File_Exclusions + LastWrite @@ -36528,6 +39206,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_Registry_Exclusions + LastWrite @@ -36554,6 +39233,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Steaming_Autoload + LastWrite @@ -36580,6 +39260,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Client_Coexistence Client_Coexistence_Enable_Migration_mode + LastWrite @@ -36606,6 +39287,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_User + LastWrite 
@@ -36632,6 +39314,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_Global + LastWrite @@ -36658,6 +39341,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server1_Policy + LastWrite @@ -36684,6 +39368,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server2_Policy + LastWrite @@ -36710,6 +39395,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server3_Policy + LastWrite @@ -36736,6 +39422,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server4_Policy + LastWrite @@ -36762,6 +39449,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server5_Policy + LastWrite @@ -36788,6 +39476,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Certificate_Filter_For_Client_SSL + LastWrite @@ -36814,6 +39503,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Allow_High_Cost_Launch + LastWrite @@ -36840,6 +39530,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Location_Provider + LastWrite @@ -36866,6 +39557,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Installation_Root + LastWrite 
@@ -36892,6 +39584,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Source_Root + LastWrite @@ -36918,6 +39611,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Interval + LastWrite @@ -36944,6 +39638,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Retries + LastWrite @@ -36970,6 +39665,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Shared_Content_Store_Mode + LastWrite @@ -36996,6 +39692,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Support_Branch_Cache + LastWrite @@ -37022,6 +39719,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Verify_Certificate_Revocation_List + LastWrite @@ -37048,6 +39746,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVAllowList + LastWrite @@ -37070,6 +39769,30 @@ Complexity requirements are enforced when passwords are changed or created. + + AllowAadPasswordReset + + + + + Specifies whether password reset is enabled for AAD accounts. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + AllowFastReconnect @@ -37090,6 +39813,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37113,6 +39837,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure 
@@ -37135,6 +39860,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37181,6 +39907,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume + LastWrite @@ -37207,6 +39934,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun + LastWrite @@ -37233,6 +39961,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun + LastWrite @@ -37275,6 +40004,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37317,6 +40047,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37339,6 +40070,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37361,6 +40093,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37383,6 +40116,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37405,6 +40139,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37448,6 +40183,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37470,6 +40206,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37493,6 +40230,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LowestValueMostSecure @@ -37515,6 +40253,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure 
@@ -37538,6 +40277,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37560,6 +40300,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37583,6 +40324,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37606,6 +40348,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + HighestValueMostSecure @@ -37629,6 +40372,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + HighestValueMostSecure @@ -37651,6 +40395,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure 
@@ -37661,7 +40406,7 @@ Complexity requirements are enforced when passwords are changed or created. This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. 1 @@ -37677,6 +40422,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + LowestValueMostSecure @@ -37699,6 +40445,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + LowestValueMostSecure 
@@ -37722,6 +40469,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain phone + LowestValueMostSecure @@ -37749,6 +40497,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure @@ -37771,6 +40520,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure @@ -37793,6 +40543,30 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure + + + + AlwaysEnableBooksLibrary + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -37816,6 +40590,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain phone + LowestValueMostSecure @@ -37844,6 +40619,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -37872,6 +40648,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LowestValueMostSecure @@ -37895,6 +40672,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LastWrite @@ -37918,6 +40696,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LastWrite @@ -37941,6 +40720,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain desktop + LastWrite 
@@ -37954,7 +40734,7 @@ Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. @@ -37969,6 +40749,37 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo text/plain phone + LastWrite + + + + LockdownFavorites + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -37991,6 +40802,7 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo text/plain + HighestValueMostSecure 
@@ -38016,6 +40828,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -38040,6 +40853,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38062,6 +40876,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38084,6 +40899,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38106,6 +40922,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure + + + + ProvisionFavorites + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + + text/plain + + LastWrite @@ -38129,6 +40976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -38157,6 +41005,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38180,6 +41029,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure 
@@ -38203,6 +41053,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure @@ -38245,6 +41096,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38267,6 +41119,101 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LetAppsAccessCellularData + + + + + This policy setting specifies whether Windows apps can access cellular data. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + LetAppsAccessCellularData_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + + + LetAppsAccessCellularData_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + + + LetAppsAccessCellularData_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + ShowAppCellularAccessUI @@ -38290,6 +41237,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~UISettings_Category ShowAppCellularAccessUI + LastWrite 
@@ -38332,6 +41280,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38354,6 +41303,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38376,6 +41326,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38398,6 +41349,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38421,6 +41373,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -38444,6 +41397,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -38466,6 +41420,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38488,6 +41443,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38514,6 +41470,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings DisableHTTPPrinting_2 + LastWrite @@ -38540,6 +41497,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings DisableWebPnPDownload_2 + LastWrite @@ -38566,6 +41524,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings ShellPreventWPWDownload_2 + LastWrite @@ -38588,6 +41547,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure 
@@ -38614,6 +41574,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on networkprovider.admx NetworkProvider~AT~Network~Cat_NetworkProvider Pol_HardenedPaths + LastWrite @@ -38640,6 +41601,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on NetworkConnections.admx NetworkConnections~AT~Network~NetworkConnections NC_AllowNetBridge_NLA + LastWrite @@ -38686,6 +41648,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credentialproviders.admx CredentialProviders~AT~System~Logon AllowDomainPINLogon + LastWrite @@ -38712,6 +41675,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credentialproviders.admx CredentialProviders~AT~System~Logon BlockDomainPicturePassword + LastWrite + + + + EnableWindowsAutoPilotResetCredentials + + + + + + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -38758,6 +41745,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal + LastWrite @@ -38784,6 +41772,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credui.admx CredUI~AT~WindowsComponents~CredUI EnumerateAdministrators + LastWrite @@ -38826,6 +41815,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38848,6 +41838,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38890,6 +41881,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38912,6 +41904,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite 
@@ -38957,6 +41950,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost3G + LastWrite @@ -38982,6 +41976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost4G + LastWrite @@ -39025,6 +42020,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39048,6 +42044,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39071,6 +42068,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39094,6 +42092,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39117,6 +42116,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39140,6 +42140,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39163,6 +42164,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39186,6 +42188,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39209,6 +42212,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39232,6 +42236,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure 
@@ -39255,6 +42260,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39278,6 +42284,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39301,6 +42308,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39324,6 +42332,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39347,6 +42356,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39370,6 +42380,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39393,6 +42404,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39416,6 +42428,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39439,6 +42452,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39462,6 +42476,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39485,6 +42500,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39508,6 +42524,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39531,6 +42548,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39554,6 +42572,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite 
@@ -39577,6 +42596,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39600,6 +42620,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39623,6 +42644,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39646,6 +42668,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure @@ -39669,6 +42692,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39692,6 +42716,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39715,6 +42740,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39738,6 +42764,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39761,6 +42788,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39784,6 +42812,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39807,6 +42836,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39850,6 +42880,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39873,6 +42904,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure + + + + DOCacheHost + + + + + + + + + + + + + + + + + text/plain + + phone + LastWrite 
@@ -39896,6 +42952,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39919,6 +42976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39942,6 +43000,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39965,6 +43024,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39988,6 +43048,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40011,6 +43072,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40034,6 +43096,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40057,6 +43120,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40080,6 +43144,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40103,6 +43168,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40126,6 +43192,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40149,6 +43216,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40172,6 +43240,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40195,6 +43264,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite 
@@ -40238,6 +43308,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -40261,6 +43332,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecureZeroHasNoLimits @@ -40284,6 +43356,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -40330,6 +43403,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_IDs_Deny + LastWrite @@ -40356,6 +43430,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_Classes_Deny + LastWrite @@ -40399,6 +43474,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -40421,6 +43497,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -40443,6 +43520,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40465,6 +43543,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40487,6 +43566,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40509,6 +43589,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits 
@@ -40517,7 +43598,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies how many passwords can be stored in the history that can’t be used. + Specifies how many passwords can be stored in the history that can’t be used. 0 @@ -40531,6 +43612,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -40554,6 +43636,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40576,6 +43659,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -40598,6 +43682,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -40620,6 +43705,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -40643,6 +43729,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -40665,6 +43752,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -40687,6 +43775,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecureZeroHasNoLimits @@ -40714,6 +43803,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + HighestValueMostSecure @@ -40740,6 +43830,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ControlPanelDisplay.admx ControlPanelDisplay~AT~ControlPanel~Personalization CPL_Personalization_NoLockScreenSlideshow + LastWrite @@ -40762,6 +43853,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LastWrite 
@@ -40805,6 +43897,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LastWrite @@ -40828,6 +43921,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LastWrite @@ -40874,6 +43968,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerConsentCustomize_2 + LastWrite @@ -40900,6 +43995,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDisable_2 + LastWrite @@ -40926,6 +44022,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting PCH_ShowUI + LastWrite @@ -40952,6 +44049,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerNoSecondLevelData_2 + LastWrite @@ -40978,6 +44076,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDoNotShowUI + LastWrite @@ -41024,6 +44123,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_Log_Retention_1 + LastWrite @@ -41050,6 +44150,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_LogMaxSize_1 + LastWrite 
@@ -41076,6 +44177,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security Channel_LogMaxSize_2 + LastWrite @@ -41102,6 +44204,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System Channel_LogMaxSize_4 + LastWrite @@ -41145,6 +44248,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure @@ -41167,6 +44271,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41189,6 +44294,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41211,6 +44317,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41233,6 +44340,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41255,6 +44363,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41277,6 +44386,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41299,6 +44409,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41321,6 +44432,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + HighestValueMostSecure @@ -41343,6 +44455,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41366,6 +44479,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure 
@@ -41389,6 +44503,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure @@ -41412,6 +44527,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -41434,6 +44550,50 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + HighestValueMostSecure + + + + + ExploitGuard + + + + + + + + + + + + + + + + + + + ExploitProtectionSettings + + + + + + + + + + + + + + + + + text/plain + + LastWrite @@ -41476,6 +44636,51 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure + + + + + Handwriting + + + + + + + + + + + + + + + + + + + PanelDefaultModeDocked + + + + + Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure @@ -41522,6 +44727,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider + LastWrite @@ -41548,6 +44754,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering + LastWrite @@ -41574,6 +44781,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList + LastWrite @@ -41600,6 +44808,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyWarnCertMismatch + LastWrite 
@@ -41626,6 +44835,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteOnExit + LastWrite @@ -41652,6 +44862,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode + LastWrite @@ -41678,6 +44889,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable + LastWrite @@ -41704,6 +44916,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList + LastWrite @@ -41730,10 +44943,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures Advanced_EnableSSL3Fallback + LastWrite - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -41756,6 +44970,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList + LastWrite @@ -41782,6 +44997,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites + LastWrite @@ -41808,6 +45024,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate + LastWrite 
@@ -41834,6 +45051,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate + LastWrite @@ -41860,6 +45078,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate + LastWrite @@ -41886,6 +45105,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate + LastWrite @@ -41912,6 +45132,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate + LastWrite @@ -41938,6 +45159,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate + LastWrite @@ -41964,6 +45186,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate + LastWrite @@ -41990,6 +45213,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry + LastWrite @@ -42016,6 +45240,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps + LastWrite 
@@ -42042,6 +45267,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate + LastWrite @@ -42068,6 +45294,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_InvalidSignatureBlock + LastWrite @@ -42094,6 +45321,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate + LastWrite @@ -42120,6 +45348,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites + LastWrite @@ -42146,6 +45375,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate + LastWrite @@ -42172,6 +45402,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_CertificateRevocation + LastWrite @@ -42198,6 +45429,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DownloadSignatures + LastWrite @@ -42224,6 +45456,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction IESF_PolicyExplorerProcesses_2 + LastWrite 
@@ -42250,6 +45483,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE + LastWrite @@ -42276,6 +45510,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -42300,6 +45535,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverride + LastWrite @@ -42324,6 +45562,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverrideForAppRepUnknown + LastWrite @@ -42350,6 +45591,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory RestrictHistory + LastWrite @@ -42374,6 +45616,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + AddonManagement_RestrictCrashDetection + LastWrite @@ -42400,10 +45645,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SQM_DisableCEIP + LastWrite - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -42426,6 +45672,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteHistory + LastWrite 
@@ -42452,6 +45699,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Downloading_of_Enclosures + LastWrite @@ -42478,6 +45726,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_SetWinInetProtocols + LastWrite @@ -42504,6 +45753,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoFirstRunCustomise + LastWrite @@ -42530,6 +45780,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableFlipAhead + LastWrite @@ -42556,6 +45807,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL NoCertError + LastWrite @@ -42582,6 +45834,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy DisableInPrivateBrowsing + LastWrite @@ -42608,6 +45861,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode64Bit + LastWrite @@ -42632,6 +45886,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + RestrictProxy + LastWrite @@ -42658,6 +45915,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoSearchProvider + LastWrite 
@@ -42684,6 +45942,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SecondaryHomePages + LastWrite @@ -42710,6 +45969,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Security_Settings_Check + LastWrite @@ -42736,6 +45996,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoUpdateCheck + LastWrite @@ -42762,6 +46023,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableEPMCompat + LastWrite @@ -42788,6 +46050,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_zones_map_edit + LastWrite @@ -42814,6 +46077,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_options_edit + LastWrite @@ -42840,6 +46104,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -42866,6 +46131,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist + LastWrite @@ -42892,6 +46158,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites + LastWrite 
@@ -42918,6 +46185,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet + LastWrite @@ -42944,6 +46212,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 + LastWrite @@ -42970,6 +46239,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 + LastWrite @@ -42996,6 +46266,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 + LastWrite @@ -43022,6 +46293,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowPasteViaScript_1 + LastWrite @@ -43048,6 +46320,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDropOrPasteFiles_1 + LastWrite @@ -43074,6 +46347,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 + LastWrite 
@@ -43100,10 +46374,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -43126,6 +46401,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_XAML_1 + LastWrite @@ -43152,6 +46428,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -43176,8 +46453,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet + LastWrite @@ -43202,8 +46480,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAllowTDCControl_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowTDCControl_Both_Internet + LastWrite @@ -43230,6 +46509,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_WebBrowserControl_1 + LastWrite 
@@ -43254,8 +46534,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyWindowsRestrictionsURLaction_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyWindowsRestrictionsURLaction_1 + LastWrite @@ -43282,6 +46563,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 + LastWrite @@ -43308,6 +46590,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 + LastWrite @@ -43334,6 +46617,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_ScriptStatusBar_1 + LastWrite @@ -43360,10 +46644,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 + LastWrite - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls 
@@ -43386,32 +46671,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite @@ -43436,8 +46696,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyDownloadSignedActiveX_3 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadSignedActiveX_1 + LastWrite @@ -43464,6 +46725,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadUnsignedActiveX_1 + LastWrite @@ -43488,8 +46750,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyTurnOnXSSFilter_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyTurnOnXSSFilter_Both_Internet + LastWrite @@ -43516,6 +46779,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet + LastWrite 
@@ -43542,6 +46806,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet + LastWrite @@ -43568,6 +46833,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyMimeSniffingURLaction_1 + LastWrite @@ -43592,8 +46858,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_TurnOnProtectedMode_2 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_TurnOnProtectedMode_1 + LastWrite @@ -43620,6 +46887,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_LocalPathForUpload_1 + LastWrite @@ -43646,36 +46914,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 + LastWrite - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - - - - InternetZoneJavaPermissionsWRONG1 + InternetZoneJavaPermissions 
@@ -43698,32 +46941,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyJavaPermissions_1 - - - - InternetZoneJavaPermissionsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 + LastWrite @@ -43750,6 +46968,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLaunchAppsAndFilesInIFRAME_1 + LastWrite @@ -43776,6 +46995,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLogon_1 + LastWrite @@ -43802,6 +47022,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 + LastWrite @@ -43828,6 +47049,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -43854,6 +47076,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicySignedFrameworkComponentsURLaction_1 + LastWrite 
@@ -43880,6 +47103,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_UnsafeFiles_1 + LastWrite @@ -43906,6 +47130,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyBlockPopupWindows_1 + LastWrite @@ -43932,6 +47157,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite @@ -43958,6 +47184,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 + LastWrite @@ -43984,6 +47211,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 + LastWrite @@ -44010,6 +47238,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 + LastWrite @@ -44036,6 +47265,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 + LastWrite 
@@ -44062,6 +47292,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 + LastWrite @@ -44088,6 +47319,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 + LastWrite @@ -44114,6 +47346,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 + LastWrite @@ -44140,6 +47373,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 + LastWrite @@ -44166,6 +47400,34 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 + LastWrite + + + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite 
@@ -44192,6 +47454,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyJavaPermissions_3 + LastWrite @@ -44218,6 +47535,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 + LastWrite @@ -44244,6 +47562,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 + LastWrite @@ -44270,6 +47589,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 + LastWrite @@ -44296,6 +47616,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 + LastWrite 
@@ -44322,6 +47643,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 + LastWrite @@ -44348,6 +47670,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 + LastWrite @@ -44374,6 +47697,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 + LastWrite @@ -44400,6 +47724,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 + LastWrite @@ -44426,6 +47751,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 + LastWrite @@ -44452,6 +47778,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 + LastWrite @@ -44476,8 +47803,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 + LastWrite 
@@ -44504,6 +47832,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 + LastWrite @@ -44530,6 +47859,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyJavaPermissions_9 + LastWrite @@ -44556,6 +47886,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 + LastWrite @@ -44582,6 +47913,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 + LastWrite @@ -44608,6 +47940,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 + LastWrite @@ -44634,6 +47967,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 + LastWrite @@ -44660,6 +47994,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 + LastWrite 
@@ -44686,6 +48021,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 + LastWrite @@ -44712,6 +48048,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 + LastWrite @@ -44738,6 +48075,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 + LastWrite @@ -44764,6 +48102,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 + LastWrite @@ -44790,6 +48129,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 + LastWrite @@ -44816,6 +48156,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 + LastWrite @@ -44842,6 +48183,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyJavaPermissions_2 + LastWrite 
@@ -44868,6 +48210,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 + LastWrite @@ -44894,6 +48237,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 + LastWrite @@ -44920,6 +48264,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 + LastWrite @@ -44946,6 +48291,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 + LastWrite @@ -44972,6 +48318,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 + LastWrite @@ -44998,6 +48345,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 + LastWrite @@ -45024,6 +48372,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 + LastWrite 
@@ -45050,6 +48399,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 + LastWrite @@ -45076,6 +48426,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 + LastWrite @@ -45102,6 +48453,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 + LastWrite @@ -45128,6 +48480,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 + LastWrite @@ -45154,6 +48507,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 + LastWrite @@ -45180,6 +48534,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 + LastWrite @@ -45206,6 +48561,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 + LastWrite 
@@ -45232,6 +48588,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 + LastWrite @@ -45258,6 +48615,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 + LastWrite @@ -45284,6 +48642,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 + LastWrite @@ -45310,6 +48669,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 + LastWrite @@ -45336,6 +48696,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 + LastWrite @@ -45362,6 +48723,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 + LastWrite @@ -45388,6 +48750,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 + LastWrite 
@@ -45414,6 +48777,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 + LastWrite @@ -45440,6 +48804,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyJavaPermissions_10 + LastWrite @@ -45466,6 +48831,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 + LastWrite @@ -45492,6 +48858,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 + LastWrite @@ -45518,6 +48885,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 + LastWrite @@ -45544,6 +48912,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 + LastWrite @@ -45570,6 +48939,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 + LastWrite 
@@ -45596,6 +48966,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 + LastWrite @@ -45622,6 +48993,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 + LastWrite @@ -45648,6 +49020,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 + LastWrite @@ -45674,6 +49047,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 + LastWrite @@ -45700,6 +49074,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 + LastWrite @@ -45726,6 +49101,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 + LastWrite @@ -45752,6 +49128,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyJavaPermissions_8 + LastWrite 
@@ -45778,6 +49155,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 + LastWrite @@ -45804,6 +49182,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 + LastWrite @@ -45830,6 +49209,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 + LastWrite @@ -45856,6 +49236,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 + LastWrite @@ -45882,6 +49263,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 + LastWrite @@ -45908,6 +49290,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 + LastWrite @@ -45934,6 +49317,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 + LastWrite 
@@ -45960,6 +49344,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 + LastWrite @@ -45986,6 +49371,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 + LastWrite @@ -46012,6 +49398,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 + LastWrite @@ -46038,6 +49425,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 + LastWrite @@ -46064,6 +49452,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyJavaPermissions_6 + LastWrite @@ -46090,6 +49479,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 + LastWrite @@ -46116,6 +49506,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature IESF_PolicyExplorerProcesses_6 + LastWrite 
@@ -46142,6 +49533,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction IESF_PolicyExplorerProcesses_3 + LastWrite @@ -46168,6 +49560,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar IESF_PolicyExplorerProcesses_10 + LastWrite @@ -46192,8 +49585,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 + inetres~AT~WindowsComponents~InternetExplorer + Disable_Managing_Safety_Filter_IE9 + LastWrite @@ -46220,6 +49614,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisablePerUserActiveXInstall + LastWrite @@ -46246,6 +49641,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation IESF_PolicyAllProcesses_9 + LastWrite @@ -46272,6 +49668,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisableRunThisTime + LastWrite @@ -46298,6 +49695,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall IESF_PolicyAllProcesses_11 + LastWrite 
@@ -46324,6 +49722,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 + LastWrite @@ -46348,8 +49747,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyActiveScripting_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyActiveScripting_7 + LastWrite @@ -46376,6 +49776,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 + LastWrite @@ -46402,6 +49803,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 + LastWrite @@ -46426,8 +49828,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBinaryBehaviors_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyBinaryBehaviors_7 + LastWrite @@ -46454,6 +49857,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowPasteViaScript_7 + LastWrite 
@@ -46480,6 +49884,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDropOrPasteFiles_7 + LastWrite @@ -46504,12 +49909,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFileDownload_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyFileDownload_7 + LastWrite - RestrictedSitesZoneAllowFontDownloadsWRONG1 + RestrictedSitesZoneAllowFontDownloads @@ -46532,32 +49938,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 + LastWrite @@ -46584,6 +49965,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 + LastWrite @@ -46610,6 +49992,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_XAML_7 + LastWrite 
@@ -46634,8 +50017,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowMETAREFRESH_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowMETAREFRESH_7 + LastWrite @@ -46662,6 +50046,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 + LastWrite @@ -46688,6 +50073,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted + LastWrite @@ -46714,6 +50100,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowTDCControl_Both_Restricted + LastWrite @@ -46740,6 +50127,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_WebBrowserControl_7 + LastWrite @@ -46766,6 +50154,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyWindowsRestrictionsURLaction_7 + LastWrite 
@@ -46792,6 +50181,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 + LastWrite @@ -46818,6 +50208,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 + LastWrite @@ -46844,6 +50235,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_ScriptStatusBar_7 + LastWrite @@ -46870,6 +50262,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 + LastWrite @@ -46896,6 +50289,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 + LastWrite @@ -46922,6 +50316,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadSignedActiveX_7 + LastWrite 
@@ -46948,6 +50343,34 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadUnsignedActiveX_7 + LastWrite + + + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite @@ -46974,6 +50397,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted + LastWrite @@ -47000,6 +50424,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted + LastWrite @@ -47026,6 +50451,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyMimeSniffingURLaction_7 + LastWrite @@ -47052,6 +50478,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_LocalPathForUpload_7 + LastWrite @@ -47078,6 +50505,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 + LastWrite 
@@ -47104,6 +50532,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyJavaPermissions_7 + LastWrite @@ -47130,6 +50559,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLaunchAppsAndFilesInIFRAME_7 + LastWrite @@ -47156,6 +50586,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLogon_7 + LastWrite @@ -47182,6 +50613,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -47206,8 +50638,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -47232,8 +50665,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyRunActiveXControls_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyRunActiveXControls_7 + LastWrite 
@@ -47260,6 +50694,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicySignedFrameworkComponentsURLaction_7 + LastWrite @@ -47284,12 +50719,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXMarkedSafe_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptActiveXMarkedSafe_7 + LastWrite - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -47310,12 +50746,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptingOfJavaApplets_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptingOfJavaApplets_7 + LastWrite - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -47338,10 +50775,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_UnsafeFiles_7 + LastWrite - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -47364,10 +50802,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode 
@@ -47390,10 +50829,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_TurnOnProtectedMode_7 + LastWrite - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -47416,6 +50856,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBlockPopupWindows_7 + LastWrite @@ -47442,6 +50883,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload IESF_PolicyAllProcesses_12 + LastWrite @@ -47468,6 +50910,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions IESF_PolicyAllProcesses_8 + LastWrite @@ -47494,10 +50937,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider + LastWrite - SecurityZonesUseOnlyMachineSettings + SecurityZonesUseOnlyMachineSettings @@ -47520,6 +50964,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_HKLM_only + LastWrite @@ -47546,6 +50991,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer OnlyUseAXISForActiveXInstall + LastWrite 
@@ -47572,6 +51018,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 + LastWrite @@ -47598,6 +51045,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 + LastWrite @@ -47624,6 +51072,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 + LastWrite @@ -47650,6 +51099,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 + LastWrite @@ -47676,6 +51126,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 + LastWrite @@ -47702,6 +51153,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 + LastWrite @@ -47728,6 +51180,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 + LastWrite 
@@ -47754,6 +51207,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 + LastWrite @@ -47780,6 +51234,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 + LastWrite + + + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite @@ -47806,6 +51315,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite 
@@ -47832,6 +51396,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyJavaPermissions_5 + LastWrite @@ -47858,58 +51423,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 - - - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -47956,6 +51470,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ForestSearch + LastWrite @@ -47982,6 +51497,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos EnableCbacAndArmor + LastWrite @@ -48008,6 +51524,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ClientRequireFast + LastWrite @@ -48034,6 +51551,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ValidateKDC + LastWrite @@ -48060,6 +51578,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos MaxTokenSize + LastWrite 
@@ -48103,6 +51622,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -48126,6 +51646,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -48156,9 +51677,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 0 @@ -48175,6 +51696,7 @@ If you disable or do not configure this policy (recommended), users will be able text/plain phone + LastWrite 
@@ -48206,7 +51728,8 @@ Default: Disabled. text/plain - desktop + phone + LastWrite @@ -48233,7 +51756,8 @@ Note: If the Guest account is disabled and the security option Network Access: S text/plain - desktop + phone + LastWrite @@ -48272,6 +51796,7 @@ It is possible for applications that use remote interactive logons to bypass thi text/plain phone + LastWrite @@ -48285,7 +51810,7 @@ It is possible for applications that use remote interactive logons to bypass thi This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. - + Administrator @@ -48299,6 +51824,7 @@ Default: Administrator. text/plain phone + LastWrite @@ -48312,7 +51838,7 @@ Default: Administrator. This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. - + Guest 
@@ -48326,6 +51852,131 @@ Default: Guest. text/plain phone + LastWrite + + + + Devices_AllowedToFormatAndEjectRemovableMedia + + + + + Devices: Allowed to format and eject removable media + +This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: + +Administrators +Administrators and Interactive Users + +Default: This policy is not defined and only Administrators have this ability. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_AllowUndockWithoutHavingToLogon + + + + + Devices: Allow undock without having to log on +This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. +Default: Enabled. + +Caution +Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters + + + + + Devices: Prevent users from installing printer drivers when connecting to shared printers + +For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. 
If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. + +Default on servers: Enabled. +Default on workstations: Disabled + +Notes + +This setting does not affect the ability to add a local printer. +This setting does not affect Administrators. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly + + + + + Devices: Restrict CD-ROM access to locally logged-on user only + +This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. + +If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. + +Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48352,10 +52003,11 @@ Do not display user information (3) text/plain phone + LastWrite - Interactivelogon_DoNotDisplayLastSignedIn + InteractiveLogon_DoNotDisplayLastSignedIn @@ -48381,10 +52033,11 @@ Default: Disabled. text/plain phone + LastWrite - Interactivelogon_DoNotDisplayUsernameAtSignIn + InteractiveLogon_DoNotDisplayUsernameAtSignIn @@ -48396,7 +52049,7 @@ If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. - 0 + 1 @@ -48410,10 +52063,11 @@ Default: Disabled. text/plain phone + LastWrite - Interactivelogon_DoNotRequireCTRLALTDEL + InteractiveLogon_DoNotRequireCTRLALTDEL @@ -48442,6 +52096,7 @@ Default on stand-alone computers: Enabled. text/plain phone + LastWrite @@ -48468,6 +52123,8 @@ Default: not enforced. text/plain + phone + LastWrite @@ -48497,6 +52154,8 @@ Default: No message. text/plain phone + LastWrite + 0xF000 @@ -48524,6 +52183,7 @@ Default: No message. text/plain phone + LastWrite 
@@ -48553,6 +52213,7 @@ Default: Disabled. text/plain phone + LastWrite @@ -48582,6 +52243,7 @@ Default: Enabled. text/plain phone + LastWrite @@ -48611,6 +52273,7 @@ This policy is supported on at least Windows Server 2016. text/plain phone + LastWrite @@ -48636,6 +52299,7 @@ This policy will be turned off by default on domain joined machines. This would text/plain phone + LastWrite @@ -48663,6 +52327,40 @@ Default: This policy is not defined and automatic administrative logon is not al text/plain phone + LastWrite + + + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + + + + + Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48694,6 +52392,7 @@ Default: Disabled. text/plain phone + LastWrite 
@@ -48706,10 +52405,10 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - 1 +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + 0 @@ -48723,6 +52422,7 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U text/plain phone + LastWrite 
@@ -48737,18 +52437,18 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - 0 +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + 5 @@ -48762,6 +52462,7 @@ The options are: text/plain phone + LastWrite 
@@ -48775,12 +52476,12 @@ This policy setting controls the behavior of the elevation prompt for standard u The options are: -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - 0 +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + 3 
@@ -48794,6 +52495,39 @@ The options are: text/plain phone + LastWrite + + + + UserAccountControl_DetectApplicationInstallationsAndPromptForElevation + + + + + User Account Control: Detect application installations and prompt for elevation + +This policy setting controls the behavior of application installation detection for the computer. + +The options are: + +Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite 
@@ -48808,77 +52542,9 @@ This policy setting enforces public key infrastructure (PKI) signature checks fo The options are: -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. +• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - 1 - - - - - - - - - - - text/plain - - phone - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - 1 - - - - - - - - - - - text/plain - - phone - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. 
- -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. 0 
@@ -48893,6 +52559,77 @@ The options are: text/plain phone + LastWrite + + + + UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations + + + + + User Account Control: Only elevate UIAccess applications that are installed in secure locations + +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: + +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows + +Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +The options are: + +• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. + +• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + UserAccountControl_RunAllAdministratorsInAdminApprovalMode + + + + + User Account Control: Turn on Admin Approval Mode + +This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + +The options are: + +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. + +• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. 
Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48907,9 +52644,9 @@ This policy setting controls whether the elevation request prompt is displayed o The options are: -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. +• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. 1 @@ -48924,6 +52661,7 @@ The options are: text/plain phone + LastWrite @@ -48938,10 +52676,10 @@ This policy setting controls the behavior of Admin Approval Mode for the built-i The options are: -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. +• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - 1 +• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. + 0 @@ -48955,6 +52693,7 @@ The options are: text/plain phone + LastWrite 
@@ -48969,9 +52708,9 @@ This policy setting controls whether application write failures are redirected t The options are: -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. +• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. -• Disabled: Applications that write data to protected locations fail. +• Disabled: Applications that write data to protected locations fail. 1 @@ -48986,6 +52725,7 @@ The options are: text/plain phone + LastWrite @@ -49028,6 +52768,7 @@ The options are: text/plain + LastWrite @@ -49071,6 +52812,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -49113,6 +52855,7 @@ The options are: text/plain + LastWrite @@ -49135,6 +52878,7 @@ The options are: text/plain + LastWrite @@ -49178,6 +52922,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49201,6 +52946,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49224,6 +52970,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49266,6 +53013,7 @@ The options are: text/plain + LastWrite @@ -49288,6 +53036,7 @@ The options are: text/plain + LastWrite @@ -49310,6 +53059,7 @@ The options are: text/plain + LastWrite @@ -49332,6 +53082,7 @@ The options are: text/plain + LastWrite @@ -49354,6 +53105,7 @@ The options are: text/plain + LastWrite @@ -49376,6 +53128,7 @@ The options are: text/plain + LastWrite @@ -49398,6 +53151,7 @@ The options are: text/plain + LastWrite @@ -49420,6 +53174,7 @@ The options are: text/plain + LastWrite @@ -49466,6 +53221,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat AllowStandbyStatesAC_2 + LastWrite @@ -49492,6 +53248,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerVideoSettingsCat VideoPowerDownTimeOutDC_2 + LastWrite 
@@ -49518,6 +53275,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerVideoSettingsCat VideoPowerDownTimeOutAC_2 + LastWrite @@ -49544,6 +53302,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCHibernateTimeOut_2 + LastWrite @@ -49570,6 +53329,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACHibernateTimeOut_2 + LastWrite @@ -49596,6 +53356,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCPromptForPasswordOnResume_2 + LastWrite @@ -49622,6 +53383,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACPromptForPasswordOnResume_2 + LastWrite @@ -49648,6 +53410,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCStandbyTimeOut_2 + LastWrite @@ -49674,6 +53437,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACStandbyTimeOut_2 + LastWrite @@ -49720,6 +53484,7 @@ The options are: Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions_Win7 + LastWrite @@ -49746,6 +53511,7 @@ The options are: Printing2.admx Printing2~AT~Printers PublishPrinters + LastWrite @@ -49788,7 +53554,7 @@ The options are: text/plain - desktop + LowestValueMostSecure @@ -49812,6 +53578,7 @@ The options are: text/plain 10.0.10240 + LowestValueMostSecure @@ -49834,6 +53601,7 @@ The options are: text/plain + LowestValueMostSecureZeroHasNoLimits @@ -49856,6 +53624,7 @@ The options are: text/plain + HighestValueMostSecure @@ -49878,6 +53647,7 @@ The options are: text/plain + HighestValueMostSecure @@ -49900,6 +53670,8 @@ The options are: text/plain + LastWrite + ; @@ -49922,6 +53694,8 @@ The options are: text/plain + LastWrite + ; @@ -49944,6 +53718,8 @@ The options are: text/plain + LastWrite + ; @@ -49966,6 +53742,7 @@ The options are: text/plain + HighestValueMostSecure 
@@ -49988,6 +53765,8 @@ The options are: text/plain + LastWrite + ; @@ -50010,6 +53789,8 @@ The options are: text/plain + LastWrite + ; @@ -50032,6 +53813,8 @@ The options are: text/plain + LastWrite + ; @@ -50054,6 +53837,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50076,6 +53860,8 @@ The options are: text/plain + LastWrite + ; @@ -50098,6 +53884,8 @@ The options are: text/plain + LastWrite + ; @@ -50120,6 +53908,8 @@ The options are: text/plain + LastWrite + ; @@ -50142,6 +53932,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50164,6 +53955,8 @@ The options are: text/plain + LastWrite + ; @@ -50186,6 +53979,8 @@ The options are: text/plain + LastWrite + ; @@ -50208,94 +54003,8 @@ The options are: text/plain - - - - LetAppsAccessCellularData - - - - - This policy setting specifies whether Windows apps can access cellular data. - 0 - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data privacy setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - + LastWrite + ; 
@@ -50318,6 +54027,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50340,6 +54050,8 @@ The options are: text/plain + LastWrite + ; @@ -50362,6 +54074,8 @@ The options are: text/plain + LastWrite + ; @@ -50384,6 +54098,8 @@ The options are: text/plain + LastWrite + ; @@ -50406,6 +54122,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50428,6 +54145,8 @@ The options are: text/plain + LastWrite + ; @@ -50450,6 +54169,8 @@ The options are: text/plain + LastWrite + ; @@ -50472,6 +54193,8 @@ The options are: text/plain + LastWrite + ; @@ -50494,6 +54217,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50516,6 +54240,8 @@ The options are: text/plain + LastWrite + ; @@ -50538,6 +54264,8 @@ The options are: text/plain + LastWrite + ; @@ -50560,6 +54288,8 @@ The options are: text/plain + LastWrite + ; @@ -50582,6 +54312,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50604,6 +54335,8 @@ The options are: text/plain + LastWrite + ; @@ -50626,6 +54359,8 @@ The options are: text/plain + LastWrite + ; @@ -50648,6 +54383,8 @@ The options are: text/plain + LastWrite + ; @@ -50670,6 +54407,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50692,6 +54430,8 @@ The options are: text/plain + LastWrite + ; @@ -50714,6 +54454,8 @@ The options are: text/plain + LastWrite + ; @@ -50736,6 +54478,8 @@ The options are: text/plain + LastWrite + ; @@ -50758,6 +54502,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50780,6 +54525,8 @@ The options are: text/plain + LastWrite + ; @@ -50802,6 +54549,8 @@ The options are: text/plain + LastWrite + ; @@ -50824,6 +54573,8 @@ The options are: text/plain + LastWrite + ; @@ -50846,6 +54597,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50868,6 +54620,8 @@ The options are: text/plain + LastWrite + ; @@ -50890,6 +54644,8 @@ The options are: text/plain + LastWrite + ; @@ -50912,6 +54668,8 @@ The options are: text/plain + LastWrite + ; 
@@ -50934,6 +54692,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50956,6 +54715,8 @@ The options are: text/plain + LastWrite + ; @@ -50978,6 +54739,8 @@ The options are: text/plain + LastWrite + ; @@ -51000,6 +54763,8 @@ The options are: text/plain + LastWrite + ; @@ -51022,6 +54787,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51044,6 +54810,8 @@ The options are: text/plain + LastWrite + ; @@ -51066,6 +54834,8 @@ The options are: text/plain + LastWrite + ; @@ -51088,6 +54858,8 @@ The options are: text/plain + LastWrite + ; @@ -51110,6 +54882,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51132,6 +54905,8 @@ The options are: text/plain + LastWrite + ; @@ -51154,6 +54929,8 @@ The options are: text/plain + LastWrite + ; @@ -51176,6 +54953,8 @@ The options are: text/plain + LastWrite + ; @@ -51198,6 +54977,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51220,6 +55000,8 @@ The options are: text/plain + LastWrite + ; @@ -51242,6 +55024,8 @@ The options are: text/plain + LastWrite + ; @@ -51264,6 +55048,8 @@ The options are: text/plain + LastWrite + ; @@ -51286,6 +55072,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51308,6 +55095,8 @@ The options are: text/plain + LastWrite + ; @@ -51330,6 +55119,8 @@ The options are: text/plain + LastWrite + ; @@ -51352,6 +55143,8 @@ The options are: text/plain + LastWrite + ; @@ -51374,6 +55167,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51396,6 +55190,8 @@ The options are: text/plain + LastWrite + ; @@ -51418,6 +55214,8 @@ The options are: text/plain + LastWrite + ; @@ -51440,6 +55238,8 @@ The options are: text/plain + LastWrite + ; @@ -51448,7 +55248,7 @@ The options are: - This policy setting specifies whether Windows apps can sync with devices. + This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. 0 @@ -51462,6 +55262,7 @@ The options are: text/plain + HighestValueMostSecure 
@@ -51470,7 +55271,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51484,6 +55285,8 @@ The options are: text/plain + LastWrite + ; @@ -51492,7 +55295,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51506,6 +55309,8 @@ The options are: text/plain + LastWrite + ; @@ -51514,7 +55319,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51528,6 +55333,8 @@ The options are: text/plain + LastWrite + ; @@ -51550,6 +55357,7 @@ The options are: text/plain + HighestValueMostSecure 
@@ -51596,6 +55404,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Options + LastWrite @@ -51622,6 +55431,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Logging + LastWrite @@ -51648,6 +55458,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Solicit + LastWrite @@ -51674,6 +55485,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Unsolicit + LastWrite @@ -51720,6 +55532,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS TS_DISABLE_CONNECTIONS + LastWrite @@ -51746,6 +55559,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_ENCRYPTION_POLICY + LastWrite @@ -51772,6 +55586,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION TS_CLIENT_DRIVE_M + LastWrite @@ -51798,6 +55613,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT TS_CLIENT_DISABLE_PASSWORD_SAVING_2 + LastWrite @@ -51824,6 +55640,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_PASSWORD + LastWrite @@ -51850,6 +55667,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_RPC_ENCRYPTION + LastWrite @@ -51896,6 +55714,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient AllowBasic_2 + LastWrite @@ -51922,6 +55741,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowBasic_1 + LastWrite 
@@ -51946,8 +55766,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_1 + WindowsRemoteManagement~AT~WindowsComponents~WinRMClient + AllowCredSSP_2 + LastWrite @@ -51973,7 +55794,8 @@ The options are: phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_2 + AllowCredSSP_1 + LastWrite @@ -52000,6 +55822,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowAutoConfig + LastWrite @@ -52026,6 +55849,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient AllowUnencrypted_2 + LastWrite @@ -52052,6 +55876,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowUnencrypted_1 + LastWrite @@ -52078,6 +55903,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient DisallowDigest + LastWrite @@ -52102,8 +55928,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisallowNegotiate_1 + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient + DisallowNegotiate_2 + LastWrite @@ -52128,8 +55955,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowNegotiate_2 + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + DisallowNegotiate_1 + LastWrite @@ -52156,6 +55984,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService DisableRunAs + LastWrite @@ -52182,6 +56011,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService CBTHardeningLevel_1 + LastWrite 
@@ -52208,6 +56038,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient TrustedHosts + LastWrite @@ -52234,6 +56065,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService HttpCompatibilityListener + LastWrite @@ -52260,6 +56092,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService HttpsCompatibilityListener + LastWrite @@ -52306,6 +56139,7 @@ The options are: rpc.admx RPC~AT~System~Rpc RpcRestrictRemoteClients + LastWrite @@ -52332,6 +56166,7 @@ The options are: rpc.admx RPC~AT~System~Rpc RpcEnableAuthEpResolution + LastWrite @@ -52378,6 +56213,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS AllowRemoteShellAccess + LastWrite @@ -52404,6 +56240,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxConcurrentUsers + LastWrite @@ -52430,6 +56267,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS IdleTimeout + LastWrite @@ -52456,6 +56294,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxMemoryPerShellMB + LastWrite @@ -52482,6 +56321,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxProcessesPerShell + LastWrite @@ -52508,6 +56348,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxShellsPerUser + LastWrite @@ -52534,6 +56375,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS ShellTimeOut + LastWrite @@ -52556,6 +56398,29 @@ The options are: + + AllowCloudSearch + + + + + + 2 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + AllowIndexingEncryptedStoresOrItems @@ -52576,6 +56441,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -52598,6 +56464,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52620,6 +56487,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52642,6 +56510,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52664,6 +56533,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52686,6 +56556,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52708,6 +56579,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52730,6 +56602,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52752,6 +56625,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52774,6 +56648,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52797,6 +56672,7 @@ The options are: text/plain desktop + HighestValueMostSecure @@ -52839,6 +56715,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52862,6 +56739,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -52884,6 +56762,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52907,6 +56786,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -52930,6 +56810,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -52952,6 +56833,7 @@ The options are: text/plain + LastWrite @@ -52974,6 +56856,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52996,6 +56879,7 @@ The options are: text/plain + HighestValueMostSecure @@ -53018,6 +56902,7 @@ The options are: text/plain + HighestValueMostSecure @@ -53061,6 +56946,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53083,6 +56969,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53105,6 +56992,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53127,6 +57015,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53150,6 +57039,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53173,6 +57063,7 @@ The options are: text/plain phone + LowestValueMostSecure 
@@ -53196,6 +57087,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53219,6 +57111,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53241,6 +57134,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53264,6 +57158,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53286,6 +57181,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53308,6 +57204,7 @@ The options are: text/plain + LastWrite @@ -53351,6 +57248,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53374,6 +57272,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53397,6 +57296,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53439,6 +57339,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53482,6 +57383,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53505,6 +57407,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53528,6 +57431,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53551,6 +57455,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53574,6 +57479,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53597,6 +57503,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53620,6 +57527,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53643,6 +57551,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53666,6 +57575,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53689,6 +57599,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53712,6 +57623,7 @@ The options are: text/plain phone + LastWrite @@ -53735,6 +57647,7 @@ The options are: text/plain phone + LastWrite @@ -53757,6 +57670,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53780,6 +57694,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53802,6 +57717,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -53824,6 +57740,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53847,6 +57764,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53869,6 +57787,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53892,6 +57811,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53915,6 +57835,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53937,6 +57858,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53959,6 +57881,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53981,6 +57904,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54003,6 +57927,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54025,6 +57950,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54047,6 +57973,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54070,6 +57997,7 @@ The options are: text/plain phone + LastWrite @@ -54093,6 +58021,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54116,6 +58045,7 @@ The options are: text/plain phone + LastWrite @@ -54138,6 +58068,30 @@ The options are: + + AllowDiskHealthModelUpdates + + + + + + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + EnhancedStorageDevices @@ -54162,6 +58116,7 @@ The options are: enhancedstorage.admx EnhancedStorage~AT~System~EnStorDeviceAccess TCGSecurityActivationDisabled + LastWrite @@ -54204,6 +58159,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54226,6 +58182,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54248,6 +58205,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54270,6 +58228,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54292,6 +58251,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54314,6 +58274,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54336,6 +58297,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -54358,6 +58320,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54384,6 +58347,7 @@ The options are: earlylauncham.admx EarlyLaunchAM~AT~System~ELAMCategory POL_DriverLoadPolicy_Name + LastWrite @@ -54392,7 +58356,7 @@ The options are: - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. 0 @@ -54406,6 +58370,7 @@ The options are: text/plain + HighestValueMostSecure @@ -54432,6 +58397,30 @@ The options are: systemrestore.admx SystemRestore~AT~System~SR SR_DisableSR + LastWrite + + + + FeedbackHubAlwaysSaveDiagnosticsLocally + + + + + Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. + 0 + + + + + + + + + + + text/plain + + LastWrite @@ -54454,6 +58443,7 @@ The options are: text/plain + LastWrite 
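Review bot: In the OneDrive hunk (`@@ -54392,7 +58356,7 @@`) the removed and added description lines are textually identical as rendered, so the change is whitespace- or encoding-only; either state that in the commit message or drop the hunk, because a reviewer cannot tell what was corrected and the noise hides real changes in the surrounding `text/plain` / merge-behaviour additions.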
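Review bot: In the new `FeedbackHubAlwaysSaveDiagnosticsLocally` hunk (`@@ -54432,6 +58397,30 @@`) the description says "when a feedback is filed" (should be "when feedback is filed") and refers to the policy being "set to false" while the node's value shown is numeric (`0`); say "set to 0" so the wording matches the value the DDF actually carries, as the other policy descriptions in this file do.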
@@ -54497,6 +58487,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54520,6 +58511,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54543,6 +58535,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54566,6 +58559,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54589,6 +58583,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54612,6 +58607,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54635,6 +58631,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54657,6 +58654,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54680,6 +58678,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54702,6 +58701,7 @@ The options are: text/plain + HighestValueMostSecure @@ -54725,6 +58725,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54748,6 +58749,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54791,6 +58793,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -54833,6 +58836,7 @@ The options are: text/plain + LastWrite @@ -54855,6 +58859,7 @@ The options are: text/plain + LastWrite @@ -54877,6 +58882,7 @@ The options are: text/plain + LastWrite @@ -54899,6 +58905,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54921,6 +58928,7 @@ The options are: text/plain + LastWrite @@ -54944,6 +58952,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54966,6 +58975,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54988,6 +58998,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55010,6 +59021,7 @@ The options are: text/plain + LastWrite @@ -55032,6 +59044,7 @@ The options are: text/plain + LastWrite @@ -55054,6 +59067,7 @@ The options are: text/plain + LastWrite @@ -55076,6 +59090,7 @@ The options are: text/plain + LastWrite @@ -55098,6 +59113,7 @@ The options are: text/plain + LastWrite 
@@ -55120,6 +59136,7 @@ The options are: text/plain + LastWrite @@ -55142,6 +59159,7 @@ The options are: text/plain + LastWrite @@ -55164,6 +59182,7 @@ The options are: text/plain + LastWrite @@ -55186,6 +59205,30 @@ The options are: text/plain + LastWrite + + + + DisableDualScan + + + + + Do not allow update deferral policies to cause scans against Windows Update + 0 + + + + + + + + + + + text/plain + + LastWrite @@ -55208,6 +59251,7 @@ The options are: text/plain + LastWrite @@ -55230,6 +59274,7 @@ The options are: text/plain + LastWrite @@ -55252,6 +59297,7 @@ The options are: text/plain + LastWrite @@ -55274,6 +59320,7 @@ The options are: text/plain + LastWrite @@ -55296,6 +59343,7 @@ The options are: text/plain + LastWrite @@ -55318,6 +59366,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55340,10 +59389,11 @@ The options are: text/plain + LowestValueMostSecure - ManageBuildPreview + ManagePreviewBuilds @@ -55362,6 +59412,7 @@ The options are: text/plain + LastWrite @@ -55384,6 +59435,7 @@ The options are: text/plain + LastWrite @@ -55406,6 +59458,7 @@ The options are: text/plain + LastWrite @@ -55428,6 +59481,7 @@ The options are: text/plain + LastWrite @@ -55450,6 +59504,7 @@ The options are: text/plain + LastWrite @@ -55472,6 +59527,7 @@ The options are: text/plain + LastWrite @@ -55494,6 +59550,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55516,6 +59573,7 @@ The options are: text/plain + LastWrite @@ -55538,6 +59596,7 @@ The options are: text/plain + HighestValueMostSecure @@ -55560,6 +59619,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55582,6 +59642,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55604,6 +59665,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55626,6 +59688,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55648,6 +59711,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55670,6 +59734,7 @@ The options are: text/plain + LowestValueMostSecure 
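Review bot: The `ManageBuildPreview` to `ManagePreviewBuilds` rename (`@@ -55340,10 +59389,11 @@`) is a node-name correction, so any other occurrence of the old name in this DDF and in the Policy CSP reference it mirrors needs the same change in this commit, otherwise the two documents disagree on the node path. The same hunk should also be called out in the commit message, since it is the one non-mechanical edit in a file of merge-behaviour additions.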
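Review bot: The new `DisableDualScan` description (`@@ -55186,6 +59205,30 @@`), "Do not allow update deferral policies to cause scans against Windows Update", is a fragment with no terminating period, unlike the other descriptions in this file; it also does not say which value disables dual scan, so add the value-to-behaviour mapping (the node's default shown is `0`) as the other new entries in this change do.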
@@ -55692,6 +59757,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55714,6 +59780,7 @@ The options are: text/plain + LastWrite @@ -55736,6 +59803,7 @@ The options are: text/plain + LastWrite @@ -55758,6 +59826,7 @@ The options are: text/plain + LastWrite @@ -55780,6 +59849,7 @@ The options are: text/plain + LastWrite @@ -55802,6 +59872,7 @@ The options are: text/plain + LastWrite @@ -55825,6 +59896,7 @@ The options are: text/plain phone + LastWrite @@ -55867,6 +59939,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55889,6 +59962,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55911,6 +59985,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55933,6 +60008,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55955,6 +60031,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55977,6 +60054,7 @@ The options are: text/plain + HighestValueMostSecureZeroHasNoLimits @@ -56020,6 +60098,7 @@ The options are: text/plain phone + LastWrite @@ -56043,6 +60122,7 @@ The options are: text/plain phone + LastWrite @@ -56066,6 +60146,7 @@ The options are: text/plain phone + LastWrite @@ -56089,6 +60170,7 @@ The options are: text/plain phone + LastWrite @@ -56112,6 +60194,7 @@ The options are: text/plain phone + LastWrite @@ -56135,6 +60218,7 @@ The options are: text/plain phone + LastWrite @@ -56158,6 +60242,7 @@ The options are: text/plain phone + LastWrite @@ -56181,6 +60266,7 @@ The options are: text/plain phone + LastWrite @@ -56204,6 +60290,7 @@ The options are: text/plain phone + LastWrite @@ -56227,6 +60314,7 @@ The options are: text/plain phone + LastWrite @@ -56250,6 +60338,7 @@ The options are: text/plain phone + LastWrite @@ -56273,6 +60362,7 @@ The options are: text/plain phone + LastWrite @@ -56296,6 +60386,7 @@ The options are: text/plain phone + LastWrite @@ -56319,6 +60410,7 @@ The options are: text/plain phone + LastWrite @@ -56362,6 +60454,7 @@ The options are: text/plain phone + LowestValueMostSecure 
@@ -56385,6 +60478,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -56431,6 +60525,7 @@ The options are: logon.admx Logon~AT~System~Logon DisableLockScreenAppNotifications + LastWrite @@ -56457,6 +60552,7 @@ The options are: logon.admx Logon~AT~System~Logon DontDisplayNetworkSelectionUI + LastWrite @@ -56479,6 +60575,7 @@ The options are: text/plain + HighestValueMostSecure @@ -56521,6 +60618,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56543,6 +60641,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56567,6 +60666,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56591,6 +60691,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56616,6 +60717,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -56640,6 +60742,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56662,6 +60765,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56686,6 +60790,7 @@ The options are: text/plain + LowestValueMostSecure diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index f4a06d5d6a..8ccede5240 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md 
@@ -58,9 +58,65 @@ ### [Provision PCs with common settings for initial deployment (desktop wizard)](provisioning-packages/provision-pcs-for-initial-deployment.md) ### [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md) ### [Use a script to install a desktop app in provisioning packages](provisioning-packages/provisioning-script-to-install-app.md) +### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md) ### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) -### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) +### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) +#### [Accounts](wcd/wcd-accounts.md) +#### [ADMXIngestion](wcd/wcd-admxingestion.md) +#### [ApplicationManagement](wcd/wcd-applicationmanagement.md) +#### [AssignedAccess](wcd/wcd-assignedaccess.md) +#### [AutomaticTime](wcd/wcd-automatictime.md) +#### [Browser](wcd/wcd-browser.md) +#### [CallAndMessagingEnhancement](wcd/wcd-callandmessagingenhancement.md) +#### [Cellular](wcd/wcd-cellular.md) +#### [Certificates](wcd/wcd-certificates.md) +#### [CleanPC](wcd/wcd-cleanpc.md) +#### [Connections](wcd/wcd-connections.md) +#### [ConnectivityProfiles](wcd/wcd-connectivityprofiles.md) +#### [CountryAndRegion](wcd/wcd-countryandregion.md) +#### [DesktopBackgroundAndColors](wcd/wcd-desktopbackgroundandcolors.md) +#### [DeveloperSetup](wcd/wcd-developersetup.md) +#### [DeviceFormFactor](wcd/wcd-deviceformfactor.md) +#### [DeviceManagement](wcd/wcd-devicemanagement.md) +#### [DMClient](wcd/wcd-dmclient.md) +#### [EditionUpgrade](wcd/wcd-editionupgrade.md) +#### [EmbeddedLockdownProfiles](wcd/wcd-embeddedlockdownprofiles.md) +#### 
[FirewallConfiguration](wcd/wcd-firewallconfiguration.md) +#### [FirstExperience](wcd/wcd-firstexperience.md) +#### [Folders](wcd/wcd-folders.md) +#### [InitialSetup](wcd/wcd-initialsetup.md) +#### [InternetExplorer](wcd/wcd-internetexplorer.md) +#### [Licensing](wcd/wcd-licensing.md) +#### [Maps](wcd/wcd-maps.md) +#### [Messaging](wcd/wcd-messaging.md) +#### [ModemConfigurations](wcd/wcd-modemconfigurations.md) +#### [Multivariant](wcd/wcd-multivariant.md) +#### [NetworkProxy](wcd/wcd-networkproxy.md) +#### [NetworkQOSPolicy](wcd/wcd-networkqospolicy.md) +#### [NFC](wcd/wcd-nfc.md) +#### [OOBE](wcd/wcd-oobe.md) +#### [OtherAssets](wcd/wcd-otherassets.md) +#### [Personalization](wcd/wcd-personalization.md) +#### [Policies](wcd/wcd-policies.md) +#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md) +#### [SharedPC](wcd/wcd-sharedpc.md) +#### [Shell](wcd/wcd-shell.md) +#### [SMISettings](wcd/wcd-smisettings.md) +#### [Start](wcd/wcd-start.md) +#### [StartupApp](wcd/wcd-startupapp.md) +#### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md) +#### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md) +#### [TabletMode](wcd/wcd-tabletmode.md) +#### [TakeATest](wcd/wcd-takeatest.md) +#### [Theme](wcd/wcd-theme.md) +#### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md) +#### [UniversalAppInstall](wcd/wcd-universalappinstall.md) +#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md) +#### [WeakCharger](wcd/wcd-weakcharger.md) +#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md) +#### [WLAN](wcd/wcd-wlan.md) +#### [Workplace](wcd/wcd-workplace.md) ## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) ## [User Experience Virtualization (UE-V) for Windows](ue-v/uev-for-windows.md) ### [Get Started with UE-V](ue-v/uev-getting-started.md) 
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 9d2b98bf69..76c39cc45d 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -14,6 +14,12 @@ author: jdeckerms This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## August 2017 + +New or changed topic | Description +--- | --- + [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN. + ## July 2017 | New or changed topic | Description | | --- | --- | @@ -38,6 +44,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | New | | [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings | + ## April 2017 | New or changed topic | Description | @@ -45,6 +52,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) | [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Added instructions for using WMI bridge to configure shared PC | + ## RELEASE: Windows 10, version 1703 The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: 
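Review bot: The new "August 2017" table in change-history-for-configure-windows-10.md uses the unpiped `New or changed topic | Description` / `--- | ---` style while the July and April tables directly below use the piped `| ... |` style; use the piped form so the section renders consistently. The same hunk also adds stray blank lines at the end of the July and April sections, which appear to be unintended.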
diff --git a/windows/configuration/images/admx-category.PNG b/windows/configuration/images/admx-category.PNG new file mode 100644 index 0000000000..465dd53fe3 Binary files /dev/null and b/windows/configuration/images/admx-category.PNG differ diff --git a/windows/configuration/images/admx-policy.PNG b/windows/configuration/images/admx-policy.PNG new file mode 100644 index 0000000000..c3c7b9a088 Binary files /dev/null and b/windows/configuration/images/admx-policy.PNG differ diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2f2bd2b989..e5ebed0c80 100644 --- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -457,7 +457,7 @@ To turn off Live Tiles: - Create a REG\_DWORD registry setting called **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). -You must also unpin all tiles that are pinned to Start. +In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. ### 10. Mail synchronization @@ -1261,7 +1261,7 @@ To turn off **Let apps read or send messages (text or MMS)**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two). +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two). To turn off **Choose apps that can read or send messages**: 
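Review bot: The registry path correction in manage-connections (`HKEY_LOCAL_MACHINE\\Policies\\...` to `HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging`) is right, since the policy keys live under `Software\Policies`; please check the neighbouring `LetAppsAccess*` entries in the same file for the same missing `Software` segment, as this hunk fixes only the messaging one. The Live Tiles change scoping the "unpin all tiles" step to Windows 10 Mobile reads fine.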
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index c12120567c..baa60ac6fd 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -18,6 +18,9 @@ ms.localizationpriority: high Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). +>[!NOTE] +>Applying a provisioning package to a desktop device requires administrator privileges on the device. + ## Desktop editions ### During initial setup, from a USB drive diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md new file mode 100644 index 0000000000..d3dd731cdf --- /dev/null +++ b/windows/configuration/wcd/wcd-accounts.md 
@@ -0,0 +1,58 @@ +--- +title: Accounts (Windows 10) +description: This section describes the account settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Accounts (Windows Configuration Designer reference) + +Use these settings to join a device to an Active Directory domain or an Azure Active Directory tenant, or to add local user accounts to the device. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Azure](#azure) | X | X | X | | | +| [ComputerAccount](#computeraccount) | X | | X | | X | +| [Users](#users) | X | | X | X | | + + +## Azure + +The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure additional provisioning settings. For information about using the wizards, see: + +- [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) +- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) +- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + +## ComputerAccount + +Specifies the settings you can configure when joining a device to a domain, including the computer name and the account to use for joining the computer to the domain. 
+ +>[!NOTE] +>If you want to create a provisioning package that joins a device to Active Directory AND sets `HideOobe`, and you want to apply that package during OOBE, we also recommend setting the `ComputerName` and creating a local admin account in the provisioning package. + +| Setting | Value | Description | +| --- | --- | --- | +| Account | string | Account to use to join computer to domain | +| AccountOU | string | Name of organizational unit for the computer account | +| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIALNUMBER% characters in the name.

    ComputerName is a string with a maximum length of 15 bytes of content:

    - ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

    - ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

    - ComputerName cannot use some non-standard characters, such as emoji.

    Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | +| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | +| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | + +## Users + +Use these settings to add local user accounts to the device. + +| Setting | Value | Description | +| --- | --- | --- | +| UserName | string (cannot be empty) | Specify a name for the local user account | +| HomeDir | string (cannot be ampty) | Specify the path of the home directory for the user | +| Password | string (cannot be empty) | Specify the password for the user account | +| UserGroup | string (cannot be empty) | Specify the local user group for the user | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md new file mode 100644 index 0000000000..daa6ca5eb8 --- /dev/null +++ b/windows/configuration/wcd/wcd-admxingestion.md 
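Review bot: In wcd-accounts.md the `ComputerName` row of the ComputerAccount table spans many lines with nested bullets, which a Markdown table cannot hold, so everything after the first line breaks out of the table; move the naming rules to a paragraph or list below the table (or join them with `<br>`), and put `string` in the Value column and the rules in the Description column to match the other rows. Also fix "cannot be ampty" in the Users `HomeDir` row, and since both `Password` settings embed credentials in the package, the topic should say that the domain-join account should have only the rights needed to join computers and point to the package encryption and signing options, so readers do not ship plaintext secrets.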
@@ -0,0 +1,97 @@ +--- +title: ADMXIngestion (Windows 10) +description: This section describes the ADMXIngestion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ADMXIngestion (Windows Configuration Designer reference) + +Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](https://docs.microsoft.com/windows/client-management/mdm/win32-and-centennial-app-policy-configuration). + +- The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file. +- The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported. + + +>[!IMPORTANT] +>Only per-device policies can be set using a provisioning package. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | X | | | | | +| [ConfigOperations](#configoperations) | X | | | | | + +## ConfigADMXInstalledPolicy + +>[!IMPORTANT] +>Configure the settings to import the ADMX file in [ConfigOperations](#configoperations) first. + +In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for that policy from the imported ADMX. You will need information from the ADMX that you import in **ConfigOperations** to complete **ConfigADMXInstalledPolicy**. + +1. Enter an area name, and then click **Add**. 
The structure of the area name is the following: + + `AppName (from ConfigOperations)`~`SettingType`~`category name from ADMX` + + See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example. + + Example: `Office16~Policy~L_MicrosoftOfficemachine~L_Updates` + +2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. For example, `L_HideEnableDisableUpdates`. +3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. For example, ``. + +## ConfigOperations + +Use **ConfigOperations** to import an ADXM file or policies from an ADMX file. + +1. Enter an app name, and then click **Add**. + + This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Office 16, enter an app name of **Office 16**. + +2. Select the app name in the Customizations pane, select a setting type, and then click **Add**. + + The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add. + +3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**. + + The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future. + +4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions. + + >[!NOTE] + >When you have a large ADMX file, you may want to only include specific settings. 
Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line). + +5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one. + + + +## Convert multi-line to single line + +Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**. + +```PS +$path="file path" +Get-Content $path -Raw).Replace("'r'n","") | Set-Content $path -Force +``` + +## Category and policy in ADMX + +The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names. + +![Snippet of ADMX shows category names highlighted](../images/admx-category.png) + +The next image highlights the specific policy. + +![Snipped of ADMX shows policy setting highlighted](../images/admx-policy.png) + + +## Related topics + +- [Policy configuration service provider (CSP): ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed) +- [Understanding ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/understanding-admx-backed-policies) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md new file mode 100644 index 0000000000..f032ce168c --- /dev/null +++ b/windows/configuration/wcd/wcd-applicationmanagement.md 
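Review bot: The PowerShell snippet under "Convert multi-line to single line" does not run as written: it is missing the opening parenthesis before `Get-Content` and uses `"'r'n"` where PowerShell escape sequences need backticks (`` "`r`n" ``), so it neither parses nor strips the newlines; it should read `(Get-Content $path -Raw).Replace("`r`n","") | Set-Content $path -Force`, and the fence tag `PS` should be `powershell`. In the same file: "import an ADXM file" should be "ADMX file"; the example value in step 3 of ConfigADMXInstalledPolicy is an empty code span, so the reader cannot see what a value looks like; "Snipped of ADMX" should be "Snippet"; and the images are referenced as `../images/admx-category.png` and `admx-policy.png` while the files added in this commit are `admx-category.PNG` and `admx-policy.PNG`, which will 404 on a case-sensitive host.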
@@ -0,0 +1,69 @@ +--- +title: ApplicationManagement (Windows 10) +description: This section describes the ApplicationManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ApplicationManagement (Windows Configuration Designer reference) + +Use these settings to manage app installation and management. + +## Applies to + +| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAllTrustedApps](#allowalltrustedapps) | | | | | X | +| [AllowAppStoreAutoUpdate](#allowappstoreautoupdate) | | | | | X | +| [RestrictAppDataToSystemVolume](#restrictappdatatosystemvolume) | | | | | X | +| [RestrictAppToSystemVolume](#restrictapptosystemvolume) | | | | | X | + +## AllowAllTrustedApps + +Specifies whether non-Microsoft Store apps are allowed. + +| Value | Description | +| --- | --- | +| No | Only Microsoft Store apps are allowed | +| Yes | Non-Microsoft Store apps are allowed | + +## AllowAppStoreAutoUpdate + +Specifies whether automatic update of apps from Microsoft Store are allowed + +| Value | Description | +| --- | --- | +| Disallowed | Automatic update of apps is not allowed | +| Allowed | Automatic update of apps is allowed | + + +## RestrictAppDataToSystemVolume + +Specifies whether application data is restricted to the system drive. + +| Value | Description | +| --- | --- | +| 0 | Not restricted | +| 1 | Restricted | + + +## RestrictAppToSystemVolume + +Specifies whether the installation of applications is restricted to the system drive. 
+ +| Value | Description | +| --- | --- | +| 0 | Not restricted | +| 1 | Restricted | + +## Related topics + +- [Policy configuration service provider (CSP): ApplicationManagement/AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) +- [Policy CSP: ApplicationManagement/AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) +- [Policy CSP: ApplicationManagement/RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) +- [Policy CSP: ApplicationManagement/RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md new file mode 100644 index 0000000000..ad5d7551fb --- /dev/null +++ b/windows/configuration/wcd/wcd-assignedaccess.md 
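Review bot: In wcd-applicationmanagement.md the `AllowAppStoreAutoUpdate` sentence "Specifies whether automatic update of apps from Microsoft Store are allowed" needs "is allowed" and a period. More importantly, `AllowAllTrustedApps` = Yes permits installing apps from outside the Store (sideloading), which is the security-relevant consequence for an IoT Core image; say that explicitly in the description rather than only "Non-Microsoft Store apps are allowed". The value columns also mix `No`/`Yes`, `Disallowed`/`Allowed` and `0`/`1` across four settings; if those are the literal values the designer shows, fine, otherwise align them.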
@@ -0,0 +1,35 @@ +--- +title: AssignedAccess (Windows 10) +description: This section describes the AssignedAccess setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# AssignedAccess (Windows Configuration Designer reference) + +Use this setting to configure single use (kiosk) devices. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | | + + +## AssignedAccessSettings + +Enter the account and the application you want to use for Assigned access, using [the AUMID](https://msdn.microsoft.com/windows/hardware/commercialize/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). When that user account signs in on the device, only the specified app will run. + +**Example**: + +``` +"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" +``` +## Related topics + +- [AssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/assignedaccess-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md new file mode 100644 index 0000000000..abb8bbd179 --- /dev/null +++ b/windows/configuration/wcd/wcd-automatictime.md 
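Review bot: In wcd-assignedaccess.md the closing code fence is immediately followed by `## Related topics` with no blank line, which some Markdown renderers fold into the code block; add the blank line. The example `"Account":"domain\user"` could also state that the account must exist (or be created in the same package) before the setting takes effect, since the surrounding text only says what happens once that user signs in.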
@@ -0,0 +1,45 @@ +--- +title: AutomaticTime (Windows 10) +description: This section describes the AutomaticTime settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# AutomaticTime (Windows Configuration Designer reference) + +Use these settings to configure automatic time updates. + +## Applies to + +| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [NTPRegularSyncInterval](#ntpregularsyncinterval) | | X | | | | +| [NTPRetryInterval](#ntpretryinterval) | | X | | | | +| [NTPServer](#ntpserver) | | X | | | | + + +## NTPRegularSyncInterval + +Set the regular sync interval for phones that are set to use Network Time Protocol (NTP) time servers. Select a value between `1` and `168` hours, inclusive, The default sync interval is `12` hours. + + +## NTPRetryInterval + +Set the retry interval if the regular sync fails. Select a value between `1` and `24` hours, inclusive. + +## NTPServer + +Change the default NTP server for phones that are set to use NTP. To enumerate the NTP source server(s) used by the NTP client, set the value for NTPServer to a list of server names, delimited by semi-colons. + +**Example**: + +``` +ntpserver1.contoso.com;ntpserver2.fabrikam.com;ntpserver3.contoso.com +``` + +The list should contain one or more server names. The default NTP source server value is `time.windows.com`. diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md new file mode 100644 index 0000000000..787b6fa65b --- /dev/null +++ b/windows/configuration/wcd/wcd-browser.md 
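Review bot: In wcd-automatictime.md the NTPRegularSyncInterval sentence has a comma where a period belongs: "between `1` and `168` hours, inclusive, The default sync interval is `12` hours." The NTPServer paragraph should also say whether the default `time.windows.com` is replaced or extended when a list is supplied, since "To enumerate the NTP source server(s)" leaves that open.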
@@ -0,0 +1,86 @@ +--- +title: Browser (Windows 10) +description: This section describes the Browser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Browser (Windows Configuration Designer reference) + +Use to configure browser settings that should only be set by OEMs who are part of the Partner Search Code program. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Favorites](#favorites) | | X | | | | +| [PartnerSearchCode](#partnersearchcode) | X | X | X | X | | +| [SearchProviders](#searchproviders) | | X | | | | + +## Favorites + +Use to configure the default list of Favorites that show up in the browser. + +To add a new item under the browser's **Favorites** list: + +1. In the **Name** field, enter a friendly name for the item, and then click **Add**. + +2. In the **Available customizations** pane, select the friendly name that you just created, and in the text field, enter the URL for the item. + +For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and "http://www.contoso.com" for the URL. + + +## PartnerSearchCode + +>[!IMPORTANT] +>This setting should only be set by OEMs who are part of the Partner Search Code program. + +Set the value to a character string that corresponds to the OEM's Partner Search Code. This identification code must match the one assigned to you by Microsoft. + +OEMs who are part of the program only have one PartnerSearchCode and this should be used for all Windows 10 for desktop editions images. 
+ + + + +## SearchProviders + +Contains the settings you can use to configure the default and additional search providers. + +Microsoft Bing is the default search provider for Windows 10 Mobile. The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default). + + +### Default + +Use *Default* to specify a name that matches one of the search providers you enter in [SearchProviderList](#searchproviderlist). If you don't specify a default search provider, this will default to Microsoft Bing. + +#### Specific region guidance + +Some countries require specific, default search providers. The following table lists the applicable countries and information for configuring the necessary search provider. + +>[!NOTE] +>For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Turkey. + + + +### SearchProviderList + +Use to specify a list of additional search providers. + +1. In the **Name** field, enter a name for the item, and then click **Add**. + +2. In the **Available customizations** pane, select the name that you just created, and in the text field, enter the URL for the additional search provider. + +For example, to specify Yandex in Russia and Commonwealth of Independent States (CIS), set the value of URL to "https://yandex.ru/search/touch/?text={searchTerm}&clid=2234144". + +When configured with multiple search providers, the browser can display up to ten search providers. + +>[!IMPORTANT] +>Microsoft Bing is the default search provider for Windows 10 Mobile. 
The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default). + + + diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md new file mode 100644 index 0000000000..bb07ccc02c --- /dev/null +++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md 
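Review bot: The "Specific region guidance" section promises "The following table lists the applicable countries and information for configuring the necessary search provider", but no table follows, only the NOTE about Russia + CIS; the table is missing from this hunk. The page intro "Use to configure browser settings that should only be set by OEMs who are part of the Partner Search Code program" applies the restriction to the whole page, while only the PartnerSearchCode section (with its own IMPORTANT callout) is actually OEM-restricted; scope that sentence to PartnerSearchCode. The Bing-default paragraph appears twice verbatim (in the SearchProviders intro and again as the closing IMPORTANT note); keep one. Minor: "to include the corporate Web site to the list" should be "in the list", and the Favorites example seeds devices with "http://www.contoso.com", where an https URL would be the better default to show.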
@@ -0,0 +1,36 @@ +--- +title: CallAndMessageEnhancement (Windows 10) +description: This section describes the CallAndMessagingEnhancement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# CallAndMessagingEnhancement (Windows Configuration Designer reference) + +Use to configure call origin and blocking apps. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [BlockingApp](#blockingapp) | | X | | | | +| [CallOriginApp](#calloriginapp) | | X | | | | + +## BlockingApp + +| Setting | Value | Description | +| --- | --- | --- | +| ActiveBlockingAppUserModelId | AUMID | The AUMID of the application that will be set as the active blocking app by default. | +| DefaultBlockingAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active blocking app if the user uninstalls the current active blocking app. This app should be uninstallable. | + +## CallOriginApp + +| Setting | Value | Description | +| --- | --- | --- | +| ActiveCallOriginAppUserModelId | AUMID | The AUMID of the application to be set as the active call origin provider app by default. | +| DefaultCallOriginAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active call origin provider app if the user uninstalls the current active call origin app. This app should be uninstallable. | diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md new file mode 100644 index 0000000000..64258bbe02 --- /dev/null +++ b/windows/configuration/wcd/wcd-cellular.md 
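Review bot: The front-matter title says "CallAndMessageEnhancement" while the description, the H1 and the filename say "CallAndMessagingEnhancement"; align the title. In both tables, DefaultBlockingAppUserModelId and DefaultCallOriginAppUserModelId are described as the app "the OS will select ... if the user uninstalls the current active" app, and then "This app should be uninstallable." A fallback that itself can be uninstalled defeats the purpose, so this most likely should read "should not be uninstallable"; please confirm the intended behaviour and fix both rows.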
@@ -0,0 +1,43 @@ +--- +title: Cellular (Windows 10) +description: This section describes the Cellular settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Cellular (Windows Configuration Designer reference) + +Use to configure settings for cellular connections. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [AccountExperienceURL](#accountexperienceurl) | X | | | | | +| [AppID](#appid) | X | | | | | +| [NetworkBlockList](#networkblocklist) | X | | | | | +| [SIMBlockList](#simblocklist) | X | | | | | + + +To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it. + +## AccountExperienceURL + +Enter the URL for the mobile operator's web page. + +## AppID + +Enter the AppID for the mobile operator's app in Microsoft Store. + +## NetworkBlockList + +Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). + +## SIMBlockList + +Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md new file mode 100644 index 0000000000..6347a4795d --- /dev/null +++ b/windows/configuration/wcd/wcd-certificates.md 
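Review bot: Both NetworkBlockList and SIMBlockList read "mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC)"; the second abbreviation should be (MNC). The two descriptions are otherwise identical, so a reader cannot tell how the two lists differ (which one blocks the device from registering on a network versus which one rejects a SIM); each needs a sentence on its effect. Also, "mobile network code (MCC)" appears in two rows, so fix both.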
@@ -0,0 +1,71 @@ +--- +title: Certificates (Windows 10) +description: This section describes the Certificates settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Certificates (Windows Configuration Designer reference) + +Use to deploy Root Certificate Authority (CA) certificates to devices. The following list describes the purpose of each setting group. + +- In [CACertificates](#cacertificates), you specify a certificate that will be added to the Intermediate CA store on the target device. +- In [ClientCertificates](#clientcertificates), you specify a certificate that will be added to the Personal store on the target device, and provide (password, keylocation), (and configure whether the certificate can be exported). +- In [RootCertificates](#rootcertificates), you specify a certificate that will be added to the Trusted Root CA store on the target device. +- In [TrustedPeopleCertificates](#trustedpeoplecertificates), you specify a certificate that will be added to the Trusted People store on the target device. +- In [TrustedProvisioners](#trustedprovisioners), you specify a certificate which allows devices to automatically trust packages from the specified publisher. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All setting groups | X | X | X | X | X | + + +## CACertificates + +1. In **Available customizations**, select **CACertificates**, enter a friendly name for the certificate, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. In **CertificatePath**, browse to or enter the path to the certificate. + + +## ClientCertificates + +1. 
In **Available customizations**, select **ClientCertificates**, enter a friendly name for the certificate, and then click **Add**. +2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. Settings in **bold** are required. + +| Setting | Value | Description | +| --- | --- | ---- | +| **CertificatePassword** | | | +| **CertificatePath** | | Adds the selected certificate to the Personal store on the target device. | +| ExportCertificate | True or false | Set to **True** to allow certificate export. | +| **KeyLocation** | - TPM only
    - TPM with software fallback
    - Software only | | + +## RootCertificates + +1. In **Available customizations**, select **RootCertificates**, enter a friendly name for the certificate, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. In **CertificatePath**, browse to or enter the path to the certificate. + +## TrustedPeopleCertificates + +1. In **Available customizations**, select **TrustedPeopleCertificates**, enter a friendly name for the certificate, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. In **TrustedCertificate**, browse to or enter the path to the certificate. + + +## TrustedProvisioners + +1. In **Available customizations**, select **TrustedPprovisioners**, enter a CertificateHash, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. In **TrustedProvisioner**, browse to or enter the path to the certificate. + +## Related topics + + +- [RootCATrustedCertficates configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/rootcacertificates-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md new file mode 100644 index 0000000000..ec1f5eaadc --- /dev/null +++ b/windows/configuration/wcd/wcd-cleanpc.md 
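Review bot: The ClientCertificates table is incomplete: the CertificatePassword row has empty Value and Description cells, the KeyLocation row lists its three values but has no description, and the CertificatePath description "Adds the selected certificate to the Personal store on the target device" describes the whole setting group rather than the path. Because this group takes a CertificatePassword and an ExportCertificate flag, the package evidently carries a private key and its password; one sentence telling the reader to protect the provisioning package accordingly belongs here. The intro bullet "provide (password, keylocation), (and configure whether the certificate can be exported)" has stray parentheses. Typos: "select **TrustedPprovisioners**" under TrustedProvisioners, and "RootCATrustedCertficates" in Related topics.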
@@ -0,0 +1,28 @@ +--- +title: CleanPC (Windows 10) +description: This section describes the CleanPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# CleanPC (Windows Configuration Designer reference) + +Use to remove user-installed and pre-installed applications, with the option to persist user data. + +## Applies to + +| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| CleanPCRetainingUserData | X | | | | | +| CleanPCWithoutRetainingUserData | X | | | | | + +For each setting, the options are **Enable** and **Not configured**. + +## Related topics + +- [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md new file mode 100644 index 0000000000..1ce0db8e5b --- /dev/null +++ b/windows/configuration/wcd/wcd-connections.md 
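Review bot: The two settings in the Applies to table, CleanPCRetainingUserData and CleanPCWithoutRetainingUserData, get no per-setting description beyond "the options are **Enable** and **Not configured**", unlike the other reference pages in this change, which link each row to a section. A line per setting stating exactly what is removed when enabled (the intro says "user-installed and pre-installed applications") and what "persist user data" covers would make the page usable on its own.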
@@ -0,0 +1,45 @@ +--- +title: Connections (Windows 10) +description: This section describes the Connections settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Connections (Windows Configuration Designer reference) + +Use to configure settings related to variou types of phone connections. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Cellular](#cellular) | X | X | X | X | | +| [EnterpriseAPN](#enterpriseapn) | X | X | X | X | | +| [Policies](#policies) | X | X | X | X | | +| [Proxies](#proxies) | X | X | X | X | | + +For each setting group: +1. In **Available customizations**, select the setting group (such as **Cellular**), enter a friendly name for the connection, and then click **Add**. +2. In **Available customizations**, select the name that you just created. + +## Cellular + +See [CM_CellularEntries configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cm-cellularentries-csp) for settings and values. + +## EnterpriseAPN + +See [Configure cellular settings for tablets and PCs](https://docs.microsoft.com/windows/configuration/provisioning-apn) and +[EnterpriseAPN CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseapn-csp) for settings and values. + +## Policies + +See [CMPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cmpolicy-csp) for settings and values. + +## Proxies + +See [CM_ProxyEntries CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cm-proxyentries-csp) for settings and values. \ No newline at end of file 
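Review bot: Typo in the intro: "variou types of phone connections" should be "various types", and "phone connections" is too narrow given the Applies to table marks every group for Desktop editions, Surface Hub and HoloLens as well; "device connections" or "cellular and proxy connections" fits the table. The EnterpriseAPN link text is split across two lines mid-sentence ("and" at the end of one line, the link on the next), which is fine for rendering but worth joining for readability in source.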
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md new file mode 100644 index 0000000000..bb7d3366c0 --- /dev/null +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md 
@@ -0,0 +1,183 @@ +--- +title: ConnectivityProfiles (Windows 10) +description: This section describes the ConnectivityProfile settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ConnectivityProfiles (Windows Configuration Designer reference) + +Use to configure profiles that a user will connect with, such as an email account or VPN profile. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Email](#email) | X | X | X | X | X | +| [Exchange](#exchange) | X | X | X | X | X | +| [KnownAccounts](#knownaccounts) | X | X | X | X | X | +| [VPN](#vpn) | X | X | X | X | X | +| [WiFiSense](#wifisense) | X | X | X | X | X | +| [WLAN](#wlan) | X | X | X | X | X | + +## Email + +Specify an email account to be automatically set up on the device. + +1. In **Available customizations**, select **Email**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure for each account. Settings in **bold** are required. + +| Setting | Description | +| --- | --- | +| **AccountType** | Select between **Normal email** and **Visual voice mail** | +| AuthForOutgoingMail | Set to **True** if the outgoing server requires authentication | +| Domain | Enter the domain for the account | +| HaveAlternateCredentialsForSMTP | Specify whether the user's alternate SMTP account is enabled. If enabled, configure the **SMTPDomain**, **SMTPName**, and **SMTPPassword** settings | +| InboxUpdateFrequency | Specify the time between email send/receive updates, in minutes. Available values are:

    - Manual update
    - Every 2 hours
    - Every 15 minutes
    - Every 30 minutes
    - Every hour | +| **IncomingMailServerName** | Enter the name of the messaging service's incoming email server | +| **OutgoingServerName** | Enter the name of the messaging service's outgoing mail server | +| Password | Enter the password for the account | +| ReplyAddress | Enter the reply address for the account | +| SenderName | Enter the name of the sender for the account | +| **ServiceName** | Enter the name of the email service | +| **ServiceType** | Select **IMAP4** or **POP3** for service type | +| SMTPDomain | Enter the domain name for the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled | +| SMTPName | Enter the display name associated with the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled | +| SMTPPassword | Enter the password for the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled | +| SSLIncoming | Specify whether the incoming email server uses SSL | +| SSLOutgoing | Specify whether the outgoing email server uses SSL | +| SyncOptions | Specify how many days' worth of emails should be downloaded from the server. Available values are:

    - All mail
    - Two weeks
    - One month
    - One week | +| **UserName** | Enter the user name for the account | + +## Exchange + +Configure settings related to Exchange email server. These settings are related to the [ActiveSync configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/activesync-csp). + + +1. In **Available customizations**, select **Exchange**, enter a name for the account, and then click **Add**. A globally unique identifier (GUID) is generated for the account. +2. In **Available customizations**, select the GUID that you just created. The following table describes the settings you can configure. Settings in **bold** are required. + +| Setting | Description | +| --- | --- | +| AccountIcon | Specify the location of the icon associated with the account.

    The account icon can be used as a tile in the Start list or as an icon in the applications list under **Settings > Email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.genericmail.png`. The suggested icon for Exchange Accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.office.outlook.png`. Custom icons can be added if desired. | +| **AccountName** | Enter the name that refers to the account on the device | +| **AccountType** | Select **Exchange** | +| **DiagnosticLogging** | Select whether to disable logging, enable basic logging, or enable advanced logging | +| Domain | Enter the domain name of the Exchange server | +| **EmailAddress** | Enter the email address associated with the Exchange ActiveSync account. | +| **MailAgeFilter** | Specify the time window used for syncing email items to the device. Available values are:

    - All email is synced
    - Only email up to three days old is synced
    -Email up to a week old is synced (default)
    - Email up to two weeks old is synced
    - Email up to a month old is synced | +| **Password** | Enter the password for the account | +| **Schedule** | Specify the time until the next sync is performed, in minutes. Available values are:

    - As items are received (default)
    - Sync manually
    - Every 15 minutes
    - Every 30 minutes
    - Every 60 minutes | +| **ServerName**| Enter the server name used by the account | +| SyncCalendar_Enable | Enable or disable calendar sync | +| SyncCalendar_Name | If you enable calendar sync, enter **Calendar** | +| SyncContacts_Enable | Enable or disable contacts sync | +| SyncContacts_Name | If you enable contacts sync, enter **Contacts** | +| SyncEmail_Enable| Enable or disable email sync | +| SyncEmail_Name | If you enable email sync, enter **Email** | +| SyncTasks_Enable | Enable or disable tasks sync | +| SyncTasks_Name | If you enable tasks sync, enter **Tasks** | +| **UserName** | Enter the user name for the account | +| UseSSL | Specify whether to use Secure Sockets Layer (SSL) | + +## KnownAccounts + +Configure the settings to add additional email accounts. + +| Setting | Description | +| --- | --- | +| KnownAccountsOEM |Enter the source or file location of the KnownAccountsOEM.xml file on your development workstation. | +| OemFilePath | Enter the name of the XML file that defines the new account to be added. The name must be KnownAccountsOEM.xml. | + +## VPN + +Configure settings to change the default maximum transmission unit ([MTU](#mtu)) size settings for Point-to-Point Protocol (PPP) connections or for virtual private network (VPN) connections, or to create a [VPN profile](#vpn). + +### MTU + +| Setting | Description | +| --- | --- | +| PPPProtocolType | Select **VPNPPPProtocolType** | +| ProtocolType | Select **VPNProtocolType** | +| TunnelMTU | Enter the desired MTU size, between **1** and **1500** | + +### VPN + +1. In **Available customizations**, select **VPNSetting**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. Settings in **bold** are required. 
+ +| Setting | Description | +| --- | --- | +| **ProfileType** | Choose between **Native** and **Third Party** | +| RememberCredentials | Select whether credentials should be cached | +| AlwaysOn | Set to **True** to automatically connect the VPN at sign-in | +| LockDown | When set to **True**:
    - Profile automatically becomes an "always on" profile
    - VPN cannot be disconnected
    -If the profile is not connected, the user has no network connectivity
    - No other profiles can be connected or modified | +| ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi neetwork as the VPN client can bypass VPN | +| DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is usedas the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. | +| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. | +| Proxy | Configure to **Automatic** or **Manual** | +| ProxyAutoConfigUrl | When **Proxy** is set to **Automatic**, enter the URL to automatically retrieve the proxy settings | +| ProxyServer | When **Proxy** is set to **Manual**, enter the proxy server address as a fully qualified hostname or enter `IP address:Port` | + +## WiFiSense + +Configure settings related to Wi-Fi Sense. + +### Config + +The **Config** settings are initial settings that can be overwritten when settings are pushed to the device by the cloud. + +| Setting | Description | +| --- | --- | +| WiFiSharingFacebookInitial | Enable or disable sharing of Wi-Fi networks with Facebook contacts | +| WiFiSharingOutlookInitial | Enable or disable sharing of Wi-Fi networks with Outlook contacts | +| WiFiSharingSkypeInitial | Enable or disable sharing of Wi-Fi networks with Skype contacts | + +### FirstBoot + +| Setting | Description | +| --- | --- | +| DefaultAutoConnectOpenState | When enabled, the OOBE Wi-Fi Sense checkbox to automatically connect to open networks will be checked. | +| DefaultAutoConnectSharedState | When enabled, the OOBE Wi-Fi Sense checkbox to share networks with contacts will be checked. | +| WiFiSenseAllowed | Enable or disable Wi-Fi Sense. Wi-Fi Sense features include auto-connect to Wi-Fi hotspots and credential sharing. 
| + +### SystemCapabilities + +You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Telemetry data is generated by the system to provide data that can be used to diagnose both software and hardware issues. + +| Setting | Description | +| --- | --- | +| CoexistenceSupport | Specify the type of co-existence that's supported on the device:

    - **Both**: Both Wi-Fi and Bluetooth work at the same performance level during co-existence
    - **Wi-Fi reduced**: On a 2X2 system, Wi-Fi performance is reduced to 1X1 level
    - **Bluetooth centered**: When co-existing, Bluetooth has priority and restricts Wi-Fi performance
    - **One**: Either Wi-Fi or Bluetooth will stop working | +| NumAntennaConnected | Enter the number of antennas that are connected to the WLAN radio | +| SimultaneousMultiChannelSupported | Enter the maximum number of channels that the Wi-Fi device can simultaneously operate on. For example, you can use this to specify support for Station mode and Wi-Fi Direct GO on separate channels simultaneously. | +| WLANFunctionLevelDeviceResetSupported | Select whether the device supports functional level device reset (FLDR). The FLDR feature in the OS checks this system capability exclusively to determine if it can run. | +| WLANPlatformLevelDeviceResetSupported | Select whether the device supports platform level device reset (PLDR). The PLDR feature in the OS checks this system capability exclusively to determine if it can run. | + + +## WLAN + +Configure settings for wireless connectivity. + +### Profiles + +**To add a profile** + +1. Create [the wireless profile XML](https://msdn.microsoft.com/library/windows/desktop/aa369853.aspx). +2. In **WLAN > Profiles**, browse to and select the profile XML file. +3. Click **Add**. + +### WLANXmlSettings + +Enter a SSID, click **Add**, and then configure the following settings for the SSID. + +| Settings | Description | +| --- | --- | +| ProxyServerPort | (Optional) Specify the configuration of the network proxy as **host:port**. A proxy server host and port can be specified per connection for Windows 10 for mobile devices. The host can be server name, FQDN, or SLN or IPv4 or IPv6 address. This proxy configuration is only supported in Windows 10 for mobile devices. Using this configuration in Windows 10 for desktop editions will result in failure. | +| AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. | +| HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden. 
| +| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**.

    If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md new file mode 100644 index 0000000000..aea53e22de --- /dev/null +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -0,0 +1,23 @@ +--- +title: CountryAndRegion (Windows 10) +description: This section describes the CountryAndRegion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# CountryAndRegion (Windows Configuration Designer reference) + +Use to configure a setting that partners must customize to ship Windows devices to specific countries/regions. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| CountryCodeForExtendedCapabilityPrompts | X | X | X | X | | + +You can set the **CountryCodeForExtendedCapabilityPrompts** setting for **China** to enable additional capability prompts when apps use privacy-sensitive features (such as Contacts or Microphone). diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md new file mode 100644 index 0000000000..1cf770db9b --- /dev/null +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md 
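Review bot: Several rows in this hunk store account secrets in the package (Email "Password", Exchange "**Password**", the SMTPPassword row, VPN RememberCredentials, WLAN SecurityKey) while SSLIncoming, SSLOutgoing and UseSSL are optional; the page should say plainly that a provisioning package containing these values must be handled as sensitive, and that the SSL options should be enabled where the server supports them. The WLAN SecurityType row offers **WEP** alongside **Open** and **WPA2-Personal** without comment; WEP offers no meaningful protection and deserves at least a caution next to the option. Typos and formatting: "Wi-Fi neetwork" (ByPassForLocal), "is usedas the primary" (DnsSuffix), and two list items missing the space after the dash, "-If the profile is not connected" (LockDown) and "-Email up to a week old is synced (default)" (MailAgeFilter). "SLN" in the ProxyServerPort description is an unexplained abbreviation; spell it out.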
@@ -0,0 +1,22 @@ +--- +title: DesktopBackgrounAndColors (Windows 10) +description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DesktopBackgrounAndColors (Windows Configuration Designer reference) + +Do not use. Instead, use the [Personalization settings](wcd-personalization.md). + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md new file mode 100644 index 0000000000..e7c4378477 --- /dev/null +++ b/windows/configuration/wcd/wcd-developersetup.md 
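Review bot: "DesktopBackgrounAndColors" is missing the "d" of "Background" in the title, the description and the H1, while the filename is wcd-desktopbackgroundandcolors.md; correct all three to DesktopBackgroundAndColors so the page is findable by the name shown in Windows Configuration Designer.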
@@ -0,0 +1,37 @@ +--- +title: DeveloperSetup (Windows 10) +description: This section describes the DeveloperSetup settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeveloperSetup (Windows Configuration Designer reference) + +Use to unlock developer mode on HoloLens devices and configure authentication to Windows Device Portal. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [EnableDeveloperMode](#enabledevelopermode) | | | | X | | +| [AuthenticationMode](#authenticationmode) | | | | X | | + + + +## DeveloperSetupSettings: EnableDeveloperMode + +When this setting is configured as **True**, the device is unlocked for developer functionality. + + +## WindowsDevicePortalSettings: Authentication Mode + +When AuthenticationMode is set to **Basic Auth**, enter a user name and password to enable the device to connect to and authenticate with the Windows Device Portal. + +## Related topics + +- [Device Portal for HoloLens](https://docs.microsoft.com/windows/uwp/debug-test-perf/device-portal-hololens) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md new file mode 100644 index 0000000000..dc1e5cd524 --- /dev/null +++ b/windows/configuration/wcd/wcd-deviceformfactor.md 
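Review bot: The Applies to table links to `#enabledevelopermode` and `#authenticationmode`, but the section headings are "DeveloperSetupSettings: EnableDeveloperMode" and "WindowsDevicePortalSettings: Authentication Mode", so neither anchor resolves; either rename the headings to plain "EnableDeveloperMode" and "AuthenticationMode" (matching the other pages in this change) or fix the links. "Authentication Mode" in the heading and "AuthenticationMode" in the body should also agree. Since the Basic Auth setting puts a Windows Device Portal user name and password into the package and EnableDeveloperMode "unlocks" the device, a sentence saying these settings are intended for development devices and that the package then carries a credential would help readers avoid shipping it in a production package.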
@@ -0,0 +1,67 @@ +--- +title: DeviceFormFactor (Windows 10) +description: This section describes the DeviceFormFactor setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeviceFormFactor (Windows Configuration Designer reference) + +Use to identify the form factor of the device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| DeviceForm | X | X | X | X | | + +Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization. + +DeviceForm supports the following features or components: + +- Cortana and Bing use the DeviceForm value to determine the accuracy of specific signals, such as location (GPS versus Wi-Fi versus reverse IP address lookup). +- Windows 10 features, such as Bluetooth and camera, may require DeviceForm to be accurately configured for full functionality. + +Select the appropriate form from the dropdown menu. + +| Device form | Description | +| --- | --- | +| Phone | A typical smartphone combines cellular connectivity, a touch screen, rechargeable power source, and other components into a single chassis. | +| LargeScreen | Microsoft Surface Hub | +| HMD | (Head-mounted display) A holographic computer that is completely untethered - no wires, phones, or connection to a PC needed. | +| IndustryHandheld | A device screen less than 7” diagonal designed for industrial solutions. May or may not have a cellular stack. 
| +| IndustryTablet | A device with an integrated screen greater than 7” diagonal and no attached keyboard designed for industrial solutions as opposed to consumer personal computer. May or may not have a cellular stack. | +| Banking | A machine at a bank branch or another location that enables customers to perform basic banking activities including withdrawing money and checking one's bank balance. | +| BuildingAutomation | A controller for industrial environments that can include the scheduling and automatic operation of certain systems such as conferencing, heating and air conditioning, and lighting. | +| DigitalSignage | A computer or playback device that's connected to a large digital screen and displays video or multimedia content for informational or advertising purposes. | +| Gaming | A device that's used for playing a game. It can be mechanical, electronic, or electromechanical equipment. | +| HomeAutomation | A controller that can include the scheduling and automatic operation of certain systems including heating and air conditioning, security, and lighting. | +| Industrial Automation | Computers that are used to automate manufacturing systems such as controlling an assembly line where each station is occupied by industrial robots. | +| Tablet | A device with an integrated screen that's less than 18". It combines a touch screen, rechargeable power source, and other components into a single chassis with an optional attachable keyboard. | +| Kiosk | An unattended structure that can include a keyboard and touch screen and provides a user interface to display interactive information and allow users to get more information. | +| MakerBoard | A low-cost and compact development board that's used for prototyping any number IoT-related things. | +| Medical | Devices built specifically to provide medical staff with information about the health and well-being of a patient. 
| +| Networking | A device or software that determines where messages, packets, and other signals will go next. | +| POS | (Point of Service) An electronic cash register or self-service checkout. | +| Printing | A printer, copy machine, or a combination of both. | +| ThinClient | A device that connects to a server to perform computing tasks as opposed to running apps locally. | +| Toy | A device used solely for enjoyment or entertainment. | +| Vending | A machine that dispenses items in exchange for payment in the form of coin, currency, or credit/debit card. | +| IndustryOther |A device that doesn't fit into any of the previous categories. | +| Desktop | A desktop PC form factor traditional comes in an upright tower or small desktop chassis and does not have an integrated screen. | +| Notebook | A notebook is a portable clamshell device with an attached keyboard that cannot be removed. | +| Convertible | A convertible device is an evolution of the traditional notebook where the keyboard can be swiveled, rotated or flipped, but not completely removed. It is a blend between a traditional notebook and tablet, also called a 2-in-1. | +| Detachable | A detachable device is an evolution of the traditional notebook where the keyboard can be completely removed. It is a blend between a traditional notebook and tablet, also called a 2-in-1. | +| AIO | An All-in-One (AIO) device is an evolution of the traditional desktop with an attached display. | +| Stick | A device that turns your TV into a Windows computer. Plug the stick into the HDMI slot on the TV and connect a USB or Bluetooth keyboard or mouse. | +| Puck | A small-size PC that users can use to plug in a monitor and keyboard. | + + + + + diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md new file mode 100644 index 0000000000..9297174468 --- /dev/null +++ b/windows/configuration/wcd/wcd-devicemanagement.md 
@@ -0,0 +1,92 @@ +--- +title: DeviceManagement (Windows 10) +description: This section describes the DeviceManagement setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeviceManagement (Windows Configuration Designer reference) + +Use to... + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Accounts](#accounts) | X | X | X | X | | +| [PGList](#pglist) | X | X | X | X | | +| [Policies](#policies) | X | X | X | X | | +| [TrustedProvisioningSource](#trustedprovisioningsource) | X | X | X | X | | + +## Accounts + +1. In **Available customizations**, select **Accounts**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the account that you just created. The following table describes the settings you can configure. Settings in **bold** are required. + +| Setting | Description | +| --- | --- | +| **Address** | Enter the OMA DM server address | +| **AddressType** | Choose between **IPv4** and **URI** for the type of OMA DM server address. The default value of **URI** specifies that the OMA DM account address is a URI address. A value of **IPv4** specifies that the OMA DM account address is an IP address. | +| **AppID** | Select **w7** | +| Authentication > Credentials | 1. Select a credentials level (CLCRED or SRVCRED). A value of **CLCRED** indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of **SRVCRED** indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level.
    2. In **Available customizations**, select the level.
    3. For **Data**, enter the authentication nonce as a Base64 encoded string.
    4. For **Level**, select **CLCRED** or **SRVCRED**.
    5. For **Name**, enter the authentication name.
    6. For **Secret**, enter the password or secret used for authentication.
    7. For **Type**, select between **Basic**, **Digest**, and **HMAC**. For **CLCRED**, the supported values are **BASIC** and **DIGEST**. For **SRVCRED**, the supported value is **DIGEST**. | +| AuthenticationPreference | Select between **Basic**, **Digest**, and **HMAC** | +| BackCompatRetryDisabled | Specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled. | +| ConnectionRetries | Enter a number to specify how many retries the DM client performs when there are Connection Manager-level or wininet-level errors. The default value is `3`. | +| CRLCheck | Specify whether a CRL Check should be performed. Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to **True** to enable SSL revocation. 
| +| DefaultEncoding | Select whether the OMA DM client will use **WBXML** or **XML** for the DM package when communicating with the server | +| DisableOnRoaming | Specify whether the client will connect while cellular roaming | +| InitialBackOffTime | Specify the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry | +| InitiateSession | Specify whether a session should be started with the MDM server when the account is provisioned | +| MaxBackOffTime | Specify the maximum number of milliseconds to wait before attemption a connection retry | +| Name | Enter a display name for the management server | +| Port | Enter the OMA DM server port | +| PrefConRef | Enter a URI to NAP management object or a connection GUID used by the device Connection Manager | +| ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports | +| **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server | +| **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account | +| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certficate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). | +| UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device | +| UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication | + + +## PGList + +1. In **Available customizations**, select **PGList**, enter a LogicalProxyName, and then click **Add**. +2. 
In **Available customizations**, select the LogicalProxyName that you just created, and then select **PhysicalProxies**. +3. Enter a PhysicalProxyName, and then click **Add**. The following table describes the settings you can configure for the physical proxy and for **Trust**. + +| Setting | Description | +| --- | --- | +| Address | Enter the address of the physical proxy | +| AddressType | Select between **E164**, **IPV4**, and **IPV^** for the format and protocol of the PXADDR element for a physical proxy | +| MatchedNapID | Enter a string that defines the SMS bearer. This string must match the NAPID exactly. The value must contains MVID macro if it is an IPv4 PXADDRTYPE. | +| PushEnabled | Select whether push operations are enabled | +| Trust | Specify whether or not the physical proxies in this logical proxy are privileged | + + +## Policies + +The following table describes the settings you can configure for **Policies**. + +| Setting | Description | +| --- | --- | +| MMS > MMSMessageRoles | Select between **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. If a message contains at least one of the roles in the selected role mask, then the message is processed. | +| OMACP > NetwpinRoles | Select a policy role to specify whether OMA network PIN-signed messages will be accepted. OMA Client Provisioning Network PIN policy determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

    **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | +| OMACP > UsernetwpinRoles | Select a policy role to specify whether the OMA user network PIN-signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

    **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | +| OMACP > UserpinRoles | Select a policy role to specify whether the OMA user PIN or user MAC signed message will be accepted. OMA Client Provisioning User PIN policy determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | +| SISL > ServiceIndicationRoles | Specify the security roles that can accept SI messages. Service Indication (SI) Message policy indicates whether SI messages are accepted by specifying the security roles that can accept SI messages. An SI message is sent to the phone to notify users of new services, service updates, and provisioning services.

    Available roles are: **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | +| SISL > ServiceLoadingRoles | Specify the security roles that can accept SL messages. Service Loading (SL) Message policy indicates whether SL messages are accepted by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the phone.

    Available roles are: **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | + +## TrustedProvisioningSource + +In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS). + +## Related topics + +- [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp) +- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md new file mode 100644 index 0000000000..4efec80320 --- /dev/null +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -0,0 +1,27 @@ +--- +title: DMClient (Windows 10) +description: This section describes the DMClient setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DMClient (Windows Configuration Designer reference) + +Use to specify enterprise-specific mobile device management configuration setting. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| UpdateManagementServiceAddress | X | X | X | X | X | + +For the **UpdateManagementServiceAddress** setting, enter a list of servers. The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. + +## Related topics + +- [DMClient configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md new file mode 100644 index 0000000000..cb2fd133b6 --- /dev/null 
+++ b/windows/configuration/wcd/wcd-editionupgrade.md 
@@ -0,0 +1,46 @@ +--- +title: EditionUpgrade (Windows 10) +description: This section describes the EditionUpgrade settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# EditionUpgrade (Windows Configuration Designer reference) + +Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 edition upgrades.](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [ChangeProductKey](#changeproductkey) | X | X | | X | | +| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | X | X | | X | | +| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | X | X | | X | | + + +## ChangeProductKey + +Enter a product key, which will be used to update the existing product key on the device. + +## UpgradeEditionWithLicense + +Browse to and select a license XML file for the edition upgrade. + + +## UpgradeEditionWithProductKey + +Enter a product key for an edition upgrade of Windows 10 devices. + +If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and changepk.exe runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. 
+ + +## Related topics + +- [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/windowslicensing-csp) diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md new file mode 100644 index 0000000000..833b66a43a --- /dev/null +++ b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md @@ -0,0 +1,29 @@ +--- +title: EmbeddedLockdownProfiles (Windows 10) +description: This section describes the EmbeddedLockdownProfiles setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# EmbeddedLockdownProfiles (Windows Configuration Designer reference) + +Use to apply an XML configuration to a mobile device that locks down the device, configures custom layouts, and define multiple roles. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| AssignedAccessXml | | X | | | | + +1. Create a lockdown XML file, either by using [the Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) or [manually](../mobile-devices/lockdown-xml.md). +2. In the **AssignedAccessXml** setting, browse to and select the lockdown XML file that you created. + + +## Related topics + +- [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md new file mode 100644 index 0000000000..5e394b2f6b --- /dev/null +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md 
@@ -0,0 +1,27 @@ +--- +title: FirewallConfiguration (Windows 10) +description: This section describes the FirewallConfiguration setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# FirewallConfiguration (Windows Configuration Designer reference) + +Use to enable AllJoyn router to work on public networks. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| EnableAllJoynOnPublicNetwork | | | | | X | + +Set to **True** or **False**. + +## Related topics + +- [AllJoyn](https://developer.microsoft.com/windows/iot/docs/alljoyn) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md new file mode 100644 index 0000000000..b3a53776ff --- /dev/null +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -0,0 +1,16 @@ +--- +title: FirstExperience (Windows 10) +description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# FirstExperience (Windows Configuration Designer reference) + +Do not configure **FirstExperience** in provisioning packages at this time. These settings will be available to configure the out-of-box experience (OOBE) to set up HoloLens in a future release. + diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md new file mode 100644 index 0000000000..bbad0c9cb9 --- /dev/null +++ b/windows/configuration/wcd/wcd-folders.md 
@@ -0,0 +1,23 @@ +--- +title: Folders (Windows 10) +description: This section describes the Folders settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Folders (Windows Configuration Designer reference) + +Use to add files to the device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| PublicDocuments | X | X | X | X | | + +Browse to and select a file or files that will be included in the provisioning package and added to the public profile documents folder on the target device. You can use the **Relative path to directory on target device** field to create a new folder within the public profile documents folder. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md new file mode 100644 index 0000000000..db5b9cee8b --- /dev/null +++ b/windows/configuration/wcd/wcd-initialsetup.md 
@@ -0,0 +1,30 @@ +--- +title: InitialSetup (Windows 10) +description: This section describes the InitialSetup setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# InitialSetup (Windows Configuration Designer reference) + +Use to set the name of the Windows mobile device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| DeviceName | | X | | | | + +In **DeviceName**, enter a name for the device. If **DeviceName** is set to an asterisk (*) or is an empty string, a random device name will be generated. + +**DeviceName** is a string with a maximum length of 15 bytes of content: + +- **DeviceName** can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content. +- **DeviceName** cannot use spaces or any of the following characters: { | } ~ [ \ ] ^ ' : ; < = > ? @ ! " # $ % ` ( ) + / . , * &, or contain any spaces. +- **DeviceName** cannot use some non-standard characters, such as emoji. + diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md new file mode 100644 index 0000000000..d1a2e56c56 --- /dev/null +++ b/windows/configuration/wcd/wcd-internetexplorer.md 
@@ -0,0 +1,95 @@ +--- +title: InternetExplorer (Windows 10) +description: This section describes the InternetExplorer settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# InternetExplorer (Windows Configuration Designer reference) + +Use to configure settings related to Internet Explorer. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [CustomHTTPHeaders](#customhttpheaders) | | X | | | | +| [CustomUserAgentString](#customuseragentstring) | | X | | | | +| DataSaving > [BrowseDataSaver](#browsedatasaver) | | X | | | | +| DataSaving > [ShowPicturesAutomatically](#showpicturesautomatically) | | X | | | | +| [FirstRunURL](#firstrunurl) | | X | | | | + +## CustomHTTPHeaders + +Configure Microsoft Edge to send custom HTTP headers. These will be sent in addition to the default HTTP headers with all HTTP and HTTPS requests. The header is the portion of the HTTP request that defines the form of the message. + +- A maximum of 16 custom headers can be defined. +- Custom headers cannot be used to modify the user agent string. +- Each header must be no more than 1 KB in length. + +The following header names are reserved and must not be overwritten: + +- Accept +- Accept-Charset +- Accept-Encoding +- Authorization +- Expect +- Host +- If-Match +- If-Modified-Since +- If-None-Match +- If-Range +- If-Unmodified-Since +- Max-Forwards +- Proxy-Authorization +- Range +- Referer +- TE +- USER-AGENT +- X-WAP-PROFILE + +1. In **Available customizations**, select **CustomHTTPHeaders**, enter a name, and then click **Add**. +2. In **Available customizations**, select the name that you just created. +3. Enter the custom header. 
+ +## CustomUserAgentString + +The user agent string indicates which browser you are using, its version number, and details about your system, such as operating system and version. A web server can use this information to provide content that is tailored for your specific browser and phone. + +The user agent string for the browser cannot be modified. By default, the string has the following format: + +`Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; ; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.10166` + +- is automatically replaced with the OEM name. This is the same as the PhoneManufacturer setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo. +- is replaced with the device name or phone name. This is the same as the PhoneModelName setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo. + + +**Limitations and restrictions:** + +- The user agent string for the browser cannot be modified outside of the customizations listed above. +- The user agent type registry setting cannot be modified or used to change the default browser view from Mobile to Desktop. + + + +## BrowseDataSaver + +Use to set the browser data saver default setting. **True** turns on the browser data saver feature. + +Partners can configure the default setting for the browser data saver feature by turning the browser optimization service (through the BrowserDataSaver setting) on or off. + + +## ShowPicturesAutomatically + +Use to enable or disable whether the **Show pictures automatically** setting is available in Internet Explorer **advanced settings**. + + +## FirstRunURL + +Use to set the home page that appears the first time that Microsoft Edge is opened. This page is only shown the first time the browser is opened. After that, the browser displays either the most recently viewed page or an empty page if the user has closed all tabs or opens a new tab. 
+ +Specify the **FirstRunURL** value with a valid link that starts with http://. It is recommended you use a forward link that redirects the user to a localized page. diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md new file mode 100644 index 0000000000..5b3ebb4f41 --- /dev/null +++ b/windows/configuration/wcd/wcd-licensing.md @@ -0,0 +1,30 @@ +--- +title: Licensing (Windows 10) +description: This section describes the Licensing settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Licensing (Windows Configuration Designer reference) + +Use for settings related to Microsoft licensing programs. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | X | | | | | +| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | X | | | | | + +## AllowWindowsEntitlementReactivation + +Enable or disable Windows license reactivation. + +## DisallowKMSClientOnlineAVSValidation + +Enable this setting to prevent the device from sending data to Microsoft regarding its activation state. diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md new file mode 100644 index 0000000000..4a1bfc4a7a --- /dev/null +++ b/windows/configuration/wcd/wcd-maps.md 
@@ -0,0 +1,48 @@ +--- +title: Maps (Windows 10) +description: This section describes the Maps settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Maps (Windows Configuration Designer reference) + +Use for settings related to Maps. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [ChinaVariantWin10](#chinavariantwin10) | X | X | X | X | | +| [UseExternalStorage](#useexternalstorage) | X | X | X | X | | +| [UseSmallerCache](#usesmallercache) | X | X | X | X | | + + +## ChinaVariantWin10 + +Use **ChinaVariantWin10** to specify that the Windows device is intended to ship in China. When set to **True**, maps approved by the State Bureau of Surveying and Mapping in China are used, which are obtained from a server located in China. + +This customization may result in different maps, servers, or other configuration changes on the device. + + +## UseExternalStorage + +Use to store map data on an SD card. + +Map data is used by the Maps application and the map control for third-party applications. This data can be store on an SD card, which provides the advantage of saving internal memory space for user data and allows the user to download more offline map data. Microsoft recommends enabling the **UseExternalStorage** setting on devices that have less than 8 GB of user storage and an SD card slot. + +You can use **UseExternalStorage** whether or not you include an SD card with preloaded map data on the phone. If set to **True**, the OS only allows the user to download offline maps when an SD card is present. 
If an SD card is not present, users can still view and cache maps, but they will not be able to download a region of offline maps until an SD card is inserted. + +If set to **False**, map data will always be stored on the internal data partition of the device. + +>[!NOTE] +>SD card performance can affect the quality of the Maps experience when maps are stored on the SD card. When an SD card is used, Microsoft recommends that you test the Maps experience and the speed of map downloads with the specific SD card part that will be used on retail phones to determine if performance is satisfactory. + +## UseSmallerCache + +Do not use. diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md new file mode 100644 index 0000000000..a00378d147 --- /dev/null +++ b/windows/configuration/wcd/wcd-messaging.md 
@@ -0,0 +1,171 @@ +--- +title: Messaging (Windows 10) +description: This section describes the Messaging settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Messaging (Windows Configuration Designer reference) + +Use for settings related to Messaging. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + +## GlobalSettings > ShowSendingStatus + +Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages. + +## PerSimSettings > _ICCID + +Use to configure settings for each subscriber identification module (SIM) card. + +### AllowSelectAllContacts + +Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. + +Windows 10 Mobile supports the following select multiple recipients features: + +- A multi-select chooser, which enables users to choose multiple contacts. +- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM. + +### AllowSendingDeliveryReport + +Specify whether the phone automatically sends a receipt acknowledgment for MMS messages. Partners can specify whether the phone automatically sends a receipt acknowledgment for MMS messages when they arrive, and they can determine whether users can control the receipt acknowledgments by using the **Send MMS acknowledgment** toggle in **Messaging > settings**. 
By default, this user setting is visible and turned on. + +| Setting | Description | +| --- | --- | +| AllowSendingDeliveryReport | **True** sets the **Send MMS acknowledgment** toggle to **On** | +| AllowSendingDeliveryReportIsSupported | **True** shows the **Send MMS acknowledgment** toggle, and **False** hides the toggle | + +### AutomaticallyDownload + +Specify whether MMS messages are automatically downloaded. + +| Setting | Description | +| --- | --- | +| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** | +| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle | + +### DefaultContentLocationUrl + +For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. + +Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC. + +### ErrorCodeEnabled + +You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. + +Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed. + + +### ImsiAuthenticationToken + +Configure whether MMS messages include the IMSI in the GET and POST header. + +Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC. + +### MaxRetryCount + +You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. 
+ +Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3. + + +### RcsOptions + +Set options for Rich Communications Services (RCS). + +| Setting | Description | +| --- | --- | +| RcsEnabled | Toggle to enable/disable RCS service. Set to **True** to enable. | +| RcsFileTransferAutoAccept | Set to **True** to auto-accept RCS incoming file transfer if the file size is less than warning file size.| +| RcsSendReadReceipt | Set to **True** to send read receipt to the sender when a message is read. | +| ShowRcsEnabled | Set to **True** to show the toggle for RCS activation. | + + +### RequestDeliveryReport + +Set options related to MMS message notifications. You can specify whether users receive notification that MMS messages could not be delivered, and determine whether users can control this by using the MMS delivery confirmation toggle in **Messaging > settings**. By default, this user setting is visible but turned off. + +| Setting | Description | +| --- | --- | +| RequestDeliveryReport | Set to **True** to set the default value to on. | +| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. | + + +### TargetVideoFormat + +You can specify the transcoding to use for video files sent as attachments in MMS messages. + +Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages: + +| Value | Description | +| --- | --- | +| 0 or 0x0 | Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS. | +| 1 or 0x1 | Sets the transcoding to H.264 + AAC + 3GP. | +| 2 or 0x2 | Sets the transcoding to H.263 + AMR.NB + 3GP. | +| 3 or 0x3 | Sets the transcoding to MPEG4 + AMR.NB + 3GP. | + + +### UAProf + +You can specify a user agent profile to use on the phone for MMS messages. 
The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. + +There are two ways to correlate a user agent profile with a given phone: +- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified. +- Alternatively, you can directly set the URI of the user agent profile on the phone. + +Set **UAProf** to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`. + + +### UAProfToken + +You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. + +Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`. + + +### UserAgentString + +Set **UserAgentString** to the new user agent string for MMS in its entirely. + +By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone. + + +### w4 + +| Setting | Description | +| --- | --- | +| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:

    - A Uniform Resource Identifier (URI)
    - An IPv4 address represented in decimal format with dots as delimiters
    - A fully qualified Internet domain name | +| APPID | Set to `w4` | +| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. | +| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:

    - Character string containing the name
    - no value specified

    If no value is specified, the registry location will default to . If **NAME** is greater than 40 characters, it will be truncated to 40 characters. | +| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/napdef-csp). | +| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. | + + + +### WapPushTechnology + +For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. + +| Value | Description | +| --- | --- | +| 1 or 0x1 | Enables MMS messages to have some of their content truncated. | +| 0 or 0x0 | Disables MMS messages from being truncated. | + + + +## Related topics + +- [w4 APPLICATION CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/w4-application-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md new file mode 100644 index 0000000000..dc45dff1ef --- /dev/null +++ b/windows/configuration/wcd/wcd-modemconfigurations.md 
@@ -0,0 +1,22 @@ +--- +title: ModemConfiguration (Windows 10) +description: This section describes the ModemConfiguration settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ModemConfiguration (Windows Configuration Designer reference) + +Documentation not available at this time. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md new file mode 100644 index 0000000000..37a5519dfd --- /dev/null +++ b/windows/configuration/wcd/wcd-multivariant.md 
@@ -0,0 +1,23 @@ +--- +title: Multivariant (Windows 10) +description: This section describes the Multivariant settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Multivariant (Windows Configuration Designer reference) + +Use to select a default profile for mobile devices that have multivariant configurations. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| DefaultProfile | | X | | | | + +If you will be adding [multivariant settings](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-multivariant) to your provisioning package, you can use the **DefaultProfile** setting to specify which variant should be applied by default if OOBE is skipped. In the **DefaultProfile** field, enter the UINAME from your customizations.xml that you want to use as default. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md new file mode 100644 index 0000000000..7eb31bc61c --- /dev/null +++ b/windows/configuration/wcd/wcd-networkproxy.md 
@@ -0,0 +1,51 @@ +--- +title: NetworkProxy (Windows 10) +description: This section describes the NetworkProxy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# NetworkProxy (Windows Configuration Designer reference) + +Use for settings related to NetworkProxy. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + + +## AutoDetect + +Automatically detect network proxy settings. + +| Value | Description | +| --- | --- | +| 0 | Disabled. Do not automatically detect settings. | +| 1 | Enabled. Automatically detect settings. | + +## ProxyServer + +Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. + +| Setting | Description | +| --- | --- | +| ProxyAddress | Address to the proxy server. Specify an address in the format `server:port`. | +| ProxyExceptions | Addresses that should not use the proxy server. The system will not use the proxy server for addresses that begin with the values specified in this node. Use semicolons (;) to separate entries. | +| UseProxyForLocalAddresses | Whether the proxy server should be used for local (intranet) addresses.

    - 0 = Disabled. Do not use the proxy server for local addresses.
    - 1 = Enabled. Use the proxy server for local addresses. | + + +## SetupScriptUrl + +Address to the PAC script you want to use. + + +## Related topics + +- [NetworkProxy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md new file mode 100644 index 0000000000..5906d70cdd --- /dev/null +++ b/windows/configuration/wcd/wcd-networkqospolicy.md 
@@ -0,0 +1,37 @@ +--- +title: NetworkQoSPolicy (Windows 10) +description: This section describes the NetworkQoSPolicy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# NetworkQoSPolicy (Windows Configuration Designer reference) + +Use to create network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + +1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. + +| Setting | Description | +| --- | --- | +| AppPathNameMatchCondition | Enter the name of an application to be sued to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. | +| DestinationPortMatchCondition | Specify a port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number], or [port number]. | +| DSCPAction | Enter the differentiated services code point (DSCP) value to apply to match with network traffic. Valid values are 0-63. | +| IPProtocolMatchCondition | Select between **Both TCP and UDP**, **TCP**, and **UDP** to specify the IP protocol used to match the network traffic. | +| PriorityValue8021Action | Specify the IEEE 802.1p value. Valid values are 0 through 7. | +| SourcePortMatchCondition | Specify a single port or range of ports. Valid values are [first port number]-[last port number], or [port number]. 
| + +## Related topics + +- [NetworkQoSPolicy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md new file mode 100644 index 0000000000..c03217c87e --- /dev/null +++ b/windows/configuration/wcd/wcd-nfc.md @@ -0,0 +1,29 @@ +--- +title: NFC (Windows 10) +description: This section describes the NFC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# NFC (Windows Configuration Designer reference) + +Use to configure settings related to near field communications (NFC) subsystem. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + +Expand **NFC** > **SEMgr** > **UI**. The following table describes the settings you can configure. + +| Setting | Description | +| --- | --- | +| CardEmulationState | Configure the default state of **Tap to pay**. Select between **OFF**, **When Phone Unlocked**, **When Screen On**, and **Anytime**. | +| DefaultFastCardSetting | Configure the default fast card usage for NFC payments. Select between **When Phone Unlocked**, **When Screen On**, and **Anytime**. | +| HideFastCardsOption | Show or hide the fast cards options drop-down menu in the **NFC** > **Tap to pay** control panel. | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md new file mode 100644 index 0000000000..7a72de6bb0 --- /dev/null +++ b/windows/configuration/wcd/wcd-oobe.md 
@@ -0,0 +1,47 @@ +--- +title: OOBE (Windows 10) +description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# OOBE (Windows Configuration Designer reference) + +Use to configure settings for the Out Of Box Experience (OOBE). + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | X | | | | +| [Mobile > HideOobe](#hidem) | | X | | | | +| [Desktop > HideOobe](#hided) | X | | | | | + + +## EnforceEnterpriseProvisioning + +When set to **True**, it forces the OOBE flow into using the enterprise provisioning page without making the user interact with the Windows button. This is the default setting. + +When set to **False**, it does not force the OOBE flow to the enterprise provisioning page. + + +## HideOobe for mobile + +When set to **True**, it hides the interactive OOBE flow for Windows 10 Mobile. + +When set to **False**, the OOBE screens are displayed. + + +## HideOobe for desktop + +When set to **True**, it hides the interactive OOBE flow for Windows 10. + +>[!NOTE] +>You must create a user account if you set the value to true or the device will not be usable. + +When set to **False**, the OOBE screens are displayed. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md new file mode 100644 index 0000000000..f5f33e19a2 --- /dev/null +++ b/windows/configuration/wcd/wcd-otherassets.md 
@@ -0,0 +1,27 @@ +--- +title: OtherAssets (Windows 10) +description: This section describes the OtherAssets settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# OtherAssets (Windows Configuration Designer reference) + +Use to configure settings for Map data. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| MapData | | X | | | | + +Use **MapData** to specify the source directory location of the map region you want to include. + +For example, if C:\Path\Maps\Europe contains the downloaded map data that you want to preload, set the value to that directory. + +To add additional maps, add a new MapData setting and set the source to the directory location of the map region you want to include. diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md new file mode 100644 index 0000000000..27f82ea825 --- /dev/null +++ b/windows/configuration/wcd/wcd-personalization.md 
@@ -0,0 +1,44 @@ +--- +title: Personalization (Windows 10) +description: This section describes the Personalization settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Personalization (Windows Configuration Designer reference) + +Use to configure settings to personalize a PC. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [DeployDesktopImage](#deploydesktopimage) | X | | | | | +| [DeployLockScreenImage](#deploylockscreenimage) | X | | | | | +| [DesktopImageUrl](#desktopimageurl) | X | | | | | +| [LockScreenImageUrl](#lockscreenimageurl) | X | | | | | + +## DeployDesktopImage + +Deploy a jpg, jpeg or png image to the device to be used as desktop image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [DesktopImageUrl](#desktopimageurl). + +When using **DeployDesktopImage** and [DeployLockScreenImageFile](#deploylockscreenimage, the file names need to be different. + +## DeployLockScreenImage + +Deploy a jpg, jpeg or png image to the device to be used as lock screen image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [LockScreenImageUrl](#lockscreenimageurl). + +When using [DeployDesktopImage](#deploydesktopimage) and **DeployLockScreenImageFile**, the file names need to be different. + +## DesktopImageUrl + +Specify a jpg, jpeg or png image to be used as desktop image. This setting can take a http or https url to a remote image to be downloaded or a file url to a local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployDesktopImage](#deploydesktopimage). 
+ +## LockScreenImageUrl + +Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded or a file Url to an existing local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployLockScreenImage](#deploylockscreenimage). \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md new file mode 100644 index 0000000000..72357237a0 --- /dev/null +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -0,0 +1,449 @@ +--- +title: Policies (Windows 10) +description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Policies (Windows Configuration Designer reference) + +This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider). + +## AboveLock + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowActionCenterNotifications](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | | +| [AllowToasts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. 
| X | X | | | | + +## Accounts + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAddingNonMicrosoftAccountManually](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | +| [AllowMicrosoftAccountConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | | | +| [AllowMicrosoftAccountSigninAssistant](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | +| [DomainNamesForEmailSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | + + +## ApplicationDefaults + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [DefaultAssociationsConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | + + +##ApplicationManagement + + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| 
[AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Windows Store apps are allowed | X | X | | | | +| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Windows Store is allowed | X | X | | | | +| [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | +| [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | +| [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | +| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device (?) | | X | | | | +| [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. 
| | x | | | | +| [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | | +| [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | | + + + + +## Authentication + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowFastReconnect](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | + + +## BitLocker + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [EncryptionMethod](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | + + +## Bluetooth + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | +| 
[AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X | +| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X | +| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | +| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | | | + +## Browser + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAddressBarDropdown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | | +| [AllowAutofill](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | | +| [AllowBrowser](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device. 
| | X | | | | +| [AllowCookies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | | +| [AllowDeveloperTools](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | | +| [AllowDoNotTrack](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | | | +| [AllowExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | | +| [AllowFlash](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | | +| [AllowFlashClickToRun](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | | +| [AllowInPrivate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | | | +| [AllowMicrosoftCompatibilityList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. 
| X | X | X | | | +| [AllowPasswordManager](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | | +| [AllowPopups](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | | | +| [AllowSearchEngineCustomization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | | | | | +| [AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | | +| [AllowSmartScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | | | +| [ClearBrowsingDataOnExit](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | | +| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. 
| X | X | X | | | +| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | | +| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | | +| EnterpriseSiteListServiceUrl | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | | +| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | | +| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | | +| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | | +| [PreventFirstRunPage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. 
| X | | | | | +| [PreventLiveTileDataCollection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | | +| [PreventSmartScreenPromptOverride](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | | +| [PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | | +| [PreventUsingLocalHostIPAddressForWebRTC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | | +| [SendIntranetTraffictoInternetExplorer ](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | +| [SetDefaultSearchEngine](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. 
| X | X | X | | | +| [howMessageWhenOpeningSitesInInternetExplorer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | + + +## Camera + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowCamera](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | | | + + +## Connectivity + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | | | +| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | | +| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. 
| X | X | X | | | +| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | | +| [AllowNFC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | | +| [AllowUSBConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | | +| [AllowVPNOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | | +| [AllowVPNRoamingOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | | +| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | | +| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. 
| X | X | X | | | + +## Cryptography + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowFipsAlgorithmPolicy](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | | +| [TLSCiperSuites](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | | + +## Defender + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowArchiveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | | +| [AllowBehaviorMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | | +| [AllowCloudProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. 
| X | | | | | +| [AllowEmailScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | | +| [AllowFullScanOnMappedNetworkDrives](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | | +| [AllowFullScanRemovableDriveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | | +| [AllowIntrusionPreventionSystem](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | | +| [AllowIOAVProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | | +| [AllowOnAccessProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | | +| [AllowRealtimeMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. 
| X | | | | | +| [AllowScanningNetworkFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | | +| [AllowScriptScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | | +| [AllowUserUIAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | | +| [AvgCPULoadFactor](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | | +| [DaysToRetainCleanedMalware](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | | +| [ExcludedExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | | +| [ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. 
| X | | | | | +| [ExcludedProcesses](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | | +| [RealTimeScanDirection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | | +| [ScanParameter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | | +| [ScheduleQuickScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | | +| [ScheduleScanDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | | +| [ScheduleScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. 
| X | | | | | +| [SignatureUpdateInterval](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | | +| [SubmitSamplesConsent](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | | +| [ThreatSeverityDefaultAction](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | | + +## DeliveryOptimization + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [DOAbsoluteMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | | +| [DOAllowVPNPeerCaching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | | +| [DODownloadMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. 
| X | | | | | +| [DOGroupId](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | | +| [DOMaxCacheAge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | | +| [DOMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | | +| [DOMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | | +| [DOMaxUploadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | | +| [DOMinBackgroundQos](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. 
| X | | | | | +| [DOMinBatteryPercentageAllowedToUpload](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | | +| [DOMinDiskSizeAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | | +| [DOMinFileSizeToCache](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | | +| [DOMinRAMAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | | +| [DOModifyCacheDrive](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | | +| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. 
| X | | | | | +| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | + + +## DeviceLock + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowIdleReturnWithoutPassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | +| [AllowScreenTimeoutWhileLockedUserConfig](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | +| [AllowSimpleDevicePassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | | | +|[AlphanumericDevicePasswordRequired](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. 
| X | X | | | | +| [DevicePasswordEnabled](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | | | +| [DevicePasswordExpiration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | | | +| [DevicePasswordHistory](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | | | +| [MaxDevicePasswordFailedAttempts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | | | +| [MaxInactivityTimeDeviceLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | | | +| [MinDevicePasswordComplexCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. 
| X | X | | | | +| [MinDevicePasswordLength](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | | | +| [ScreenTimeoutWhileLocked](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | | + + +## DeviceManagement + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | X | | | | | + + + +## Experience + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowCopyPaste](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | +| [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | | | +| [AllowDeviceDiscovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | +| [AllowFindMyDevice](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. 
| X | X | | | | +| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | | | +| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | +| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | | +| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | | | | | +| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | +| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | | +| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. 
| X | | | | | +| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | +| [AllowWindowsConsumerFeatures](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | | +| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | | +| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | +| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | +| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | | +| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. 
| X | | | | | + + +## Games + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAdvancedGamingServices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | + + +## Location + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | | + + +## Privacy + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | | +| [AllowInputPersonalization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. 
| X | X | | | | + + +## Search + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowIndexingEncryptedStoresOrItems](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | | +| [AllowSearchToUseLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | | | +| [AllowUsingDiacritics](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | | +| AllowWindowsIndexer | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

    - **Off** setting disables Windows indexer
    - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
    - **Enterprise** setting reduces potential network loads for enterprises
    - **Standard** setting is appropriate for consuemrs | X | X | | | | +| [AlwaysUseAutoLangDetection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | | +| [DisableBackoff](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | +| [DisableRemovableDriveIndexing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | +| [PreventIndexingLowDiskSpaceMB](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | +| [PreventRemoteQueries](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | +| [SafeSearchPermissions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. 
| | X | | | | + + + +## Security + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAddProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | X | X | +| [AllowManualRootCertificateInstallation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | +| [AllowRemoveProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | X | X | +| [AntiTheftMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | +| [RequireDeviceEncryption](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | +| [RequireProvisioningPackageSignature](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. 
| X | X | X | X | X | +| [RequireRetrieveHealthCertificateOnBoot](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | + +## Settings + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAutoPlay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | +| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | | +| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | | | +| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | + +## Start + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| AllowPinnedFolderDocuments | Control the visibility of the Documents shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderDownloads | Control the visibility of the Downloadds shortcut on the Start menu. 
| X | | | | | +| AllowPinnedFolderFileExplorer | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderHomeGroup | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderMusic | Control the visibility of the Music shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderNetwork | Control the visibility of the Network shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderPersonalFolder | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderPictures | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderSettings | Control the visibility of the Settings shortcut on the Start menu. | X | | | | | +| AllowPinnedFolderVideos |Control the visibility of the Videos shortcut on the Start menu. | X | | | | | +| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | | +| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | | +| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | | +| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. 
| X | | | | | +| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | | +| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | | +| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | | +| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | | +| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | | +| [HideRestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | | +| [HideShutDown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | | +| [HideSignOut](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. 
| X | | | | | +| [HideSleep](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | | +| [HideSwitchAccount](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | | +| [HideUserTile](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | | +| [ImportEdgeAssets](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). | X | | | | | +| [NoPinningToTaskbar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | | +| [StartLayout](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. 
For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | | + +## System + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowBuildPreview](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | | +| [AllowEmbeddedMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | X | X | +| [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | | +| [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X | +| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | X | X | +| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and useage telemetry data. 
| X | X | | | | +| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | | +| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | | + + +## TextInput + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowIMELogging](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | | +| [AllowIMENetworkAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | | +| [AllowInputPanel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | | +| [AllowJapaneseIMESurrogatePairCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. 
| X | | | | | +| [AllowJapaneseIVSCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | | +| [AllJapaneseNonPublishingStandardGlyph](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | X | | | | | +| [AllowJapaneseUserDictionary](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | | +| [AllowKeyboardTextSuggestions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | | +| [AllowLanguageFeaturesUninstall](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | | +| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | +| [ExcludeJapaneseIMEExceptISO208](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. 
| X | | | | | +| [ExcludeJapaneseIMEExceptISO208andEUDC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| [ExcludeJapaneseIMEExceptShiftJIS](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | + + +## TimeLanguageSettings + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowSet24HourClock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | | + + +## Update + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X | +| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. 
| X | X | X | X | X | +| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X | +| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | +| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X | +| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | X | X | +| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. | X | X | X | X | X | +| AutoRestartDeadlinePeriodInDays | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X | +| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. 
| X | X | X | X | X | +| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | X | X | +| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | +| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | X | X | +| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | X | X | +| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | +| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | X | +| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. 
| X | X | X | X | X | +| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | X | X | +| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | X | X | +| PhoneUpdateRestrictions | Deprecated | | X | | | | +| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | +| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X | +| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | +| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | X | X || +| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. 
| X | X | X | X | X | +| [SetAutoRestartNotificationDisable](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | X | X | +| [SetEDURestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | X | X | +| [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | +| [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | + + +## WiFi + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowAutoConnectToWiFiSenseHotspots](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | | +| [AllowInternetSharing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. 
| X | X | | | | +| [AllowManualWiFiConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | | +| [AllowWiFi](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | | +| [WLANScanMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X | + +## WindowsInkWorkspace + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowSuggestedAppsInWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | | +| [AllowWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | | + + +## WindowsLogon + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [HideFastUserSwitching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. 
| X | | | | | + +## WirelessDisplay + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md new file mode 100644 index 0000000000..5ed43d8d18 --- /dev/null +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -0,0 +1,27 @@ +--- +title: ProvisioningCommands (Windows 10) +description: This section describes the ProvisioningCommands settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ProvisioningCommands (Windows Configuration Designer reference) + +Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md). + + + + 
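Review bot: In wcd-provisioningcommands.md, the page names no individual settings (the Applies to table lists only `All settings`) and defers entirely to the linked Provision PCs with apps topic. Since these settings cause the package to run installer commands on the device, the reference page should list the settings and state which account and privilege level the commands run under, as the other reference pages in this change do for their settings.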
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md new file mode 100644 index 0000000000..d771bbee7b --- /dev/null +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -0,0 +1,61 @@ +--- +title: SharedPC (Windows 10) +description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# SharedPC (Windows Configuration Designer reference) + +Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +## AccountManagement + +Use these settings to configure settings for accounts allowed on the shared PC. + +| Setting | Value | Description | +| --- | --- | --- | +| AccountModel | - Only guest
    - Domain-joined only
    - Domain-joined and guest | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC.

    - Only guest allows anyone to use the PC as a local standard (non-admin) account.
    - Domain-joined only allows users to sign in with an Active Directory or Azure AD account.
    - Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. | +| DeletionPolicy | - Delete immediately
    - Delete at disk space threshold
    - Delete at disk space threshold and inactive threshold | - Delete immediately will delete the account on sign-out.
    - Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for DiskLevelDeletion, and it will stop deleting accounts when the available disk space reaches the threshold you set for DiskLevelCaching. Accounts are deleted in order of oldest accessed to most recently accessed.
    - Delete at disk space threshold and inactive threshold will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by InactiveThreshold | +| DiskLevelCaching | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | +| DiskLevelDeletion | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | +| EnableAccountManager | True or false | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | +| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. | +| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](https://msdn.microsoft.com/library/dn449300.aspx) | +| KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. | + + +## EnableSharedPCMode + +Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings). 
+ +Some of the remaining settings in SharedPC are optional, but we strongly recommend that you also set **EnableAccountManager** to **True**. + +## PolicyCustomization + +Use these settings to configure policies for shared PC mode. + +| Setting | Value | Description | +| --- | --- | --- | +| MaintenanceStartTime | A number between 0 and 1440 | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | +| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. | +| RestrictLocalStorage | True or false | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) | +| SetEduPolicies | True or false | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](https://docs.microsoft.com/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) | +| SetPowerPolicies | True or false | When set as **True**:

    - Prevents users from changing power settings
    - Turns off hibernate
    - Overrides all power state transitions to sleep (e.g. lid close) | +| SignInOnResume | True or false | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | +| SleepTimeout | Number | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | + +## Related topics + +- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md new file mode 100644 index 0000000000..8d7ad0b7ff --- /dev/null +++ b/windows/configuration/wcd/wcd-shell.md @@ -0,0 +1,23 @@ +--- +title: Shell (Windows 10) +description: This section describes the Shell settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Shell (Windows Configuration Designer reference) + +Do not use. Use [Start > StartLayout](wcd-start.md#startlayout) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + + diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md new file mode 100644 index 0000000000..ce6de17758 --- /dev/null +++ b/windows/configuration/wcd/wcd-smisettings.md 
@@ -0,0 +1,107 @@ +--- +title: SMISettings (Windows 10) +description: This section describes the SMISettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# SMISettings (Windows Configuration Designer reference) + +Use SMISettings settings to customize the device with custom shell, suppress Windows UI during boot and sign-in, and block or allow specific keys. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +## All settings in SMISettings + +The following table describes the settings in SMISettings. Some settings have additional details in sections after the table. + +| Setting | Value | Description | +| --- | --- | --- | +| AutoLogon | Enable
    Domain name
    Password
    UserName | Allows automatic sign-in at startup so that the user does not need to enter a user name and password. | +| BrandingNeutral | See [BrandingNeutral values](#brandingneutral-values) | Specifies which UI elements display on the Welcome screen. | +| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved in the event of a crash. | +| DisableBootMenu | True or false | Disables the F8 and F10 keys during startup to prevent access to the **Advanced Startup Options** menu. | +| DisplayDisabled | True or false | Configures the device to display a blank screen when the OS encounters an error that it cannot recover from. | +| HideAllBootUI | True or false | Suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | +| HideAutologonUI | True or false | Hides the Welcome screen when automatic sign-in (AutoLogon) is enabled. | +| HideBootLogo | True or false | Suppresses the default Windows logo that displays during the OS loading phase. | +| HideBootStatusIndicator | True or false | Suppresses the status indicator that displays during the OS loading phase. | +| HideBootStatusMessages | True or false | Suppresses the startup status text that displays during the OS loading phase. | +| HideFirstLogonAnimation | True or false | Disable the animation during the first sign-in. | +| KeyboardFilter | See [KeyboardFilter settings](#keyboardfilter-settings) | Use these settings to configure devices to suppress key presses or key combinations. | +| NoLockScreen | True or false | Disables the lock screen functionality and UI elements | +| ShellLauncher | See [ShellLauncher settings](#shelllauncher-settings) | Settings used to specify the application or executable to use as the default custom shell. | +| UIVerbosityLevel | Suppress or do not suppress | Disables the Windows status messages during device startup, sign-in, and shut down. 
| + +## BrandingNeutral values + +The following table shows the possible values. You can combine these values using bitwise exclusive-OR logic to disable multiple Welcome screen UI elements. + +The default value is **17**, which disables all Welcome screen UI elements and the Switch user button. + +| Value | Description | +| --- | --- | +| 1 | Disables all Welcome screen UI elements | +| 2 | Disables the Power button | +| 4 | Disables the Language button | +| 8 | Disables the Ease of access button | +| 16 | Disables the Switch user button | +| 32 | Disables the blocked shutdown resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any applications that are blocking system shut down. No UI is displayed and users are not given a chance to cancel the shutdown process. This can result in a loss of data if any open applications have unsaved data. | + +## CrashDumpEnabled values + +Contains an integer that specifies the type of information to capture in a dump (.dmp) file that is generated when the system stops unexpectedly. + +The .dmp file is typically saved in %SystemRoot% as Memory.dmp. + +Set CrashDumpEnabled to one of the following values: + +| Value | Description | +| --- | --- | +| 1 | Records all the contents of system memory. This dump file may contain data from processes that were running when the information was collected. | +| 2 | Records only the kernel memory. This dump file includes only memory that is allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It does not include unallocated memory or any memory that is allocated to user-mode programs.

    For most purposes, this kind of dump file is the most useful because it is significantly smaller than the complete memory dump file, but it contains information that is most likely to have been involved in the issue.

    If a second problem occurs, the dump file is overwritten with new information. | +| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:

    - A list of loaded drivers

    - The processor context (PRCB) for the processor that stopped

    - The process information and kernel context (EPROCESS) for the process that stopped

    - The process information and kernel context (ETHREAD) for the thread that stopped

    - The kernel-mode call stack for the thread that stopped


    This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by analyzing this file.

    The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. | +| 4 | Records the smallest amount of useful information. This value produces the same results as entering a value of 3. | +| 7 | Records only the kernel memory. This value produces the same results as entering a value of 2. This is the default value. | +| Any other value | Disables crash dump and does not record anything. | + +## KeyboardFilter settings + +You can use KeyboardFilter to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. + +When you **enable** KeyboardFilter, a number of other settings become available for configuration. + +| Setting | Value | Description | +| --- | --- | --- | +| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that you may have that are not included in the predefined key filters.

    Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-customkey). | +| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.

    Enter a custom scancode in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-scancode). | +| DisableKeyboardFilterForAdministrators | True or false | Disables the keyboard filter for administrators. | +| ForceOffAccessibility | True or false | Disables all Ease of Access features and prevents users from enabling them. | +| PredefinedKeyFilters | Allow or block | Specifies the list of predefined keys. For each key, the value will default to **Allow**. Specifying **Block** will suppress the key combination. | + +[Learn more about using keyboard filters.](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) + +## ShellLauncher settings + +Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). + +You can also configure ShellLauncher to launch different shell applications for different users or user groups. + +>[!IMPORTANT] +>You may specify any executable file to be the default shell except C:\Windows\System32\Eshell.exe. Using Eshell.exe as the default shell will result in a blank screen after a user signs in. +> +>You cannot use ShellLauncher to launch a Windows app as a custom shell. However, you can use Windows 10 application launcher to launch a Windows app at startup. + +ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. 
You can configure the shell exit behavior if the default behavior does not meet your needs. + +>[!IMPORTANT] +>A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights cannot. If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for ShellLauncher to launch the shell application. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md new file mode 100644 index 0000000000..25fcc57075 --- /dev/null +++ b/windows/configuration/wcd/wcd-start.md 
@@ -0,0 +1,35 @@ +--- +title: Start (Windows 10) +description: This section describes the Start settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Start (Windows Configuration Designer reference) + +Use Start settings to apply a customized Start screen to devices. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| StartLayout | X | X | | | | +| StartLayoutFilePath | | X | | | | + +>[!IMPORTANT] +>The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but should only be used to apply a layout to Windows 10 Mobile devices. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start). + +## StartLayout + +Use StartLayout to select the LayoutModification.xml file that applies a customized Start screen to a device. + +For more information, see [Start layout XML for mobile editions of Windows 10 ](../mobile-devices/lockdown-xml.md)). + +## StartLayoutFilePath + +Do not use. diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md new file mode 100644 index 0000000000..06c5b20b7a --- /dev/null +++ b/windows/configuration/wcd/wcd-startupapp.md 
@@ -0,0 +1,23 @@ +--- +title: StartupApp (Windows 10) +description: This section describes the StartupApp settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# StartupApp (Windows Configuration Designer reference) + +Use StartupApp settings to configure the default app that will run on start for Windows 10 IoT Core (IoT Core) devices. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| Default | | | | | X | + +Enter the [Application User Model ID (AUMID)](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md new file mode 100644 index 0000000000..6b0840c310 --- /dev/null +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -0,0 +1,22 @@ +--- +title: StartupBackgroundTasks (Windows 10) +description: This section describes the StartupBackgroundTasks settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# StartupBackgroundTasks (Windows Configuration Designer reference) + +Documentation not available at this time. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | | | X | + 
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md new file mode 100644 index 0000000000..f2da4a2dd6 --- /dev/null +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md @@ -0,0 +1,35 @@ +--- +title: SurfaceHubManagement (Windows 10) +description: This section describes the SurfaceHubManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# SurfaceHubManagement (Windows Configuration Designer reference) + +Use SurfaceHubManagement settings to set the administrator group that will manage a Surface Hub that is joined to the domain. + +>[!IMPORTANT] +>These settings should be used only in provisioning packages that are applied during OOBE. + + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + + +## GroupName + +Enter the group name for the administrators group in Active Directory. + +## GroupSid + +Enter the SID or the administrators group in Active Directory. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md new file mode 100644 index 0000000000..a8d2ea900a --- /dev/null +++ b/windows/configuration/wcd/wcd-tabletmode.md 
@@ -0,0 +1,29 @@ +--- +title: TabletMode (Windows 10) +description: This section describes the TabletMode settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# TabletMode (Windows Configuration Designer reference) + +Use TabletMode to configure settings related to tablet mode. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | X | X | X | X | + +## ConvertibleSlateModePromptPreference + +Set the default for hardware-based prompts. + +## SignInMode + +Specify whether users switch to table mode by default after signing in. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md new file mode 100644 index 0000000000..75613f3b2e --- /dev/null +++ b/windows/configuration/wcd/wcd-takeatest.md 
@@ -0,0 +1,48 @@ +--- +title: TakeATest (Windows 10) +description: This section describes the TakeATest settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# TakeATest (Windows Configuration Designer reference) + +Use TakeATest to configure the Take A Test app, a secure browser for test-taking. Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. For more information, see [Take tests in Windows 10](https://docs.microsoft.com/education/windows/take-tests-in-windows-10). + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +## AllowScreenMonitoring + +When set to True, students are able to record and take screen captures in the Take A Test app. + +## AllowTextSuggestions + +When set to True, students can see autofill suggestions from onscreen keyboards when typing in the Take A Test app. + +## LaunchURI + +Enter a link to an assessment that will be automatically loaded when the Take A Test app is opened. + +## RequirePrinting + +When set to True, students can print in the Take A Test app. + +## TesterAccount + +Enter the account to use when taking a test. + +To specify a domain account, enter **domain\user**. To specify an AAD account, enter **username@tenant.com**. To specify a local account, enter the username. + + +## Related topics + +- [SecureAssessment configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/secureassessment-csp) \ No newline at end of file 
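Review bot: In wcd-takeatest.md, the RequirePrinting description (`When set to True, students can print in the Take A Test app`) describes a permission while the setting name says Require; confirm which behavior is meant and word the description to match the name, because a reader locking down the assessment environment will read True as "printing is enforced" rather than "printing is allowed". AllowScreenMonitoring has the same name/description tension: the description says students can record and take screen captures, which is not what "monitoring" suggests, so say who is doing the capturing.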
diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md new file mode 100644 index 0000000000..2d3e643f85 --- /dev/null +++ b/windows/configuration/wcd/wcd-theme.md @@ -0,0 +1,35 @@ +--- +title: Theme (Windows 10) +description: This section describes the Theme settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Theme (reference) + +Use Theme to configure accent and background colors on Windows 10 Mobile. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | X | | | | + +## DefaultAccentColor + +In the dropdown menu for DefaultAccentColor, select from the list of colors. The accent color is used for the background of the start tiles, some text, the progress indicator, the user’s My Phone web site, and so on. + + +## DefaultBackgroundColor + +Select between **Light** and **Dark** for theme. + + +## Related topics + +- [Themes and accent colors](https://msdn.microsoft.com/library/windows/hardware/dn772323(v=vs.85).aspx) diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md new file mode 100644 index 0000000000..fe65f8413f --- /dev/null +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md 
@@ -0,0 +1,65 @@ +--- +title: UnifiedWriteFilter (Windows 10) +description: This section describes the UnifiedWriteFilter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UnifiedWriteFilter (reference) + + +Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF) in your device to help protect your physical storage media, including most standard writable storage types that are supported by the OS, such as physical hard disks, solidate-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writeable volume. + +>[!IMPORTANT] +>You cannot use UWF to protect external USB devices or flash drives. + +UWF intercepts all write attempts to a protected volume and redirects those write attempts to a virtual overlay. This improves the reliability and stability of your device and reduces the wear on write-sensitive media, such as flash memory media like solid-state drives. + +The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume. + +>[!NOTE] +>UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume. 
+ +[Learn more about the Unified Write Filter feature.](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter) + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | X | + +## FilterEnabled + +Set to **True** to enable UWF. + +## OverlaySize + +Enter the maximum overlay size, in megabytes (MB), for the UWF overlay. The minimum value for maximum overlay size is 1024. + +>[!NOTE] +>UnifiedWriteFilter must be enabled for this setting to work. + +## OverlayType + +OverlayType specifies where the overlay is stored. Select between **RAM** (default) and **Disk** (pre-allocated file on the system volume). + +## RegistryExclusions + +You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts. + +Use **Add** to add a registry entry to the exclusion list after you restart the device. + +Use **Remove** to remove a registry entry from the exclusion list after you restart the device. + +## Volumes + +Enter a drive letter for a volume to be protected by UWF. + +>[!NOTE] +>In the current OS release, Windows Configuration Designer contains a validation bug. To work around this issue, you must include a ":" after the drive letter when specifying the value for the setting. For example, if you are specifying the C drive, you must set DriveLetter to "C:" instead of just "C". \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md new file mode 100644 index 0000000000..6ba1b3993a --- /dev/null +++ b/windows/configuration/wcd/wcd-universalappinstall.md 
@@ -0,0 +1,79 @@ +--- +title: UniversalAppInstall (Windows 10) +description: This section describes the UniversalAppInstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UniversalAppInstall (reference) + + +Use UniversalAppInstall settings to install Windows apps from the Microsoft Store or a hosted location. + +>[!NOTE] +>You can only use the Windows provisioning settings and provisioning packages for apps where you have the available installation files, namely with sideloaded apps that have an offline license. [Learn more about offline app distribution.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [DeviceContextApp](#devicecontextapp) | X | | X | | | +| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | | +| [UserContextApp](#usercontextapp) | X | X | X | X | X | +| [UserContextAppLicense](#usercontextapplicense) | X | X | X | X | X | + +## DeviceContextApp + +Enter an app package family name to install an app for all users of the device. You can use the [Get-AppxPackage cmdlet](https://technet.microsoft.com/itpro/powershell/windows/appx/get-appxpackage) to get the package family name for an installed app. + +>[!NOTE] +>For XAP files, enter the product ID. + +For each app that you add to the package, configure the settings in the following table. + +| Setting | Value | Description | +| --- | --- | --- | +| ApplicationFile | .appx or .appxbundle | Set the value to the app file that you want to install on the device. 
In addition, you must also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. | +| DependencyAppxFiles | any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. | +| DeploymentOptions | - None
    -Force application shutdown: If this package, or any package that depends on this package, is currently in use, the processes associated with the package are shut down forcibly so that registration can continue
    - Development mode: do not use
    - Install all resources: When you set ths option, the app is instructed to skip resource applicability checks.
    - Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. | +| LaunchAppAtLogin | - Do not launch app
    - Launch app | Set the value for app behavior when a user signs in. | +| OptionalPackageFiles | additional files required by the package | Browse to, select, and add the optional package files. | + +For more information on deployment options, see [DeploymentOptions Enum](https://docs.microsoft.com/uwp/api/windows.management.deployment.deploymentoptions). + +## DeviceContextAppLicense + +Use to specify the license file for the provisioned app. + +1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**. + +2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file. + + +## UserContextApp + +Use to add a new user context app. + +1. Specify a **PackageFamilyName** for the app, and then click **Add**. +2. Select the PackageFamilyName in the Available Customizations pane, and then configure the following settings. + +Setting | Value | Description +--- | --- | --- +ApplicationFile | app file | Browse to, select, and add the application file, +DependencyAppxFiles | additional files required by the app | Browse to, select, and add dependency files. +DeploymentOptions | - None

    - Force application shutdown

    - Development mode

    - Install all resources

    - Force target application shutdown | Select a deployment option. +LaunchAppAtLogin | - Do not launch app

    - Launch app | Select whether the app should be started when a user signs in. + + +## UserContextAppLicense + +Use to specify the license file for the user context app. + +1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**. + +2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md new file mode 100644 index 0000000000..17bbc8f15b --- /dev/null +++ b/windows/configuration/wcd/wcd-universalappuninstall.md 
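Review bot: The ApplicationFile row of the DeviceContextApp table tells the reader to enable AllowAllTrustedApps and "add a root certificate or license file" without saying what each choice implies: a root certificate provisioned to the device makes every package chained to that root installable, not only this app, while a license file scopes trust to the licensed package, so the text should recommend the license file wherever one exists and reserve the certificate path for line-of-business apps the organization signs itself. Typos in the same table: "-Force application shutdown" is missing a space after the hyphen, and "When you set ths option" should be "this". In the UserContextApp table the ApplicationFile cell ends with a comma ("add the application file,") instead of a period, and its DeploymentOptions list repeats the DeviceContextApp list without the descriptions; either link back to the first list or keep the descriptions in both places.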
@@ -0,0 +1,40 @@ +--- +title: UniversalAppUninstall (Windows 10) +description: This section describes the UniversalAppUninstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UniversalAppUninstall (reference) + + +Use UniversalAppUninstall settings to uninstall or remove Windows apps. + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [RemoveProvisionedApp](#removeprovisionedapp) | X | | | | | +| [Uninstall](#uninstall) | X | X | X | X | X | + +## RemoveProvisionedApp + +Universal apps can be *provisioned*, which means that they are available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user. + +Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user are not uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting. + +1. Enter the PackageFamilyName for the app package, and then click **Add**. +2. Select the PackageFamilyName in the Available Customizations pane, and then select **RemoveProvisionedApp**. + +## Uninstall + +Use **Uninstall** to remove provisioned apps that have been installed by a user. + +1. Enter the PackageFamilyName for the app package, and then click **Add**. +2. Select the PackageFamilyName in the Available Customizations pane, and then select **Uninstall**. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md new file mode 100644 index 0000000000..7175b5e14b --- /dev/null 
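Review bot: The Uninstall section in wcd-universalappuninstall.md only says it removes "provisioned apps that have been installed by a user", which leaves unclear whether it also removes apps that were never provisioned and whether removal applies to one user or to every user on the device; the RemoveProvisionedApp section makes that distinction explicitly ("Any instances of the app that have already been installed by a user are not uninstalled") and the Uninstall section should do the same. Both procedures ask for a PackageFamilyName but, unlike wcd-universalappinstall.md, this page does not say how to find it; reuse the Get-AppxPackage pointer from the install page.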
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -0,0 +1,27 @@ +--- +title: UsbErrorsOEMOverride (Windows 10) +description: This section describes the UsbErrorsOEMOverride settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UsbErrorsOEMOverride (reference) + + +Use UsbErrorsOEMOverride settings to . + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | X | X | X | X | | + +## HideUsbErrorNotifyOptionUI + + diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md new file mode 100644 index 0000000000..f1316bc77a --- /dev/null +++ b/windows/configuration/wcd/wcd-weakcharger.md 
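Review bot: wcd-usberrorsoemoverride.md is an unfinished stub and should not be merged as is: the intro reads "Use UsbErrorsOEMOverride settings to ." and the HideUsbErrorNotifyOptionUI section has no body. It is also absent from the wcd.md index added in this same change, so as written the page would be unreachable. Either complete it (at minimum, what the setting controls and its allowed values, following the pattern of HideWeakChargerNotifyOptionUI in the neighbouring WeakCharger page) and add it to the index, or drop the file from this change until it is written.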
@@ -0,0 +1,43 @@ +--- +title: WeakCharger (Windows 10) +description: This section describes the WeakCharger settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# WeakCharger (reference) + + +Use WeakCharger settings to configure the charger notification UI. + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | X | X | X | X | | +| [NotifyOnWeakCharger](#notifyonweakcharger) | X | X | X | X | | + + +## HideWeakChargerNotifyOptionUI + +This setting determines whether the user sees the dialog that's displayed when the user connects the device to an incompatible charging source. By default, the OS shows the weak charger notification option UI. + +Select between **Show Weak Charger Notifications UI** and **Hide Weak Charger Notifications UI**. + +## NotifyOnWeakCharger + +This setting displays a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge or may not charge at all with the current charging source. + +An incompatible charging source is one that does not behave like one of the following port types as defined by the USB Battery Charging Specification, Revision 1.2, available on the USB.org website: +- Charging downstream port +- Standard downstream port +- Dedicated charging port + +Select between **Disable Weak Charger Notifications UI** and **Enable Weak Charger Notifications UI**. + diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md new file mode 100644 index 0000000000..b9ee438e22 --- /dev/null 
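Review bot: NotifyOnWeakCharger does not state its default, while HideWeakChargerNotifyOptionUI does ("By default, the OS shows the weak charger notification option UI"); add the default so an admin reading only the table can tell whether leaving the setting unset disables the warning. The reference to "USB Battery Charging Specification, Revision 1.2, available on the USB.org website" should be a link, as the other pages in this change link their external references.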
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -0,0 +1,103 @@ +--- +title: WindowsTeamSettings (Windows 10) +description: This section describes the WindowsTeamSettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# WindowsTeamSettings (reference) + + +Use WindowsTeamSettings settings to configure Surface Hub. + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + +## Connect + +| Setting | Value | Description | +| --- | --- | --- | +| AutoLaunch | True or false | Open the Connect app automatically when someone projects. | +| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)
    - 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)
    - 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). | +| Enabled | True or false | Enables wireless projection to the device. | +| PINRequired | True or false | Requires presenters to enter a PIN to connect wirelessly to the device. | + +## DeviceAccount + +A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. + +| Setting | Value | Description | +| --- | --- | --- | +| CalendarSyncEnabled | True or false | Specifies whether calendar sync and other Exchange Server services are enabled. | +| DomainName | Domain of the device account when you are using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. | +| Email | Email address | Email address of the device account. | +| ExchangeServer | Exchange Server | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails. | +| Password | Password | Password for the device account. | +| PasswordRotationEnabled | 0 = enabled
    1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. | +| SipAddress | Session Initiation Protocol (SIP) address | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails. | +| UserName | User name | Username of the device account when you are using Active Directory. | +| UserPrincipalName | User principal name (UPN) | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. | +| ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. | + + +## FriendlyName + +Enter the name that users will see when they want to project wirelessly to the device. + +## MaintenanceHours + +Maintenance hours are the period of time during which automatic maintenance tasks are performed. + +| Setting | Value | Description | +| --- | --- | --- | +| Duration | Duration in minutes. For example, to set a 3-hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. | +| StartTime | Start time in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120 | Start time for when device is allowed to start downloading and installing updates. | + +## OMSAgent + +Configures the Operations Management Suite workspace. 
+ +| Setting | Value | Description | +| --- | --- | --- | +| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. | +| WorkspaceKey | Key | Primary key for authenticating with the workspace. | + +## Properties + +| Setting | Value | Description | +| --- | --- | --- | +| AllowAutoProxyAuth | True or false | Specifies if the Surface Hub can use the device account to authenticate into proxy servers requiring authentication. | +| AllowSessionResume | True or false | Specifies if users are allowed to resume their session after session timeout. | +| DefaultVolume | Numeric value between 0 and 100 | Default speaker volume. Speaker volume will be set to this value at every session startup. | +| DisableSigninSuggestions | True or false | Specifies if the Surface Hub will not show suggestions when users try to sign in to see their meetings and files. | +| DoNotShowMyMeetingsAndFiles | True or false | Specifies if users can sign in and have full access to personal meetings and most recently used documents. | +| ScreenTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will turn off its screen. | +| SessionTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will time out the current session and return to the welcome screen. | +| SleepTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will go into a sleep state. | + +## SkypeForBusiness + +| Setting | Value | Description | +| --- | --- | --- | +| DomainName | Domain name | Specifies the domain name of the target server when the Skype for Business server is in a domain that's different from the device account. 
| + +## Welcome + +| Setting | Value | Description | +| --- | --- | --- | +| AutoWakeScreen | True or false | Specifies whether to automatically turn on the screen using motion sensors. | +| CurrentBackgroundPath | Https URL to a PNG file | Background image for the welcome screen. | +| MeetingInfoOption | 0 = organizer and time only
    1 = organizer, time, and subject (subject is hidden for private meetings) | Specifies whether meeting information is displayed on the welcome screen. | + +## Related topics + +- [SurfaceHub configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/surfacehub-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md new file mode 100644 index 0000000000..6b641db70f --- /dev/null +++ b/windows/configuration/wcd/wcd-wlan.md @@ -0,0 +1,24 @@ +--- +title: WLAN (Windows 10) +description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# WLAN (reference) + + +Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connectivityprofiles.md#wlan) + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | | X | | + diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md new file mode 100644 index 0000000000..901e30a048 --- /dev/null +++ b/windows/configuration/wcd/wcd-workplace.md 
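Review bot: The DeviceAccount table takes the device account Password and the OMSAgent table takes the WorkspaceKey as plain values, but nothing tells the reader that these secrets are stored inside the exported provisioning package and that anyone who obtains the package can use them; add a sentence pointing to the encrypt and sign options when building the package and to keeping the package off shared media. The PasswordRotationEnabled mapping of "0 = enabled" and "1 = disabled" is the reverse of what most admins expect, so spell out in the description that 0 turns rotation on rather than leaving it to the value column alone; getting this backwards silently disables rotation on a shared device account. Naming and formatting nits in the same file: the WorkspaceID description says "disable the MOM agent" in a section about the OMS agent; "5ghz" in the Channel row should be "5 GHz"; and "the driver will either not boot" should say that the Miracast driver will fail to load.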
@@ -0,0 +1,38 @@ +--- +title: Workplace (Windows 10) +description: This section describes the Workplace settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Workplace (reference) + + +Use Workplace settings to configure bulk user enrollment to a mobile device management (MDM) service. For more information, see [Bulk enrollment step-by-step](https://docs.microsoft.com/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool). + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Enrollments](#enrollments) | X | X | X | X | X | + +## Enrollments + +Select **Enrollments**, enter a UPN, and then click **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this must a service account that is allowed to enroll multiple users. Example, "generic-device@contoso.com" + +| Settings | Value | Description | +| --- | --- | --- | +| AuthPolicy | - OnPremise
    - Certificate | The authentication policy used by the MDM service | +| DiscoveryServiceFullUrl | URL | The full URL for the discovery service | +| EnrollmentServiceFullUrl | URL | The full URL for the enrollment service | +| PolicyServiceFullUrl | URL | The full URL for the policy service | +| Secret | - Password string for on-premise authentication enrollment
    - Federated security token for federated enrollment
    - Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy | + +## Related topics + +- [Provisioning configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/provisioning-csp) diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md new file mode 100644 index 0000000000..38f6061d9f --- /dev/null +++ b/windows/configuration/wcd/wcd.md 
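Review bot: The AuthPolicy and Secret rows in the Enrollments table disagree: AuthPolicy offers only OnPremise and Certificate, but Secret lists three cases including "Federated security token for federated enrollment", so either a Federated value is missing from AuthPolicy or the federated line should be removed from Secret. The Secret value (password, token or thumbprint) is embedded in the provisioning package and belongs to a service account that is "allowed to enroll multiple users", so the page should say to scope that account to enrollment only, encrypt or otherwise protect the package, and rotate the secret once the bulk enrollment is done. Grammar: "this must a service account" should be "this must be a service account", and "Example, "generic-device@contoso.com"" should read "for example, generic-device@contoso.com".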
@@ -0,0 +1,77 @@ +--- +title: Windows Configuration Designer provisioning settings (Windows 10) +description: This section describes the settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Windows Configuration Designer provisioning settings (reference) + +This section describes the settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. + +## Edition that each group of settings applies to + +| Setting group | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Accounts](wcd-accounts.md) | X | X | X | X | X | +| [ADMXIngestion](wcd-admxingestion.md) | X | | | | | +| [ApplicationManagement](wcd-applicationmanagement.md) | X | X | X | X | X | +| [AssignedAccess](wcd-assignedaccess.md) | X | X | | X | | +| [AutomaticTime](wcd-automatictime.md) | | X | | | | +| [Browser](wcd-browser.md) | X | X | X | X | | +| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | | +| [Cellular](wcd-cellular.md) | X | | | | | +| [Certificates](wcd-certificates.md) | X | X | X | X | X | +| [CleanPC](wcd-cleanpc.md) | X | | | | | +| [Connections](wcd-connections.md) | X | X | X | X | | +| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | X | +| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | X | | +| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | | +| [DeveloperSetup](wcd-developersetup.md) | | | | X | | +| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | | +| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | | +| [DMClient](wcd-dmclient.md) | X | X | X | X | X | +| 
[EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | | +| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | | +| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X | +| [FirstExperience](wcd-firstexperience.md) | | | | X | | +| [Folders](wcd-folders.md) |X | X | X | X | | +| [InitialSetup](wcd-initialsetup.md) | | X | | | | +| [InternetExplorer](wcd-internetexplorer.md) | | X | | | | +| [Licensing](wcd-licensing.md) | X | | | | | +| [Maps](wcd-maps.md) |X | X | X | X | | +| [Messaging](wcd-messaging.md) | | X | | | | +| [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | | +| [Multivariant](wcd-multivariant.md) | | X | | | | +| [NetworkProxy](wcd-networkproxy.md) | | | X | | | +| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | | X | | | +| [NFC](wcd-nfc.md) | | X | | | | +| [OOBE](wcd-oobe.md) | X | X | | | | +| [OtherAssets](wcd-otherassets.md) | | X | | | | +| [Personalization](wcd-personalization.md) | X | | | | | +| [Policies](wcd-policies.md) | X | X | X | X | X | +| [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | | +| [SharedPC](wcd-sharedpc.md) | X | | | | | +| [Shell](wcd-shell.md) | | X | | | | +| [SMISettings](wcd-smisettings.md) | X | | | | | +| [Start](wcd-start.md) | X | X | | | | +| [StartupApp](wcd-startupapp.md) | | | | | X | +| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X | +| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | | +| [TabletMode](wcd-tabletmode.md) |X | X | X | X | | +| [TakeATest](wcd-takeatest.md) | X | | | | | +| [Theme](wcd-theme.md) | | X | | | | +| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | | +| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X | +| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X | +| [WeakCharger](wcd-weakcharger.md) |X | X | X | X | | +| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | | +| [WLAN](wcd-wlan.md) | | | | X | | +| 
[Workplace](wcd-workplace.md) |X | X | X | X | X | + + diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md new file mode 100644 index 0000000000..941c15911e --- /dev/null +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -0,0 +1,20 @@ +--- +title: Windows Autopilot EULA dismissal – important information +description: A notice about EULA dismissal through Windows AutoPilot +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: high +ms.author: mayam +ms.date: 08/22/2017 +ROBOTS: noindex,nofollow +--- +# Windows Autopilot EULA dismissal – important information + +>[!IMPORTANT] +>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). + +Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. + +By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors. \ No newline at end of file diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 40f279e10f..a05a03bbe9 100644 
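Review bot: The index row "[UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | |" marks UnifiedWriteFilter as Desktop only, but the Applies-to table in the wcd-unifiedwritefilter.md page added in this same change lists "All settings | X | | | | X", that is Desktop and IoT Core; one of the two tables is wrong and they should be reconciled before merge. The index also has no row for the new wcd-usberrorsoemoverride.md page, so that page cannot be reached from this reference.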
--- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index fddacf3a05..e11c92867c 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,6 +7,7 @@ ms.localizationpriority: high ms.prod: w10 ms.sitesec: library ms.pagetype: deploy +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 69ba2f2170..ac8ae9af63 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -1,7 +1,7 @@ --- title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. -keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools +keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: high 
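Review bot: The changed keywords line in windows-10-enterprise-faq-itpro.md still carries the typo "manage udpates" ("+keywords: ... manage udpates, Windows as a service, servicing channels, ..."); since the line is being edited anyway, fix it to "manage updates". The ms.date-only hunks in deploy-enterprise-licenses.md and deploy-whats-new.md need no changes.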
@@ -80,9 +80,9 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. -### What are the servicing branches? +### What are the servicing channels? -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each branch, see [servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). +To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. 
With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels). ### What tools can I use to manage Windows as a service updates? 
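Review bot: Renaming the heading from "What are the servicing branches?" to "What are the servicing channels?" changes the generated anchor, so any existing deep link to the old section will break; either keep a redirect or check for inbound links to the old anchor. The same hunk mixes link styles: the new servicing-channels link is root-relative ("/windows/deployment/update/waas-overview#servicing-channels") while the release-information link in the same paragraph still points at technet.microsoft.com; pick one convention.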
@@ -92,13 +92,13 @@ There are many tools are available. You can choose from these: - Windows Server Update Services - System Center Configuration Manager -For more information on pros and cons for these tools, see [Servicing Tools](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches). +For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools). ## User experience ### Where can I find information about new features and changes in Windows 10 Enterprise? -For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. +For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index dd5cbaf8b7..cddacc1917 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md 
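Review bot: Replacing the "https://tnstage.redmond.corp.microsoft.com/...?branch=rs2" link is the right fix, but it also shows that an internal staging hostname had been published in a public page, so this change should be accompanied by a search of the rest of the repository for other tnstage or redmond.corp links before merge. The Servicing Tools link fix from "#servicing-branches" to "#servicing-tools" corrects a wrong anchor as well as the host. One remaining inconsistency in the same hunk: "What's new in Windows 10" still links to technet.microsoft.com while the version 1703 link beside it is now root-relative.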
@@ -181,12 +181,12 @@ During the life of a device, it may be necessary or desirable to switch between Use media to upgrade to the latest Windows Insider Program build. -Long-Term Servicing Channel (Targeted) -Use media to upgrade to a later Long-Term Servicing Channel build. (Note that the Long-Term Servicing Channel build must be a later build.) +Semi-Annual Channel (Targeted) +Use media to upgrade. Note that the Semi-Annual Channel build must be a later build. -Long-Term Servicing Channel -Use media to upgrade to a later Long-Term Servicing Channel for Business build (Long-Term Servicing Channel build plus fixes). Note that it must be a later build. +Semi-Annual Channel +Use media to upgrade. Note that the Semi-Annual Channel build must be a later build. diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 8d3a787f3c..a6f560cc33 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index f76208ce9c..5f663ae222 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 8e9912ed68..c767d18075 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index d9870313ca..f7f79e2f18 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 63e2727b2a..eb042d424b 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, sccm ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 621de876bd..5a67eebb9e 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- 
@@ -771,6 +772,27 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Add-DnsServerForwarder -IPAddress 192.168.0.2 + **Configure service and user accounts** + + Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +

    +    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    +    Set-ADUser -Identity user1 -PasswordNeverExpires $true
    +    Set-ADUser -Identity administrator -PasswordNeverExpires $true
    +    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    +    
    + 12. Minimize the DC1 VM window but **do not stop** the VM. Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. @@ -984,27 +1006,6 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Restart-Computer -### Configure service and user accounts - -Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - ->To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -On DC1, open an elevated Windows PowerShell prompt and type the following commands: - -
    -New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    -Set-ADUser -Identity user1 -PasswordNeverExpires $true
    -Set-ADUser -Identity administrator -PasswordNeverExpires $true
    -Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    -
    - This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. ## Appendix A: Verify the configuration diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md index db72ab90ec..97e9d04fb9 100644 --- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -1,6 +1,6 @@ --- -title: Overview of BitLocker and device encryption in Windows 10 -description: This topic provides an overview of how BitLocker and device encryption can help protect data on devices running Windows 10. +title: Overview of BitLocker Device Encryption in Windows 10 +description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows 10. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,13 +8,13 @@ ms.pagetype: security author: Justinha --- -# Overview of BitLocker and device encryption in Windows 10 +# Overview of BitLocker Device Encryption in Windows 10 **Applies to** - Windows 10 -This topic explains how BitLocker and device encryption can help protect data on devices running Windows 10. -For an architectural overview about how device encryption works with Secure Boot, see [Secure boot and device encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview). +This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. +For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview). For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies. 
@@ -25,14 +25,14 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi | Windows 7 | Windows 10 | |---|---| -| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. | +| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. | | Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

    Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | | Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. | | BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. | -| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | +| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | The sections that follow describe these improvements in more detail. Also see: 
@@ -60,23 +60,23 @@ Microsoft includes instrumentation in Windows 10 that enables the operating sys BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker. With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10. -## Device encryption +## BitLocker Device Encryption -Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption. +Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support InstantGo. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are InstantGo. 
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. -Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: +Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: -* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). +* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). * If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. 
* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. * Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. -Microsoft recommends that device encryption be enabled on any systems that support it, but the automatic device encryption process can be prevented by changing the following registry setting: +Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: - **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker - **Value**: PreventDeviceEncryption equal to True (1) - **Type**: REG\_DWORD -Administrators can manage domain-joined devices that have device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, device encryption automatically makes additional BitLocker options available. 
No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. +Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. ## Used Disk Space Only encryption diff --git a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md index e8a02af1fd..2315455956 100644 --- a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md 
@@ -50,7 +50,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been p ## Recommendations for domain-joined computers -Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption). +Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption). Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). 
@@ -71,17 +71,17 @@ For older client computers with BitLocker that are domain joined on-premises, Mi -Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). Device encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker device encryption is enabled on the device. Compliance with device encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. -Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. +Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. -For hardware that is compliant with InstantGo and HSTI, when using either of these features, device encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. +For hardware that is compliant with InstantGo and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. 
## Workplace-joined PCs and phones -For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker device encryption is managed over MDM, and similarly for Azure AD domain join. +For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, and similarly for Azure AD domain join. @@ -139,11 +139,11 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace ## Related Articles -[Bitlocker: FAQs](bitlocker-frequently-asked-questions.md) +[BitLocker: FAQs](bitlocker-frequently-asked-questions.md) [Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx) -[Overview of BitLocker and automatic encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption) +[Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) [System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)* diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/device-security/bitlocker/bitlocker-overview.md index b9308ded1b..6a94dab8c8 100644 --- a/windows/device-security/bitlocker/bitlocker-overview.md +++ b/windows/device-security/bitlocker/bitlocker-overview.md 
@@ -67,7 +67,7 @@ When installing the BitLocker optional component on a server you will also need | Topic | Description | | - | - | -| [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. | +| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. | | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | diff --git a/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md b/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md index 557719c15c..5ffc817153 100644 --- a/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -44,7 +44,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use either BitLocker or Device Encryption, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker, or on devices such as tablets or phones that use Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. 
However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. 
@@ -250,9 +250,9 @@ If you have lost the USB flash drive that contains the startup key, then you mus This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. -## Windows RE and BitLocker +## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. 
When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. ## Using additional recovery information diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md index 905dcc1550..0e2e0995b9 100644 --- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md @@ -1,6 +1,6 @@ --- title: Deploy catalog files to support code integrity policies (Windows 10) -description: This article describes how to deploy catalog files to support code integrity policies, one of the main features that are part of Device Guard in Windows 10. +description: This article describes how to deploy catalog files to support code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -16,7 +16,7 @@ author: brianlic-msft Catalog files can be important in your deployment of code integrity polices if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create code integrity policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run. -For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Device Guard." +For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Windows Defender Device Guard." ## Create catalog files 
@@ -30,7 +30,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a golden computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-golden-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies). - > **Note**  This process should **not** be performed on a system with an enforced Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application. + > **Note**  This process should **not** be performed on a system with an enforced Windows Defender Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application. 2. Start Package Inspector, and then start scanning a local drive, for example, drive C: 
@@ -150,7 +150,7 @@ To simplify the management of catalog files, you can use Group Policy preference 2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2. - > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). + > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png) 
@@ -318,9 +318,9 @@ At the time of the next software inventory cycle, when the targeted clients rece ## Related topics -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md index ab8015ffad..71f007b12c 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md 
@@ -1,6 +1,6 @@ --- title: Deploy code integrity policies - policy rules and file rules (Windows 10) -description: This article provides information about two elements in code integrity policies, called policy rules and file rules. Code integrity policies are part of Device Guard in Windows 10. +description: This article provides information about two elements in code integrity policies, called policy rules and file rules. Code integrity policies are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -15,8 +15,8 @@ author: brianlic-msft - Windows Server 2016 Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see: -- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies." -- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard." +- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats) in "Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies." +- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Windows Defender Device Guard." If you already understand the basics of code integrity policy and want procedures for creating, auditing, and merging code integrity policies, see [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md). 
@@ -29,7 +29,7 @@ This topic includes the following sections: ## Overview of the process of creating code integrity policies -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). 
> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies. @@ -47,7 +47,7 @@ To modify the policy rule options of an existing code integrity policy, use the ` Set-RuleOption -FilePath -Option 0` - Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. + Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Windows Defender Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. - To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command: 
@@ -80,7 +80,7 @@ RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as fine-tuned as the hash of each binary or as general as a CA certificate. You specify file rule levels both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules, so that any application that would be allowed by either of the original policies will be allowed by the combined policy. -Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario. +Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Windows Defender Device Guard deployment scenario. Table 3. Code integrity policy - file rule levels @@ -113,5 +113,5 @@ They could also choose to create a catalog that captures information about the u ## Related topics -- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) +- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats) - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) 
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 390575abd4..9f7bef9162 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -1,6 +1,6 @@ --- title: Deploy code integrity policies - steps (Windows 10) -description: This article describes how to deploy code integrity policies, one of the main features that are part of Device Guard in Windows 10. +description: This article describes how to deploy code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Device Guard deployment process, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ## Create a code integrity policy from a golden computer 
@@ -26,11 +26,11 @@ The process for creating a golden code integrity policy from a reference system ### Scripting and applications Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts. -You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). +You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). -Members of the security community\* continuously collaborate with Microsoft® to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies. +Members of the security community\* continuously collaborate with Microsoft® to help protect customers. 
With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies. -Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard: +Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Windows Defender Device Guard: - bash.exe - bginfo.exe[1] @@ -46,7 +46,6 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - mshta.exe - ntsd.exe - rcsi.exe -- SyncAppVPublishingServer.exe - system.management.automation.dll - windbg.exe @@ -65,16 +64,15 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Matt Nelson | @enigma0x3| |Oddvar Moe |@Oddvarmoe| |Alex Ionescu | @aionescu| -|Nick Landers | @monoxgas|
    >[!Note] >This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. -Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions. +Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Windows Defender Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions. -Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. +Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: @@ -118,7 +116,6 @@ Microsoft recommends that you block the following Microsoft-signed applications - 
@@ -187,7 +184,6 @@ Microsoft recommends that you block the following Microsoft-signed applications - @@ -252,7 +248,7 @@ To create a code integrity policy, copy each of the following commands into an e > [!Notes] - > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” 
@@ -264,7 +260,7 @@ To create a code integrity policy, copy each of the following commands into an e ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` -After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. +After you complete these steps, the Windows Defender Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. > [!Note] > We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). @@ -290,7 +286,7 @@ When code integrity policies are run in audit mode, it allows administrators to > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. > [!Note] 
@@ -343,7 +339,7 @@ Use the following procedure after you have been running a computer with a code i > [!Note] > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. -4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: +4. Find and review the Windows Defender Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file. 
@@ -588,7 +584,7 @@ There may be a time when signed code integrity policies cause a boot failure. Be ## Deploy and manage code integrity policies with Group Policy -Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. +Code integrity policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. > [!Note] > This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. 
@@ -602,7 +598,7 @@ To deploy and manage a code integrity policy with Group Policy: 2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3. - > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). + > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png) @@ -612,7 +608,7 @@ To deploy and manage a code integrity policy with Group Policy: 4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Code Integrity Policy** and then click **Edit**. +5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Deploy Code Integrity Policy** and then click **Edit**. ![Edit the group policy for code integrity](images/dg-fig25-editcode.png) 
@@ -636,7 +632,7 @@ To deploy and manage a code integrity policy with Group Policy: ## Related topics -[Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +[Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -[Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +[Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md index 012a60e785..886d093664 100644 --- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md @@ -1,6 +1,6 @@ --- -title: Deploy Device Guard - deploy code integrity policies (Windows 10) -description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Device Guard in Windows 10. +title: Deploy Windows Defender Device Guard - deploy code integrity policies (Windows 10) +description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -8,7 +8,7 @@ ms.localizationpriority: high author: brianlic-msft --- -# Deploy Device Guard: deploy code integrity policies +# Deploy Windows Defender Device Guard: deploy code integrity policies **Applies to** - Windows 10 
@@ -20,13 +20,13 @@ This section includes the following topics: - [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) - [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) -- [Deploy Managed Installer for Device Guard](deploy-managed-installer-for-device-guard.md) +- [Deploy Managed Installer for Windows Defender Device Guard](deploy-managed-installer-for-device-guard.md) To increase the protection for devices that meet certain hardware requirements, you can use virtualization-based security (VBS) with your code integrity policies. -- For requirements, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard) in "Requirements and deployment planning guidelines for Device Guard." -- For steps, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). +- For requirements, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard) in "Requirements and deployment planning guidelines for Windows Defender Device Guard." +- For steps, see [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). 
## Related topics -[Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +[Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md index 45c3ca1f45..7f3deced86 100644 --- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md @@ -1,6 +1,6 @@ --- -title: Deploy Device Guard - enable virtualization-based security (Windows 10) -description: This article describes how to enable virtualization-based security, one of the main features that are part of Device Guard in Windows 10. +title: Deploy Windows Defender Device Guard - enable virtualization-based security (Windows 10) +description: This article describes how to enable virtualization-based security, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
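Review bot: the fragment in the requirements link changes from `#hardware-firmware-and-software-requirements-for-device-guard` to `#hardware-firmware-and-software-requirements-for-windows-defender-device-guard`, which only resolves if the matching heading in requirements-and-deployment-planning-guidelines-for-device-guard.md is renamed in the same change; that file is not part of the visible diff, so please confirm the new heading exists there (or keep the old fragment) before merging. A stale fragment fails silently and just drops the reader at the top of the target page.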
@@ -8,27 +8,27 @@ ms.localizationpriority: high author: brianlic-msft --- -# Deploy Device Guard: enable virtualization-based security +# Deploy Windows Defender Device Guard: enable virtualization-based security **Applies to** - Windows 10 - Windows Server 2016 -Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are a few steps to configure hardware-based security features in Device Guard: +Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Windows Defender Device Guard security offerings. VBS reinforces the most important feature of Windows Defender Device Guard: configurable code integrity. There are a few steps to configure hardware-based security features in Windows Defender Device Guard: -1. **Decide whether to use the procedures in this topic, or to use the Device Guard readiness tool**. To enable VBS, you can download and use [the hardware readiness tool on the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or follow the procedures in this topic. +1. **Decide whether to use the procedures in this topic, or to use the Windows Defender Device Guard readiness tool**. To enable VBS, you can download and use [the hardware readiness tool on the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or follow the procedures in this topic. -2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. 
A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). +2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). -3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). +3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). -4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. 
You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic. +4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic. -For information about enabling Credential Guard, see [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard). +For information about enabling Windows Defender Credential Guard, see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). 
-## Windows feature requirements for virtualization-based security and Device Guard +## Windows feature requirements for virtualization-based security and Windows Defender Device Guard -In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: +In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: - Beginning with Windows 10, version 1607 or Windows Server 2016:
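Review bot: steps 3 and 4 still link to `#windows-feature-requirements-for-virtualization-based-security-and-device-guard` and `#enable-virtualization-based-security-vbs-and-device-guard`, but this same change renames the target headings to "Windows feature requirements for virtualization-based security and Windows Defender Device Guard" and "Enable Virtualization Based Security (VBS) and Windows Defender Device Guard", so the auto-generated fragments become `...-and-windows-defender-device-guard` and both in-page links break. Update the fragments together with the headings, as the step 2 link already does for its cross-file target.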
    Hyper-V Hypervisor, which is enabled automatically. No further action is needed. @@ -42,17 +42,17 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). **Figure 1. Enable operating system features for VBS, Windows 10, version 1511** -## Enable Virtualization Based Security (VBS) and Device Guard +## Enable Virtualization Based Security (VBS) and Windows Defender Device Guard -There are multiple ways to configure VBS features for Device Guard: +There are multiple ways to configure VBS features for Windows Defender Device Guard: - You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic. - You can use Group Policy, as described in the procedure that follows. -- You can configure VBS manually, as described in [Use registry keys to enable VBS and Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic. +- You can configure VBS manually, as described in [Use registry keys to enable VBS and Windows Defender Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic. > **Note**  We recommend that you test-enable these features on a group of test computers before you enable them on users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail. -### Use Group Policy to enable VBS and Device Guard +### Use Group Policy to enable VBS and Windows Defender Device Guard 1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. 
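Review bot: the bullet "You can configure VBS manually, as described in [Use registry keys to enable VBS and Windows Defender Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard)" updates the link text but keeps the old fragment, while the heading "### Use registry keys to enable VBS and Windows Defender Device Guard" is renamed later in this file; the fragment should become `#use-registry-keys-to-enable-vbs-and-windows-defender-device-guard` to match, otherwise the link stops resolving.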
@@ -64,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard: 3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. +4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. ![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png) @@ -76,7 +76,7 @@ There are multiple ways to configure VBS features for Device Guard: Figure 4. Configure VBS, Secure Boot setting (in Windows 10, version 1607) - > **Important**  These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). + > **Important**  These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). 6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option. 
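Review bot: in the @@ -64,7 hunk the path `Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Defender Device Guard` is a literal navigation path into the Administrative Templates tree, not prose, so it should only change if the ADMX category was actually relabeled. The identifiers this patch correctly leaves alone (the `DeviceGuard` registry key, the `DeviceGuard-GPEXT` event channel, the `Win32_DeviceGuard` WMI class) suggest the product rename did not reach such names, and a reader following the renamed path would not find the node; please verify against the ADMX and revert if the folder is still labeled "Device Guard". In the @@ -76,7 hunk the fragment `#how-windows-defender-device-guard-features-help-protect-against-threats` likewise depends on the corresponding heading in the introduction topic being renamed in this change, which the visible part of that file's diff does not show.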
@@ -95,15 +95,15 @@ There are multiple ways to configure VBS features for Device Guard: 7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart. -8. Check the test computer’s event log for Device Guard GPOs. +8. Check the test computer’s event log for Windows Defender Device Guard GPOs. - Processed Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. + Processed Windows Defender Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. ->**Note**  Events will be logged in this event channel only when Group Policy is used to enable Device Guard features, not through other methods. If other methods such as registry keys are used, Device Guard features will be enabled but the events won’t be logged in this event channel. +>**Note**  Events will be logged in this event channel only when Group Policy is used to enable Windows Defender Device Guard features, not through other methods. If other methods such as registry keys are used, Windows Defender Device Guard features will be enabled but the events won’t be logged in this event channel. -### Use registry keys to enable VBS and Device Guard +### Use registry keys to enable VBS and Windows Defender Device Guard -Set the following registry keys to enable VBS and Device Guard. This provides exactly the same set of configuration options provided by Group Policy. +Set the following registry keys to enable VBS and Windows Defender Device Guard. 
This provides exactly the same set of configuration options provided by Group Policy. > [!WARNING] > Virtualization-based protection of code integrity (controlled through the registry key **HypervisorEnforcedCodeIntegrity**) may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). @@ -111,7 +111,7 @@ Set the following registry keys to enable VBS and Device Guard. This provides ex > **Important**   -> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
    +> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
    > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. #### For Windows 1607 and above @@ -210,9 +210,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` -### Validate enabled Device Guard hardware-based security features +### Validate enabled Windows Defender Device Guard hardware-based security features -Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: +Windows 10 and Windows Server 2016 and later have a WMI class for Windows Defender Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: ` Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` @@ -238,7 +238,7 @@ Table 1. Win32\_DeviceGuard properties AvailableSecurityProperties -This field helps to enumerate and report state on the relevant security properties for Device Guard. +This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
    • 0. If present, no relevant properties exist on the device.

    • 1. If present, hypervisor support is available.

    • @@ -273,19 +273,19 @@ Table 1. Win32\_DeviceGuard properties SecurityServicesConfigured -This field indicates whether the Credential Guard or HVCI service has been configured. +This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
      • 0. No services configured.

      • -
      • 1. If present, Credential Guard is configured.

      • +
      • 1. If present, Windows Defender Credential Guard is configured.

      • 2. If present, HVCI is configured.

      SecurityServicesRunning -This field indicates whether the Credential Guard or HVCI service is running. +This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
      • 0. No services running.

      • -
      • 1. If present, Credential Guard is running.

      • +
      • 1. If present, Windows Defender Credential Guard is running.

      • 2. If present, HVCI is running.

      @@ -311,14 +311,14 @@ Table 1. Win32\_DeviceGuard properties -Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6. +Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6. -![Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) +![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) -Figure 6. Device Guard properties in the System Summary +Figure 6. Windows Defender Device Guard properties in the System Summary ## Related topics -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md index f5754dfb28..53d92d3c77 100644 --- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md 
+++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md @@ -1,5 +1,5 @@ --- -title: Deploy Managed Installer for Device Guard (Windows 10) +title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10) description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. keywords: virtualization, security, malware ms.prod: w10 @@ -8,9 +8,9 @@ ms.localizationpriority: high author: mdsakibMSFT --- -# Deploy Managed Installer for Device Guard +# Deploy Managed Installer for Windows Defender Device Guard -Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md). +Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md). This is especially true for enterprises with large, ever changing software catalogs. Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. 
@@ -21,14 +21,14 @@ A managed installer helps an IT admin balance security and manageability require A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment. Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. -Once the IT administrator adds the Allow: Managed Installer option to a configurable CI policy for Device Guard, the configurable CI component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. +Once the IT administrator adds the Allow: Managed Installer option to a configurable CI policy for Windows Defender Device Guard, the configurable CI component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the managed installer origin information. > [!NOTE] > Admins needs to ensure that there is a CI policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer. > > Examples of CI policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps. -> Admins can reference and customize them as needed for their Device Guard deployment. +> Admins can reference and customize them as needed for their Windows Defender Device Guard deployment. ## Configuring a managed installer with AppLocker and configurable code integrity policy 
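Review bot: while this note is being edited, the unchanged context line "> Admins needs to ensure that there is a CI policy in place" has a subject-verb disagreement and should read "Admins need to ensure"; worth fixing in the same commit since the surrounding lines of the note are already touched.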
@@ -151,8 +151,8 @@ An example of the managed installer option being set in policy is shown below. Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. -Users with administrator privileges on the system may be able to circumvent the intent of Device Guard configurable CI when the managed installer option is allowed. -If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users may be able to circumvent the intent of Device Guard configurable CI policy. +Users with administrator privileges on the system may be able to circumvent the intent of Windows Defender Device Guard configurable CI when the managed installer option is allowed. +If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users may be able to circumvent the intent of Windows Defender Device Guard configurable CI policy. In some cases, the heuristic tracking and authorizing applications may be active on the first execution of an application that is laid down from a designated managed installer. Typically, this would occur if the managed installer executes the application directly as part of the installation process. To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation. diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index da932fc370..2b460c583b 100644 
--- a/windows/device-security/device-guard/device-guard-deployment-guide.md +++ b/windows/device-security/device-guard/device-guard-deployment-guide.md @@ -1,6 +1,6 @@ --- -title: Device Guard deployment guide (Windows 10) -description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. +title: Windows Defender Device Guard deployment guide (Windows 10) +description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware ms.prod: w10 
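Review bot: the mechanical replacement turns the description into "Microsoft Windows Defender Device Guard is a feature set...", which stacks the vendor prefix on top of a product name that already carries it; drop "Microsoft" here, and apply the same fix to the identical description line in the introduction topic's front matter at the end of this patch.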
@@ -9,23 +9,23 @@ ms.localizationpriority: high author: brianlic-msft --- -# Device Guard deployment guide +# Windows Defender Device Guard deployment guide **Applies to** - Windows 10 - Windows Server 2016 -Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. +Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. 
-This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. It includes: +This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes: -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) +- [Requirements and deployment planning guidelines for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) -- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) - [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) 
@@ -35,7 +35,7 @@ This guide explores the individual features in Device Guard as well as how to pl - [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) -- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +- [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## Related topics @@ -45,10 +45,10 @@ This guide explores the individual features in Device Guard as well as how to pl [Code integrity](https://technet.microsoft.com/library/dd348642.aspx) -[Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) +[Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) -[Driver compatibility with Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10) +[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10) -[Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) +[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 8c995bb3fe..e5593fe7b8 100644 
--- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md @@ -1,6 +1,6 @@ --- -title: Introduction to Device Guard - virtualization-based security and code integrity policies (Windows 10) -description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. +title: Introduction to Windows Defender Device Guard - virtualization-based security and code integrity policies (Windows 10) +description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
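Review bot: the new `description:` front-matter line in this hunk reads "Microsoft Windows Defender Device Guard is a feature set ...", which stacks two brand prefixes in a row; drop "Microsoft" so it reads "Windows Defender Device Guard is a feature set ...", matching the renamed `title:` line and the H1 and body text changed in the next hunk of the same file.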
@@ -8,47 +8,47 @@ ms.localizationpriority: high author: brianlic-msft --- -# Introduction to Device Guard: virtualization-based security and code integrity policies +# Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies **Applies to** - Windows 10 - Windows Server 2016 -With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. +With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been available in previous versions of the Windows operating system, and protects the kernel mode from running unsigned drivers. In Windows 10 and Windows Server 2016, UMCI is also available, to help protect against viruses and malware. -To increase the security level offered by code integrity policies, Device Guard can leverage advanced hardware features on hardware that supports them. 
These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Device Guard and these hardware features can help protect against various threats. +To increase the security level offered by code integrity policies, Windows Defender Device Guard can leverage advanced hardware features on hardware that supports them. These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats. -For an overview of the process of deploying Device Guard features, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +For an overview of the process of deploying Windows Defender Device Guard features, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). 
-## How Device Guard features help protect against threats +## How Windows Defender Device Guard features help protect against threats -The following table lists security threats and describes the corresponding Device Guard features: +The following table lists security threats and describes the corresponding Windows Defender Device Guard features: -| Security threat in the enterprise | How a Device Guard feature helps protect against the threat | +| Security threat in the enterprise | How a Windows Defender Device Guard feature helps protect against the threat | | --------------------------------- | ----------------------------------------------------------- | | **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
      Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

      **Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | | **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:  Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

      **Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. | -| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
      With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

      **Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
      With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

      **Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | | **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.

      **Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | -| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.

      **Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.

      **Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | -In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). +In this guide, you learn about the individual features found within Windows Defender Device Guard as well as how to plan for, configure, and deploy them. Windows Defender Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). ## New and changed functionality As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins). 
-## Tools for managing Device Guard features +## Tools for managing Windows Defender Device Guard features -You can easily manage Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: +You can easily manage Windows Defender Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: -- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. +- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Windows Defender Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. - - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Device Guard features help protect against threats](#how-device-guard-features-help-protect-against-threats), earlier in this topic. 
+ - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Windows Defender Device Guard features help protect against threats](#how-windows-defender-device-guard-features-help-protect-against-threats), earlier in this topic. - For information about using Group Policy as a deployment tool, see:
      [Deploy catalog files with Group Policy](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-group-policy)
      [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy) - **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-system-center-configuration-manager). 
@@ -59,25 +59,25 @@ You can easily manage Device Guard features by using familiar enterprise and cli These options provide the same experience you're used to in order to manage your existing enterprise management solutions. -For more information about the deployment of Device Guard features, see: -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) -- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +For more information about the deployment of Windows Defender Device Guard features, see: +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) -## Other features that relate to Device Guard +## Other features that relate to Windows Defender Device Guard -### Device Guard with AppLocker +### Windows Defender Device Guard with AppLocker -Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. +Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. 
There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. -> **Note**  One example of how Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. +> **Note**  One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. -AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. +AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. 
-### Device Guard with Credential Guard +### Windows Defender Device Guard with Windows Defender Credential Guard -Another Windows 10 feature that employs VBS is [Credential Guard](/windows/access-protection/credential-guard/credential-guard). Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Credential Guard (which is not a feature within Device Guard), see [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard). +Another Windows 10 feature that employs VBS is [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). Windows Defender Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Windows Defender Credential Guard (which is not a feature within Windows Defender Device Guard), see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). -Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. +Windows Defender Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Windows Defender Credential Guard, organizations can gain additional protection against such threats. 
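Review bot: renaming the heading to "### Windows Defender Device Guard with AppLocker" also changes its generated anchor (from `#device-guard-with-applocker` to `#windows-defender-device-guard-with-applocker`), and the planning topic touched later in this same patch still links to the old anchor, so that link will break; either update every inbound link in the same change or keep the old anchor resolvable (for example by adding an explicit `<a id="device-guard-with-applocker"></a>` above the heading). The same check applies to the renamed "### Windows Defender Device Guard with Windows Defender Credential Guard" heading.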
diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md index 32732cc6a1..dbd9304e45 100644 --- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md +++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md @@ -1,6 +1,6 @@ --- title: Optional - Create a code signing certificate for code integrity policies (Windows 10) -description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Device Guard in Windows 10. +description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -As you deploy code integrity policies (part of Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). +As you deploy code integrity policies (part of Windows Defender Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: @@ -96,7 +96,7 @@ When the certificate has been exported, import it into the personal store for th ## Related topics -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) 
diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index c822167621..3cff963c28 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -1,6 +1,6 @@ --- -title: Planning and getting started on the Device Guard deployment process (Windows 10) -description: To help you plan and begin the initial test stages of a deployment of Microsoft Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. +title: Planning and getting started on the Windows Defender Device Guard deployment process (Windows 10) +description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
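Review bot: the `description:` line in this hunk becomes "a deployment of Microsoft Windows Defender Device Guard", the same double brand prefix as in the introduction topic's front matter; drop "Microsoft" so it reads "a deployment of Windows Defender Device Guard", consistent with the `title:` line directly above it.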
@@ -8,19 +8,20 @@ ms.localizationpriority: high author: brianlic-msft --- -# Planning and getting started on the Device Guard deployment process +# Planning and getting started on the Windows Defender Device Guard deployment process **Applies to** - Windows 10 - Windows Server 2016 -This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. +This topic provides a roadmap for planning and getting started on the Windows Defender Device Guard deployment process, with links to topics that provide additional detail. Planning for Windows Defender Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. ## Planning -1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). +1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). 
Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard(requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-hardware-firmware-and-software-requirements-for- +windows-defender-device-guard). -2. **Group devices by degree of control needed**. Group devices according to the table in [Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
      Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. +2. **Group devices by degree of control needed**. Group devices according to the table in [Windows Defender Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
      Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: - How standardized is the hardware?
      This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. @@ -32,20 +33,20 @@ This topic provides a roadmap for planning and getting started on the Device Gua - Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline code integrity policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? - In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). + In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Device Guard code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). Legitimate applications from trusted vendors provide valid functionality. 
However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used. - Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps). + Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps). -4. 
**Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). +4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). ## Getting started on the deployment process 
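Review bot: The AppLocker cross-reference in this hunk still uses the anchor `#device-guard-with-applocker`, while the other links into introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies in this same patch were changed to the renamed form (`#how-windows-defender-device-guard-features-help-protect-against-threats`). If the "Device Guard with AppLocker" heading in that topic was renamed to the Windows Defender form, this anchor is now stale; if it was not, the other anchors are. Confirm the headings in the introduction topic and make the anchors consistent. This link also points at the absolute technet.microsoft.com URL instead of the relative `.md` path used for the neighbouring links, which is worth normalizing while the line is being rewritten.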
@@ -67,11 +68,11 @@ This topic provides a roadmap for planning and getting started on the Device Gua - [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies) - [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
      -8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). +8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). - For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). + For information about enabling VBS features, see [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
      \ No newline at end of file diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md index 9b22432875..ec2f600b51 100644 --- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -1,6 +1,6 @@ --- -title: Requirements and deployment planning guidelines for Device Guard (Windows 10) -description: To help you plan a deployment of Microsoft Device Guard, this article describes hardware requirements for Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. +title: Requirements and deployment planning guidelines for Windows Defender Device Guard (Windows 10) +description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
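Review bot: The new `description:` line reads "Microsoft Windows Defender Device Guard", which stacks the vendor name onto a product name that already carries it; the `title:` line in the same hunk and the body of the file use "Windows Defender Device Guard" alone. Suggest dropping "Microsoft" from the description so the metadata matches the body.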
@@ -8,31 +8,31 @@ ms.localizationpriority: high author: brianlic-msft --- -# Requirements and deployment planning guidelines for Device Guard +# Requirements and deployment planning guidelines for Windows Defender Device Guard **Applies to** - Windows 10 - Windows Server 2016 -The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ->**Note**  If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). +>**Note**  If you are an OEM, see the requirements information at [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). -## Hardware, firmware, and software requirements for Device Guard +## Hardware, firmware, and software requirements for Windows Defender Device Guard -To deploy Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats. +To deploy Windows Defender Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. 
However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats. -For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Device Guard, see [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). +For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). -You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +You can deploy Windows Defender Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. 
We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). -The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. +The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > **Notes**
      -> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
      +> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
      > • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. ## Baseline protections 
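Review bot: The OEM note rewrites the link text to "PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard" while the target is an external MSDN page (mt767514) that this patch does not change; if that page still titles itself with the old "Device Guard and Credential Guard" names, the link text will not match its destination. Suggest verifying the target page's current title and keeping the link text identical to it.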
@@ -44,9 +44,9 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

      | Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.

      | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | -> **Important**  The following tables list additional qualifications for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Device Guard can provide. +> **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. ## Additional qualifications for improved security @@ -80,32 +80,32 @@ The following tables describe additional hardware and firmware qualifications, a | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
      • UEFI runtime service must meet these requirements:
          • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
          • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
          • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
              • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
              • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

      Notes:
      • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
      • This protection is applied by VBS on OS page tables.


      Please also note the following:
      • Do not use sections that are both writeable and exceutable
      • Do not attempt to directly modify executable system memory
      • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware.
      • Blocks additional security attacks against SMM. | -## Device Guard deployment in different scenarios: types of devices +## Windows Defender Device Guard deployment in different scenarios: types of devices -Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization. +Typically, deployment of Windows Defender Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Windows Defender Device Guard in your organization. -| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** | +| **Type of device** | **How Windows Defender Device Guard relates to this type of device** | **Windows Defender Device Guard components that you can use to protect this kind of device** | |------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | +| **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After Windows Defender Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | | **Fully managed devices**: Allowed software is restricted by IT department.
      Users can request additional software, or install from a list of applications provided by IT department.
      Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
      Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | -| **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

      • Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | +| **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

      • Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Windows Defender Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | -## Device Guard deployment in virtual machines +## Windows Defender Device Guard deployment in virtual machines -Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Device Guard are the same from within the virtual machine. +Windows Defender Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Device Guard are the same from within the virtual machine. -Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine: +Windows Defender Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Windows Defender Device Guard for a virtual machine: ` Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` -### Requirements for running Device Guard in Hyper-V virtual machines +### Requirements for running Windows Defender Device Guard in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
- - Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. - - Virtual Fibre Channel adapters are not compatible with Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. + - Windows Defender Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. + - Virtual Fibre Channel adapters are not compatible with Windows Defender Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. + - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Windows Defender Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. ## Reviewing your applications: application signing and catalog files 
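Review bot: The `Set-VMSecurity` line in the virtual machines section, carried as unchanged context in this hunk, is missing the value for `-VMName`: `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` fails with a missing-argument error for `VMName` because the next token is another parameter name. Since the paragraph introducing it is being rewritten, suggest `Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true` in a fenced `powershell` block rather than inline backticks with a leading space. The same hunk also carries unchanged typos worth fixing while here: "exceutable" (three occurrences) and "volitile" in the NX protection row, and the SMM row's "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS" is not a sentence.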
@@ -124,9 +124,9 @@ To obtain signed applications or embed signatures in your in-house applications, To use catalog signing, you can choose from the following options: -- Use the Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal). +- Use the Windows Defender Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal). -- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ### Catalog files 
@@ -136,9 +136,9 @@ Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered After you have created and signed your catalog files, you can configure your code integrity policies to trust the signer or signing certificate of those files. -> **Note**  Package Inspector only works on operating systems that support Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. +> **Note**  Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. -For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). +For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). ## Code integrity policy formats and signing 
@@ -150,7 +150,7 @@ When the code integrity policy is deployed, it restricts the software that can r ## Related topics -- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 74c6e5b0d6..2e3b61ee92 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -148,24 +148,25 @@ ## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md) ### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md) #### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md) -### [Protect devices from exploits with Windows Defender Exploit Guard](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) +#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md) + +### [Exploit Protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) #### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md) #### [Evaluate Exploit Protection](windows-defender-exploit-guard\evaluate-exploit-protection.md) #### [Enable Exploit Protection](windows-defender-exploit-guard\enable-exploit-protection.md) #### [Customize Exploit Protection](windows-defender-exploit-guard\customize-exploit-protection.md) -##### [Configure system-wide settings for Exploit Protection](windows-defender-exploit-guard\configure-system-exploit-protection.md) -##### [Individually configure apps for Exploit Protection](windows-defender-exploit-guard\configure-app-exploit-protection.md) -### [Reduce attack surfaces with Windows Defender Exploit Guard](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) +##### [Import, export, and deploy Exploit Protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md) +### [Attack Surface Reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) #### [Evaluate Attack Surface Reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) #### [Enable Attack Surface 
Reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) #### [Customize Attack Surface Reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) -### [Protect your network with Windows Defender Exploit Guard](windows-defender-exploit-guard\network-protection-exploit-guard.md) +### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) #### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md) #### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md) -### [Protect important folders with controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) +### [Controlled Folder Access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) #### [Evaluate Controlled Folder Access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md) -#### [Customize Controlled Folder Access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md) #### [Enable Controlled Folder Access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md) +#### [Customize Controlled Folder Access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index fdb8d3eec8..7e6a5244b8 100644 --- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- 
diff --git a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 66f292c972..7c7eed2793 100644 --- a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Reference topics for management and configuration tools diff --git a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 28d95b5f7c..bc92d0c50e 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -10,6 +10,9 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 + --- # Configure scanning options in Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 51e4da766a..01bec5d98d 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index 9db9a1a011..ffae20dfe9 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure the cloud block timeout period diff --git a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index 6483bcb53a..6843c1e01d 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure end-user interaction with Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 4b7b42f001..885b929ee5 100644 
--- a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Prevent or allow users to locally modify Windows Defender AV policy settings diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 1d44078c65..cc04c936e3 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure and validate network connections for Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 8cce4e1f03..92cb4eab33 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure the notifications that appear on endpoints 
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index c1996876ef..882fec2cbe 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure behavioral, heuristic, and real-time protection diff --git a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 34adf05d43..2f73f17890 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 2ae2cc1683..3c3d477567 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 1e58b44fb0..315e1bc411 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure Windows Defender Antivirus features diff --git a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 6eb5d98e2e..98b3c9615d 100644 --- a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Customize, initiate, and review the results of Windows Defender AV scans and remediation diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index 447437331e..02fb05242b 100644 --- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md 
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Deploy, manage, and report on Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 8424255df1..adf719ad5b 100644 --- a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Deploy and enable Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index c1f14fe426..e33ddf160c 100644 --- a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment diff --git a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 256b81f90d..c0f1e340b7 100644 
--- a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Detect and block Potentially Unwanted Applications diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 755d7bb810..a997f2b43b 100644 --- a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Enable cloud-delivered protection in Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index 15297f3b96..ebc5c3cbc4 100644 --- a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Evaluate Windows Defender Antivirus protection 
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 123057dc01..201de035c2 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage event-based forced updates diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 8e92f2d2cd..bf8666ecc1 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- # Manage updates and scans for endpoints that are out of date diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index d5838972b1..06ac450ee6 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md 
@@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage the schedule for when protection updates should be downloaded and applied diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 214f619f3f..554e426b6d 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- # Manage the sources for Windows Defender Antivirus protection updates diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 374162b001..77c6833644 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage Windows Defender Antivirus updates and apply baselines diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index efcdb994fa..638419e42b 100644 
--- a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Manage updates for mobile devices and virtual machines (VMs) diff --git a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index 1da8e5b737..0c2af7f269 100644 --- a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Prevent users from seeing or interacting with the Windows Defender AV user interface diff --git a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 2082f44329..ba5043b800 100644 --- a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Report on Windows Defender Antivirus protection 
diff --git a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 3307e84851..90bc57e8a3 100644 --- a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Review Windows Defender AV scan results diff --git a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 0fb07edd90..e4f58850f2 100644 --- a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index f9ad88746b..deb05534d1 100644 --- a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- 
diff --git a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index 8e3ea5d3bf..8a1f3a3a08 100644 --- a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Specify the cloud-delivered protection level diff --git a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index 79abd8d757..55a97e770f 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use Group Policy settings to configure and manage Windows Defender AV 
@@ -82,7 +84,7 @@ Reporting | Configure time out for detections in non-critical failed state | Not Reporting | Configure time out for detections in recently remediated state | Not used Reporting | Configure time out for detections requiring additional action | Not used Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -Root | Turn off Windows Defender Antivirus | Not used +Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly) Root | Define addresses to bypass proxy server | Not used Root | Define proxy auto-config (.pac) for connecting to the network | Not used Root | Define proxy server for connecting to the network | Not used diff --git a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 49226c4cf3..914d50f8b3 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 91fc5c207e..6a3cb8e8bd 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md 
+++ b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use PowerShell cmdlets to configure and manage Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index 306bf240d2..e009932162 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 49d63c897a..b8b5733748 100644 --- a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus 
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index 8b27b216a4..2f90715cf9 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Windows Defender Antivirus in Windows 10 and Windows Server 2016 diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index f15f7b81a6..91520bc734 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 4672b5eff4..3168581911 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Run and review the results of a Windows Defender Offline scan 
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 107ae34521..dc8b0b0597 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index a03b3514c2..c9f657f6f9 100644 --- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -25,7 +25,9 @@ Your environment needs the following hardware to run Application Guard. |--------|-----------| |64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

      **-AND-**

      One of the following virtualization extensions for VBS:

      VT-x (Intel)

      **-OR-**

      AMD-V| -|Hardware memory|4 GB minimum, 8 GB recommended| +|Hardware memory|8 GB minimum, 16 GB recommended| +|Hard disk|5 GB free space, solid state disk (SSD) recommended| +|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| ## Software requirements Your environment needs the following hardware to run Application Guard. @@ -34,4 +36,4 @@ Your environment needs the following hardware to run Application Guard. |--------|-----------| |Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)| |Browser|Microsoft Edge and Internet Explorer| -|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

      **-OR-**

      [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

      **-OR-**

      [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

      **-OR-**

      Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| \ No newline at end of file +|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

      **-OR-**

      [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

      **-OR-**

      [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

      **-OR-**

      Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index cea3a9d683..3419078fcb 100644 --- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -7,8 +7,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: iawilt -author: iaanw +ms.author: macapara +author: mjcaparas ms.localizationpriority: high --- diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index fb191cc3b3..82f32619ad 100644 --- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md 
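Review bot: the new `Input/Output Memory Management Unit (IOMMU) support | Not required, but strongly recommended` row gives no reason for the recommendation, so readers cannot weigh it against the other rows; add a short clause on what it enables, the way the 64-bit CPU row explains the VBS dependency. Two other points in this region: the context line `## Software requirements Your environment needs the following hardware to run Application Guard.` still says hardware under the software heading, and the second hunk (`@@ -34,4 +36,4 @@`) re-adds the Management system row unchanged except for the trailing newline, which is worth saying in the commit message so it is not mistaken for a content edit.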
@@ -52,10 +52,9 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen Added comments instantly appear on the pane. ## Suppress alerts +There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. -Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**. - -Suppression rules can be created from an existing alert. +Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created. 
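Review bot: the new sentence `known to be innocuous such as known tools or processes in your organization` invites suppressing by tool name, but a legitimate admin tool is exactly what an attacker reuses, so a rule keyed on it hides the malicious use as well. Add a line steering readers to scope a rule to a single machine where that is enough and to review the suppression list periodically; the paragraph already notes that rules can be disabled and re-enabled, which is the right hook for that advice. Also `reenabled` should be `re-enabled`.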
@@ -64,7 +63,9 @@ There are two contexts for a suppression rule that you can choose from: - **Suppress alert on this machine** - **Suppress alert in my organization** -The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule: +The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal. + +You can use the examples in the following table to help you choose the context for a suppression rule: | **Context** | **Definition** | **Example scenarios** | |:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
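Review bot: `ensure that only real security alerts are surfaced into the portal` overstates what a suppression rule does: it hides alerts that match the rule, it does not validate the ones that remain. The removed wording (`limit the alerts you see in the **Alerts queue**`) was closer; keep the claim about the context choice narrow, for example `The context of the rule determines whether matching alerts are hidden for one machine or for the whole organization.`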
@@ -87,35 +88,28 @@ Create custom rules to control when alerts are suppressed, or resolved. You can > [!NOTE] > You cannot create a custom or blank suppression rule. You must start from an existing alert. + 4. Specify the conditions for when the rule is applied: - - Alert title - - Indicator of compromise (IOC) - - Suppression conditions + - Alert title + - Indicator of compromise (IOC) + - Suppression conditions > [!NOTE] - > The SHA1 of the alert cannot be modified -5. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. You can also specify to suppress the alert on the machine only or the whole organization. + > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions. + +5. Specify the action and scope on the alert.
      + You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization. 6. Click **Save and close**. -**See the list of suppression rules:** +### View the list of suppression rules -1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen. -2. Click **Suppression rules**. +1. Click **Alerts queue** > **Suppression rules**. - ![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png) - -The list of suppression rules shows all the rules that users in your organization have created. -![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png) - -Each rule shows: - -- (1) The title of the alert that is suppressed -- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization -- (3) The date when the alert was suppressed -- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards. +2. The list of suppression rules shows all the rules that users in your organization have created. +You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules. ## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) 
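Review bot: the amended note `you can clear the SHA1 to remove it from the suppression conditions` needs a warning that clearing the hash widens the rule from one specific file to any alert that matches the remaining title and IOC conditions; say so at the step where the user makes that choice. In step 5, `suppressed from the entire system` is ambiguous next to the machine-versus-organization scope choice in the following sentence, and the removed legend text that explained deleting a rule restores future alerts is gone, so say whether hidden alerts remain retrievable anywhere. The new `### View the list of suppression rules` section also drops the details of what each rule shows and the delete option, and `images/atp-suppression-rules.png` and `images/rules-legend.png` are no longer referenced; confirm those files are removed or still accurate.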
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 2232344229..897439c53a 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -7,8 +7,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: iawilt -author: iaanw +ms.author: macapara +author: mjcaparas ms.localizationpriority: high --- diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 25f91f1191..0916abe7b6 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,15 +11,19 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- + # Reduce attack surfaces with Windows Defender Exploit Guard **Applies to:** -- Windows 10 Insider Preview +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] **Audience** 
@@ -37,7 +41,7 @@ Attack Surface Reduction helps prevent actions and apps that are typically used It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection). +Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: 
@@ -45,10 +49,78 @@ The feature is comprised of a number of rules, each of which target specific beh - Scripts that are obfuscated or otherwise suspicious - Behaviors that apps undertake that are not usually inititated during normal day-to-day work +See the [Attack Surface Reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule. + When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled. +## Attack Surface Reduction rules + +The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: + +Rule name | GUIDs +-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B + + +### Rule: Block executable content from email client and webmail + + +This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): + +- Executable files (such as .exe, 
.dll, or .scr) +- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +- Script archive files + + + +### Rule: Block Office applications from creating child processes + +Office apps, such as Word or Excel, will not be allowed to create child processes. + +This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + +### Rule: Block Office applications from creating executable content + +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. + +Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. + + +### Rule: Block Office applications from injecting into other processes + + +Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. + +This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. + + + +### Rule: Impede JavaScript and VBScript to launch executables + +JavaScript and VBScript scripts can be used by malware to launch other malicious apps. + +This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. + + + +### Rule: Block execution of potentially obfuscated scripts + +Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. + +This rule prevents scripts that appear to be obfuscated from running. 
+ +It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them. + + + ## Requirements @@ -60,17 +132,21 @@ Windows 10 version | Windows Defender Antivirus Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled + + ## Review Attack Surface Reduction events in Windows Event Viewer -You can review the Windows event log to see events there are created when an Attack Surface Reduction rule is triggered: +You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited): -1. Download the [Exploit Guard Evaluation Package](#) and extract the file *asr-events.xml* to an easily accessible location on the machine. +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 2. On the left panel, under **Actions**, click **Import custom view...** -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml). + ![](images/events-import.gif) + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. 
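Review bot: the rule table lists `Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`, but there is no matching `### Rule:` section below it, while the other six rules each get one; add the section or drop the row. Smaller fixes in the same hunk: `PowerShell .ps` should be `.ps1`; `AntiMalwareScanInterface (AMSI)` is the Antimalware Scan Interface; `Windows Scripting Host` is Windows Script Host; the rule name `Impede JavaScript and VBScript to launch executables` reads better as `from launching executables` (the heading repeats it); the `GUIDs` column header holds one GUID per rule; and `inititated` in the context line is a typo. The obfuscated-scripts section says it `blocks scripts when an attempt is made to access them`, which leaves unclear whether the block happens at load or at execution; say which.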
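Review bot: `![](images/events-import.gif)` in the Event Viewer steps has empty alt text; the other images in this set carry a description and a screen reader gets nothing here. The step also now sends readers to `https://aka.ms/mp7z2w` for the evaluation package and to `event-views-exploit-guard.md` for the XML; since the reader imports that XML into Event Viewer, the topic should state what the custom view filters on (which log and which event IDs) so the file can be checked before it is imported.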
@@ -88,7 +164,7 @@ You can review the Windows event log to see events there are created when an Att - **ID**: matches with the Rule-ID that triggered the block/audit. - **Detection time**: Time of detection -- **Process Name**: The process that performed the operation that was blocked/audited +- **Process Name**: The process that performed the "operation" that was blocked/audited - **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index d3ce46793b..e2f11fc337 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -1,6 +1,6 @@ --- -title: Test how the features will work in your organization -description: Auditing mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled +title: Test how Windows Defender EG features will work in your organization +description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh ms.pagetype: security 
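Review bot: the only change in this hunk puts scare quotes around `operation` in `The process that performed the "operation" that was blocked/audited`, which makes the field description read as ironic; drop the quotes, or name what the operation is (the action the rule intercepted).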
@@ -11,51 +11,72 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- -# Use auditing mode to evaluate Windows Defender Exploit Guard features +# Use audit mode to evaluate Windows Defender Exploit Guard features + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators -You can enable each of the features of Windows Defender Explot Guard in auditing mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. -While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable auditing mode and then review the event log to see what impact the feature would have had were it enabled. +While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. 
Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection). +You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -This topic links to topics that describe how to enable the auditing functionality for each feature and how to view events in the Windows Event Viewer. +This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. -You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable auditing mode. +You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode. 
- -Auditing options | How to enable auditing mode | How to view events +Audit options | How to enable audit mode | How to view events - | - | - -Auditing applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) -Auditing applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) -Auditing applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) -Auditing applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) +Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection 
events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) +Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) + + +You can also use the a custom PowerShell script that enables the features in audit mode automatically: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine. + +1. Type **powershell** in the Start menu. + +2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. + +3. Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode: + ```PowerShell + Set-ExecutionPolicy Bypass -Force + \Enable-ExploitGuardAuditMode.ps1 + ``` + + Replace \ with the folder path where you placed the file. + + A message should appear to indicate that audit mode was enabled. ## Related topics Topic | Description ---|--- -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) - [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) - [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) - -## Enabling Windows Defender EG rules in audit mode -Use the script Enable-ExploitGuardAuditMode.ps1 to turn on the ASR rules and Controlled Folder Access into audit mode via Local GP on a device. 
This allows one to observe how the rules would perform across various machines in your system, and determine which can be turned on in Block mode and if any exclusions need to be applied. -**Note:** Rename Enable-ExploitGuardAuditMode.rename to Enable-ExploitGuardAuditMode.ps1 -Run the following in an elevated powershell prompt: -- Set-ExecutionPolicy Bypass -Force -- .\Enable-ExploitGuardAuditMode.ps1 -Successful output should indicate ASR and Controlled Folder Access were turned on in audit mode \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/configure-app-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/configure-app-exploit-protection.md deleted file mode 100644 index 95abdbbd6f..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/configure-app-exploit-protection.md +++ /dev/null 
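Review bot: the new step 3 has readers run `Set-ExecutionPolicy Bypass -Force` in an elevated prompt, which changes the machine-wide execution policy and leaves it that way after the evaluation is over. Prefer a non-persistent form such as `Set-ExecutionPolicy Bypass -Scope Process -Force` or `powershell.exe -ExecutionPolicy Bypass -File Enable-ExploitGuardAuditMode.ps1`. The path placeholder in the same block rendered as `\Enable-ExploitGuardAuditMode.ps1` and `Replace \ with the folder path`, so the angle-bracket placeholder was swallowed as an HTML tag; escape it or spell it out. The removed section also said the package ships the script as `Enable-ExploitGuardAuditMode.rename` and must be renamed to `.ps1`; if that is still true the new steps fail at the first command, so confirm the package contents. Typos carried into the + lines: `Explot Guard`, `configuration servicer providers`, `audie mode`, `use the a custom`.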
@@ -1,53 +0,0 @@ ---- -title: Configure how ASR works so you can finetune the protection in your network -description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR -keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt ---- - -# Customize Attack Surface Reduction - -**Applies to:** - -- Windows 10 Insider Preview - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - - -## App-specific mitigations - - What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps? - - 1. Configure - 2. Export - 3. Import - - - - - -## Related topics - -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md) -- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) - diff --git a/windows/threat-protection/windows-defender-exploit-guard/configure-system-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/configure-system-exploit-protection.md deleted file mode 100644 index 6df66b8dab..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/configure-system-exploit-protection.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -title: Configure how ASR works so you can finetune the protection in your network -description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR -keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt ---- - -# Customize Attack Surface Reduction - -**Applies to:** - -- Windows 10 Insider Preview - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -## System-level mitigations - -What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps? - -System-level mitigations are applied to... - -You can set each of the following system-level mitigations to on, off, or the default value: - -Mitigation | Default value -Control flow guard | On -Data execution prevention | On -Force randomization for images (Mandatory ASLR) | Off -Randomize memory allocations (Bottom-up ASLR) | On -Validate exception chains (SEHOP) | On -Validate heap integrity | Off - -Generally, the default values should be used to... - - - -### Control flow guard - - - -### Data execution prevention - - - -### Force randomization for images (Mandatory ASLR) - - - -### Randomize memory allocations (Bottom-up ASLR) - - - -### Validate exception chains (SEHOP) - - - -### Validate heap integrity - - -### Configure system-level mitigations - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 
- -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Under the **Controlled folder access** section, click **Protected folders** - -4. Click **Add a protected folder** and follow the prompts to add apps. - - ![](images/cfa-prot-folders.png) - -You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines. - - -## Related topics - -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md) -- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) - diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 1c9e0ee9e5..c64d76ea70 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -22,6 +23,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
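Review bot: for the `@@ -1,100 +0,0 @@` whole-file deletion at the top, dropping the page is right, since its body is still a draft (open questions such as "What is the scope for these? Any app? Only Windows/system services?", a "System-level mitigations are applied to..." stub, and a "Configure system-level mitigations" procedure that actually clicks through **Controlled folder access > Protected folders**), but confirm nothing still links to the removed path: the "Related topics" lists touched elsewhere in this patch are updated, while the exploit-guard TOC is not among the files shown here. Nothing of substance is lost, because the six system-level mitigations and their defaults listed in the deleted table (CFG On, DEP On, Mandatory ASLR Off, Bottom-up ASLR On, SEHOP On, heap integrity Off) reappear with the same defaults in the new table in customize-exploit-protection.md.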
@@ -39,13 +42,13 @@ Controlled Folder Access helps you protect valuable data from malicious apps and It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection). +Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -A notification will appear on the machine where the app attempted to make changes to a protected folder. +A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. 
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. @@ -64,15 +67,17 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De ## Review Controlled Folder Access events in Windows Event Viewer -You can review the Windows event log to see events there are created when Controlled Folder Access blocks (or audits) an app: +You can review the Windows event log to see events that are created when Controlled Folder Access blocks (or audits) an app: -1. Download the [Exploit Guard Evaluation Package](#) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 3. On the left panel, under **Actions**, click **Import custom view...** -4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [download the XML directly](scripts/cfa-events.xml). + ![](images/events-import.gif) + +4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 57aa7dde33..72256aa36b 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
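Review bot: in the `@@ -39,13 +42,13 @@` hunk of controlled-folders-exploit-guard.md, the added sentence "You can also enable the rules individually to customize what techniques the feature monitors." describes Attack Surface Reduction, not Controlled Folder Access; the rest of this topic describes customization only as adding folders and allowing apps, and never mentions rules, so drop the sentence. In the same added line, the notification link points at `customize-attack-surface-reduction.md#customize-the-notification`, while this patch adds a "Customize the notification" section to customize-controlled-folders-exploit-guard.md; link to that one instead, e.g. `[customize the notification](customize-controlled-folders-exploit-guard.md#customize-the-notification)`. In the `@@ -64,15 +67,17 @@` hunk the event viewer procedure ends with two steps numbered 4 ("4. Navigate to where you extracted *cfa-events.xml*..." followed by "4. Click **OK**."), and the new `![](images/events-import.gif)` has no alt text; renumber the last step to 5 and give the image a description like the screenshot alt text used earlier in the file.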
@@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- # Customize Attack Surface Reduction @@ -19,6 +20,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators @@ -79,7 +82,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio ## Customize the notification -See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 42fccdb3c0..9bde74faf6 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -22,6 +23,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -54,7 +57,7 @@ You can also enter network shares and mapped drives, but environment variables a You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. -### Use the Windows Defender Security app to protect additional folders +### Use the Windows Defender Security Center app to protect additional folders 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -79,7 +82,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and 5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. -6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name? +6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder. > [!IMPORTANT] > Environment variables and wildcards are not supported. @@ -181,7 +184,9 @@ Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +## Customize the notification +See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) 
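Review bot: in the `@@ -79,7 +82,7 @@` hunk of customize-controlled-folders-exploit-guard.md, step 6 removes the draft question "Value? Or Value Name?" without answering it, so the reader who opens the **Show** dialog still faces two columns and no instruction. The ASR text this patch removes from customize-exploit-protection.md spells it out for its equivalent setting ("enter each file or folder in the **Value name** column. Enter **0** in the **Value** column"); if **Configured protected folders** uses the same list layout, say so here in the same words, and if it does not, say which column takes the path. In the `@@ -181,7 +184,9 @@` hunk the new "Customize the notification" section is pasted from the ASR topic: "when a rule is triggered and blocks an app or file" does not fit Controlled Folder Access, which this topic never describes in terms of rules; reword to "when an app is blocked from making changes to a protected folder".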
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 57aa7dde33..86c947101d 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -1,7 +1,7 @@ --- -title: Configure how ASR works so you can finetune the protection in your network -description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR -keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude +title: Enable or disable specific mitigations used by Exploit Protection +keywords: exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr +description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,14 +11,17 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- -# Customize Attack Surface Reduction +# Customize Exploit Protection **Applies to:** - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -29,63 +32,229 @@ ms.author: iawilt - Windows Defender Security Center app - Group Policy - PowerShell -- Configuration service providers for mobile device management -Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. -This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. +Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. -You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. + It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. -## Exclude files and folders + This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. -You can exclude files and folders from being evaluated by Attack Surface Reduction rules. - -You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode). - -### Use Group Policy to exclude files and folders - -1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. - -6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. - -### Use PowerShell to exclude files and folderss - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** -2. Enter the following cmdlet: - - ```PowerShell - Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" - ``` - -Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. +It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +## Exploit Protection mitigations -### Use MDM CSPs to exclude files and folders +All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level. 
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. +You can set each of the mitigations to on, off, or to their default value as indicated in the following table. Some mitigations have additional options, these are indicated in the description in the table. +For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. + +Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available +- | - | - | - +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On** | No +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On** | No +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off** | No +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On** | No +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. 
| System and app-level (system default: **On** | No +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off** | No +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes +Block remote images | Prevents loading of images from remote devices. | App-level only | Yes +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes +Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | Yes +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes +Do not allow child processes | Prevents an app from creating child processes. | App-level only | Yes +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. 
| App-level only | Yes +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes + + + + +### Configure system-level mitigations with the Windows Defender Security Center app + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label: + + ![](images/wdsc-exp-prot.png) + +3. Under the **System settings** section, find the mitigation you want to configure and select either: + - **On by default** + - **Off by default** + -**Use default** + + >[!NOTE] + >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. + + Changing some settings may required a restart, which will be indicated in red text underneath the setting. + + ![](images/wdsc-exp-prot-sys-settings.png) + +4. Repeat this for all the system-level mitigations you want to configure. + +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. + +Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. + + +### Configure app-specific mitigations with the Windows Defender Security Center app + +1. 
Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen: + + ![](images/wdsc-exp-prot.png) + + +3. Go to the **Program settings** section and choose the app you want to apply mitigations to: + + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + + ![](images/wdsc-exp-prot-app-settings.png) + + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + + ![](images/wdsc-exp-prot-app-settings-options.png) + +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. + +Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. 
+ + + ## PowerShell reference + + You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets. + + The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. + + >[!IMPORTANT] + >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden. + + + You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: + +```PowerShell +Get-ProcessMitigation -Name processName.exe +``` + + Use `Set` to configure each mitigation in the following format: + + ```PowerShell +Set-ProcessMitigation - - ,, +``` + + +Where: + +- \: + - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. + - `-System` to indicate the mitigation should be applied at the system level +- \: + - `-Enable` to enable the mitigation + - `-Disable` to disable the mitigation +- \: + - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma. 
+ + + For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: + + ```PowerShell +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation +``` + + >[!IMPORTANT] + >Seperate each mitigation option with commas. + + If you wanted to apply DEP at the system level, you'd use the following command: + + ```PowerShell +Set-Processmitigation -System -Enable DEP +``` + + To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. + + If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: + + ```PowerShell +Set-Processmitigation -Name test.exe -Remove -Disable DEP +``` + + + You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. + + For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: + + ```PowerShell +Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +``` + +You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`. + +### PowerShell reference table + +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. 
+ + + + +Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet +- | - | - | - +Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available +Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available +Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocate | Audit not available +Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Disable extension points | App-level only | ExtensionPoint | Audit not available +Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available +Validate handle usage | App-level only | StrictHandle | Audit not available +Validate image dependency integrity | App-level only | 
EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available + + + +\[1\]: Use the following format to enable EAF modules for dlls for a process: + +```PowerShell +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +``` ## Customize the notification -See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. - - +See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md) -- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) - +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file 
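Review bot: in the `@@ -29,63 +32,229 @@` hunk of customize-exploit-protection.md the two tables contradict each other on audit mode: the mitigation table marks Block remote images, EAF, IAF, SimExec, CallerCheck, Validate image dependency integrity and StackPivot as "Audit mode available: Yes", while the PowerShell reference table lists "Audit not available" for every one of them and gives an audit value only for ACG, low integrity images, untrusted fonts, code integrity guard, Win32k system calls and child processes; since the text tells readers to take the audit value from that table, make the first table match it (or add the missing values). Other points in the same hunk: all six "System and app-level (system default: **On**" / "**Off**" cells are missing the closing parenthesis; "-**Use default**" lacks the space after the dash and will not render as the third bullet, and "may required a restart" should be "may require"; the placeholders in `Set-ProcessMitigation - - ,,` and in the three "Where:" bullets come through empty ("- \:"), so whatever angle-bracket names were intended are being eaten as HTML tags and need both brackets escaped (or a form like `SCOPE ACTION MITIGATION,MITIGATION`); `-Name`, `-System`, `-Enable`, `-Disable` and `-Remove` are parameters of `Set-ProcessMitigation`, not cmdlets, and `DEP`, `EmulateAtlThunks` and the rest are values passed to `-Enable`/`-Disable`, so "add the `-Name` cmdlet", "include the `-Remove` cmdlet" and the column headings "PowerShell cmdlets" / "Audit mode cmdlet" should say parameter and mitigation value; `Set-ProcesMitigation` in the ACG audit example is misspelled and would fail as written, and `Set-Processmitigation` should be cased like the other examples; "seperated", "Seperate" and "overriden" are typos; "signed by Microsoft, WQL, and higher" for Code integrity guard should read WHQL; `EnforceModuleDepencySigning` looks like a typo for `EnforceModuleDependencySigning` (verify against `Get-ProcessMitigation` output before publishing); the IAF description duplicates EAF's, including "Can optionally validate access by modules commonly used by exploits", yet the reference table gives IAF only `EnableImportAddressFilter` with no Plus variant, so drop the clause or add the value; the three links to `#cmdlets-table` will not resolve because the heading "### PowerShell reference table" renders as `#powershell-reference-table`, unless an explicit anchor is hidden in the blank lines above the table; and the intro promises "how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs" while the hunk removes "Configuration service providers for mobile device management" from the manageability list and the topic contains no CSP procedure, so drop "and MDM CSPs" or add the procedure.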
diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 9dbb92d72d..f2c3551f4a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -1,6 +1,7 @@ --- -title: -keywords: +title: Compare the features in Exploit Protection with EMET +keywords: emet, enhanced mitigation experience toolkit, configuration, exploit +description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -10,247 +11,36 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- -# Protect devices from exploits with Windows Defender Exploit Guard +# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard **Applies to:** - Windows 10 Insider Preview, build 16232 and later +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators -**Manageability available with** -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center app -Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. +We're still working on this content and will have it published soon! - It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products. - You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. -## Requirements +Check out the following topics for more information about Exploit Protection: -The following requirements must be met before Exploit Protection will work: - -Windows 10 version | Windows Defender Advanced Threat Protection -Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - - - ## System-level mitigations - -What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps? - -System-level mitigations are applied to... 
- -You can set each of the following system-level mitigations to on, off, or the default value: - -Mitigation | Default value -Control flow guard | On -Data execution prevention | On -Force randomization for images (Mandatory ASLR) | Off -Randomize memory allocations (Bottom-up ASLR) | On -Validate exception chains (SEHOP) | On -Validate heap integrity | Off - -Generally, the default values should be used to... - - - -### Control flow guard - - - -### Data execution prevention - - - -### Force randomization for images (Mandatory ASLR) - - - -### Randomize memory allocations (Bottom-up ASLR) - - - -### Validate exception chains (SEHOP) - - - -### Validate heap integrity - - - - - - 1. Configure - 2. Export - 3. Import - -### Configure system-level mitigations - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Under the **Controlled folder access** section, click **Protected folders** - -4. Click **Add a protected folder** and follow the prompts to add apps. - - ![](images/cfa-prot-folders.png) - -You can now export these settings as an XML file. This allows you to copy the configuration from one machine onto other machines. - - ### Export system-level mitigations - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. 
Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Under the **Controlled folder access** section, click **Protected folders** - -4. Click **Add a protected folder** and follow the prompts to add apps. - - ![](images/cfa-prot-folders.png) - -You can import the XML file to other machines in your organization. You can do this individually for each machine by using the Windows Defender Security Center, or you can deploy a Group Policy setting for multiple devices. - - ### Import system-level mitigations - - **Use the Windows Defender Security app to import system-level mitigations:** - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Under the **Controlled folder access** section, click **Protected folders** - -4. Click **Add a protected folder** and follow the prompts to add apps. - - ![](images/cfa-prot-folders.png) - -**Use Group Policy to import and deploy system-level mitigations:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. 
Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**. - -6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: - - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log - - **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders. - - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - - - ![](images/cfa-gp-enable.png) - ->[!IMPORTANT] ->To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. - - - ## App-specific mitigations - - What is the scope for these? Any app? Only Windows/system services? Signed apps? Known bad apps? - - 1. Configure - 2. Export - 3. Import - -### Configure app-specific mitigations - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Under the **Controlled folder access** section, click **Protected folders** - -4. Click **Add a protected folder** and follow the prompts to add apps. - - ![](images/cfa-prot-folders.png) - -You can now export these settings as an XML file. 
This allows you to copy the configuration from one machine onto other machines. - - ### Export app-specific mitigations - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Under the **Controlled folder access** section, click **Protected folders** - -4. Click **Add a protected folder** and follow the prompts to add apps. - - ![](images/cfa-prot-folders.png) - -You can import the XML file to other machines in your organization. You can do this individually for each machine by using the Windows Defender Security Center, or you can deploy a Group Policy setting for multiple devices. - - ### Import app-specific mitigations - - **Use the Windows Defender Security app to import app-specific mitigations:** - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Under the **Controlled folder access** section, click **Protected folders** - -4. Click **Add a protected folder** and follow the prompts to add apps. - - ![](images/cfa-prot-folders.png) - -**Use Group Policy to import and deploy app-specific mitigations:** - -1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**. - -6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: - - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log - - **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders. - - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - - - ![](images/cfa-gp-enable.png) - ->[!IMPORTANT] ->To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. - - - -## Review event logs for Exploit Protection - -How do you see these event logs? Are they under specific codes/areas? - -Also - is there any SCCM, Intune, or MDM functionality here? Can't see anything in the SCCM console. 
\ No newline at end of file +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 85b0b1b8fc..910db87d44 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -21,6 +22,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -41,37 +44,23 @@ Attack Surface Reduction is a feature that is part of Windows Defender Exploit G You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. -For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). Attack Surface Reduction rules are identified by their unique rule ID. -Rule IDs willl be populated on machines that are enrolled in an E5 license. These machines will also properly report their Attack Surface Reduction rule history in the Windows Defender Security Center web console. - -You can also manually add the rules from the following table: +You can manually add the rules by using the GUIDs in the following table: Rule description | GUIDs -|- -Block executable content from email client and webmail. | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 -Block Office applications from creating child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a} -Block Office applications from creating executable content | {3b576869-a4ec-4529-8536-b80a7769e899} -Block Office applications from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84} -Impede JavaScript and VBScript to launch executables | {d3e037e1-3eb8-44c8-a917-57927947596d} -Block execution of potentially obfuscated scripts | {5beb7efe-fd9a-4556-801d-275e5ffc04cc} - - - - -Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B} - ->[!NOTE] ->I don't see this rule in the test tool - - -See the [Evaluate Attack Surface Reduction rules](evaluate-attack-surface-reduction.md) topic for details on each rule. 
- - >[!NOTE] - >Are we revealing the rule GUIDs? Will they appear on E5 machines? +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. ### Use Group Policy to enable Attack Surface Reduction rules @@ -104,12 +93,8 @@ See the [Evaluate Attack Surface Reduction rules](evaluate-attack-surface-reduct ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids ``` - ->[!NOTE] ->Not sure if this is right. What does AttackSurfaceReductionRules_Actions do? Do you need to add $TRUE/$FALSE or 1/0 at the end to enable it? Does the rule need to go in " or {}? Some examples would be handy here I think - - -You can enable the feauting in auditing mode using the following cmdlet: + +You can enable the feature in audit mode using the following cmdlet: ```PowerShell Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode @@ -117,8 +102,6 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. ->[!NOTE] ->We need to walk through this so I understand how it works ### Use MDM CSPs to enable Attack Surface Reduction rules 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index c062b2db26..e105482635 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -22,6 +23,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators @@ -44,7 +47,7 @@ This topic describes how to enable Controlled Folder Access with the Windows Def You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. -For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). ### Use the Windows Defender Security app to enable Controlled Folder Access @@ -89,7 +92,7 @@ For further details on how audit mode works, and when you might want to use it, Set-MpPreference -EnableControlledFolderAccess Enabled ``` -You can enable the feauting in auditing mode by specifying `AuditMode` instead of `Enabled`. +You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`. Use `Disabled` to turn the feature off. 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index c062b2db26..90e6cd1782 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -1,7 +1,7 @@ --- -title: Turn on the protected folders feature in Windows 10 -keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use -description: Learn how to protect your important files by enabling Controlled Folder Access +title: Turn on Exploit Protection to help mitigate against attacks +keywords: exploit, mitigation, attacks, vulnerability +description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,17 +11,20 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- -# Enable Controlled Folder Access +# Enable Exploit Protection **Applies to:** - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -32,74 +35,42 @@ ms.author: iawilt - Windows Defender Security Center app - Group Policy - PowerShell -- Configuration service providers for mobile device management -Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). +Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. + +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -## Enable and audit Controlled Folder Access -You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. +## Enable and audit Exploit Protection -For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +You enable and configure each Exploit Protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. +The mitigations available in Exploit Protection are enabled or configured to their default values automatically in Windows 10. 
However, you can customize the configuration to suit your organization and then deploy that configuration across your network. -### Use the Windows Defender Security app to enable Controlled Folder Access +You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +You can also convert an existing EMET configuration file (in XML format) and import it into Exploit Protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Set the switch for the feature to **On** +See the following topics for instructions on configuring Exploit Protection mitigations and importing, exporting, and converting configurations: - ![](images/cfa-on.png) - -### Use Group Policy to enable Controlled Folder Access - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. 
Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. - -6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: - - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log - - **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders. - - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - - - ![](images/cfa-gp-enable.png) - ->[!IMPORTANT] ->To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. - -### Use PowerShell to enable Controlled Folder Access - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** -2. Enter the following cmdlet: - - ```PowerShell - Set-MpPreference -EnableControlledFolderAccess Enabled - ``` - -You can enable the feauting in auditing mode by specifying `AuditMode` instead of `Enabled`. - -Use `Disabled` to turn the feature off. - -### Use MDM CSPs to enable Controlled Folder Access - -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md) +2. 
[Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md). ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) + + + diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 47c9a89313..4e8f0eea70 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -21,6 +22,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -35,15 +38,17 @@ ms.author: iawilt Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +This topic describes how to enable Network Protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). + ## Enable and audit Network Protection You can enable Network Protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. -For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). -### Use Group Policy to enable Network Protection +### Use Group Policy to enable or audit Network Protection 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -64,7 +69,7 @@ For further details on how audit mode works, and when you might want to use it, >To fully enable the Network Protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. - ### Use PowerShell to enable Network Protection + ### Use PowerShell to enable or audit Network Protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: 
@@ -73,17 +78,17 @@ For further details on how audit mode works, and when you might want to use it, Set-MpPreference -EnableNetworkProtection Enabled ``` -You can enable the feauting in auditing mode using the following cmdlet: +You can enable the feauting in audit mode using the following cmdlet: - ``` - Set-MpPreference -EnableNetworkProtection AuditMode - ``` +``` +Set-MpPreference -EnableNetworkProtection AuditMode +``` Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. -### Use MDM CSPs to enable Network Protection +### Use MDM CSPs to enable or audit Network Protection Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network Protection. diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 9aa2358b1c..e8476084c9 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -20,6 +21,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators @@ -30,8 +33,6 @@ ms.author: iawilt - Windows Defender Security Center app - Group Policy - PowerShell -- Configuration service providers for mobile device management - 
@@ -50,11 +51,9 @@ This topic helps you evaluate Attack Surface Reduction. It explains how to demo Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. The tool is part of the Windows Defender Exploit Guard evaluation package: -- [Download the Exploit Guard Evaluation Package](#) +- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) -This tool has a simple user interface that lets you choose a rule, configure it in blocking, auditing, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule. - -You can also set advanced options, including setting a delay, choosing a specific scenario, and how to view a record of the events. +This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule. When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken. 
@@ -63,7 +62,7 @@ When you run a scenario, you will see what the scenario entails, what the rule i Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running. >[!IMPORTANT] ->The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [auditing mode to measure impact](#use-auditing-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). +>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). **Run a rule using the demo tool:** @@ -89,10 +88,6 @@ You can right-click on the output window and click **Open Event Viewer** to see >[!TIP] >You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. ->[!NOTE] ->What does leave dirty do? Does delay work? - - Choosing the **Mode** will change how the rule functions: 
@@ -106,9 +101,9 @@ Block mode will cause a notification to appear on the user's desktop: ![](images/asr-notif.png) -You can [modify the notification to display your company name and links](attack-surface-reduction-exploit-guard.md#customize-the-notification) for users to obtain more information or contact your IT help desk. +You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk. -For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). The following sections describe what each rule does and what the scenarios entail for each rule. 
@@ -124,18 +119,12 @@ Scenario name | File type | Program Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook -Mail Client Script Archive | Script archive files (such as .????) | Microsoft Outlook -WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as ??? (only outlook/hotmail? Or anything? Any browser or only Edge/IE?) +Mail Client Script Archive | Script archive files | Microsoft Outlook +WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail -WebMail Script Archive | Script archive files (such as .????) | Web mail +WebMail Script Archive | Script archive files | Web mail ->[!NOTE] ->What is a script archive file? - ->[!NOTE] ->WebMail rules are currently being engineered and may not work as expected - ### Rule: Block Office applications from creating child processes >[!NOTE] 
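Review bot: "Script archive files" in the Mail Client Script Archive and WebMail Script Archive rows is still undefined after the ".????" placeholder was removed, and the deleted NOTE ("What is a script archive file?") shows the question was never answered; give at least one concrete example or the rows tell the reader nothing. In the same table, the context rows describe PowerShell scripts as ".ps" where the extension is ".ps1", and the new "gmail, outlook, hotmail" should use the product names (Gmail, Outlook.com, Hotmail). Finally, the note "WebMail rules are currently being engineered and may not work as expected" should only be deleted if the caveat no longer holds; if those rules are still in development, keep it, because an evaluator who sees no block will otherwise conclude the feature is broken.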
@@ -143,12 +132,9 @@ WebMail Script Archive | Script archive files (such as .????) | Web mail Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. ->[!NOTE] ->Note sure if this accurate - ### Rule: Block Office applications from creating executable content -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware spreading and infection technique. +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique. The following scenarios can be individually chosen: @@ -156,13 +142,6 @@ The following scenarios can be individually chosen: - A scenario will be randomly chosen from this list - Extension Block - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. -- MZ Block - - ??? - - ->[!NOTE] ->Note sure if this accurate - ### Rule: Block Office applications from injecting into other processes @@ -199,13 +178,7 @@ Malware and other threats can attempt to obfuscate or hide their malicious code - AntiMalwareScanInterface - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script - OnAccess - - Potentially obfuscated scripts will be blocked when an attempt is made to run them - - ->[!NOTE] ->Note sure if this accurate - - + - Potentially obfuscated scripts will be blocked when an attempt is made to access them ## Review Attack Surface Reduction events in Windows Event Viewer 
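Review bot: the "MZ Block" scenario was deleted from the creating-executable-content list at the -156 hunk rather than documented; if the demo tool still offers that scenario, the list is now incomplete and readers see an option with no explanation (MZ is the two-byte signature at the start of a PE executable, so the scenario presumably blocks Office apps from writing files with an executable header; confirm with the tool owner and describe it, or confirm the option was removed from the tool). Separately, at the -199 hunk the OnAccess description changed from "when an attempt is made to run them" to "when an attempt is made to access them"; that is a substantive change in what the scenario demonstrates, not a wording fix, so verify it against the tool's behaviour before merging.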
@@ -216,7 +189,7 @@ You can also review the Windows event log to see the events there were created w 2. On the left panel, under **Actions**, click **Import custom view...** -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml). +3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. @@ -229,9 +202,9 @@ Event ID | Description 1121 | Event when rule fires in Block-mode -## Use auditing mode to measure impact +## Use audit mode to measure impact -You can also enable the Attack Surface Reduction feature in auditing mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. +You can also enable the Attack Surface Reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. 
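Review bot: the context line "to see the events there were created" (also present in the Controlled Folder Access and Network Protection files below) has "there" for "that"; since each of these hunks already touches the adjacent step, fix the typo in the same change. The link change to event-views-exploit-guard.md is fine, but the link text "copy the XML directly" should match the section heading in that topic ("Copy the XML directly") so readers can find it.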
@@ -253,10 +226,7 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. -See the following topics for configuring the feature with management tools, including Group Policy and MDM CSP policies: - -- [Exclude files and folders](customize-attack-surface-reduction.md#exclude-files-and-folders) -- [Configure rules individually](enable-attack-surface-reduction.md#individually-enable-attack-surface-reduction-rules) +See the [Customize Exploit Protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 738d3d6036..151c74bdb2 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -11,11 +11,28 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- # Evaluate Controlled Folder Access +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). 
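Review bot: the replacement link at the -253 hunk points at the wrong feature. This is the Attack Surface Reduction evaluation topic, and the sentence about configuring rules individually and excluding files now sends the reader to customize-exploit-protection.md, whereas the deleted lines linked customize-attack-surface-reduction.md#exclude-files-and-folders and enable-attack-surface-reduction.md#individually-enable-attack-surface-reduction-rules. Point it at the ASR customize/enable topics, and keep the deep links if those anchors are valid. Also "individualy" in the context line above should be "individually".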
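Review bot: the new "Manageability available with" list added to evaluate-controlled-folder-access.md names only the Windows Defender Security Center app, Group Policy and PowerShell, but the audit-mode section of the same file (the -100 hunk below) says the setting can also be deployed with Intune, MDM, or System Center Configuration Manager. Make the two consistent, either by adding MDM and Configuration Manager to the list or by trimming the later sentence, so readers are not given conflicting guidance on which tools manage the feature.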
@@ -23,7 +40,7 @@ It is especially useful in helping to protect your documents and information fro This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. ->[NOTE] +>[!NOTE] >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. >For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). @@ -33,7 +50,7 @@ This topic helps you evaluate Controlled Folder Access. It explains how to demo Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders. The tool is part of the Windows Defender Exploit Guard evaluation package: -- [Download the Exploit Guard Evaluation Package](#) +- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. @@ -56,11 +73,11 @@ You can enable Controlled Folder Access, run the tool, and see what the experien 6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. -![](images/cfa-filecreator.png) + ![](images/cfa-filecreator.png) 7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example: -![](images/cfa-notif.png) + ![](images/cfa-notif.png) ## Review Controlled Folder Access events in Windows Event Viewer 
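Review bot: spelling consistency in the -23 hunk: the context line "test the feature directly in your organisation" uses the British spelling while this file and the sibling topics use "organization"; fix it in the same change since the hunk already touches the adjacent NOTE. The [NOTE] to [!NOTE] correction is right, as the original form renders as a plain blockquote rather than a callout, and the indented image lines at -56 are needed for the images to stay inside the numbered steps.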
@@ -70,7 +87,7 @@ You can also review the Windows event log to see the events there were created w 2. On the left panel, under **Actions**, click **Import custom view...** -3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml). +3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. @@ -83,9 +100,9 @@ Event ID | Description 1123 | Blocked Controlled Folder Access event -## Use auditing mode to measure impact +## Use audit mode to measure impact -As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in auditing mode. This lets you see a record of what *would* have happened if you had enabled the setting. +As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. @@ -100,7 +117,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). -For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). 
@@ -108,10 +125,7 @@ For further details on how audit mode works, and when you might want to use it, During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSPs: - -- [Protect additional folders](controlled-folders-exploit-guard.md#protect-additional-folders) -- [Allow specifc apps to make changes to controlled folders](controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) +See the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 8f57ca59bb..94309ec278 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -1,7 +1,7 @@ --- -title: -description: -keywords: +title: See how Exploit Protection works in a demo +description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps. +keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
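Review bot: two points. At the -108 hunk the deep links "Protect additional folders" and "Allow specific apps to make changes to controlled folders" were replaced by a single link to the topic root; if the motivation was the broken anchor (#allow-specifc-apps..., spelled "specifc"), fix the anchor rather than dropping both links, because those two sections are exactly what an evaluator tuning the allow-list needs. In the evaluate-exploit-protection.md front matter, the keywords line contains "mitigiation" for "mitigation"; it is a search keyword, so the typo affects discoverability.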
@@ -11,186 +11,123 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- -## Exploit Protection +# Evaluate Exploit Protection + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + +Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. + +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. + +This topcs helps you evaluate Exploit Protection. See the [Exploit Protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit Protection does and how to configure it for real-world deployment. + +>[!NOTE] +>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit Protection topic](exploit-protection-exploit-guard.md) . + + +## Enable and validate an Exploit Protection mitigation + +For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. + +First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app: + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** + +2. 
Enter the following cmdlet: + + ```PowerShell + SetProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation + ``` + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. + +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. + +4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. + +Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user: + +1. Type **run** in the Start menu andp ress **Enter** to open the run dialog box. + +2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer. + +3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process). + +Lastly, we can disable the mitigation so that Internet Explorer works properly again: + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. + +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. + +4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply** + +5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. 
+ + +## Review Exploit Protection events in Windows Event Viewer + +You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. + +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...** + +4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection](exploit-protection-exploit-guard.md) topic. + +6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: + + Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. + + +## Use audit mode to measure impact + +As with other Windows Defender EG features, you can enable Exploit Protection in audit mode. You can enable audit mode for individual mitigations. + +This lets you see a record of what *would* have happened if you had enabled the mitigation. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. 
+ +See the [**PowerShell reference** section in the Customize Exploit Protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). -Component | Configuration available with | Event ID | Corresponds to --|-|-|- -Exploit Protection | GP, MDM, PS & UI | Provider: Security-Mitigations | -| | | 1 | ACG audit -| | | 2 | ACG enforce -| | | 3 | Do not allow child processes audit -| | | 4 | Do not allow child processes block -| | | 5 | Block low integrity images audit -| | | 6 | Block low integrity images block -| | | 7 | Block remote images audit -| | | 8 | Block remote images block -| | | 9 | Disable win32k system calls audit -| | | 10 | Disable win32k system calls block -| | | 11 | Code integrity guard audit -| | | 12 | Code integrity guard block -| | | 13 | EAF audit -| | | 14 | EAF enforce -| | | 15 | EAF+ audit -| | | 16 | EAF+ enforce -| | | 17 | IAF audit -| | | 18 | IAF enforce -| | | 19 | ROP StackPivot audit -| | | 20 | ROP StackPivot enforce -| | | 21 | ROP CallerCheck audit -| | | 22 | ROP CallerCheck enforce -| | | 23 | ROP SimExec audit -| | | 24 | ROP SimExec enforce -Exploit Protection | GP, MDM, PS & UI |Provider: WER-Diagnostics | -| | | 5 | CFG Block -Exploit Protection | GP, MDM, PS & UI | Provider: Win32K | -| | | 260 | Untrusted Font - - - -### Audit/block modes -Each of these components can individually be enabled in audit or blocking mode. - -Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode. - - - -Component |Description |Rule/mitigation description | --|-|-|- -Exploit Protection |Provides memory, control flow and policy restrictions that can be used to protect an application from exploits. 
- Each mitigation can be enabled in audit/block mode |Memory exploit mitigation | DEP -| | | | ForceASLR -| | | | BottomUpASLR -| | | | HeapTermination -| | | | SEHOP -| | | | CFG -| | | | Strict handle checks -| | | | ACG -| | | | Untrusted font blocking -| | | | No child process -| | | | Win32k syscall disable -| | | | Extension point disable -| | | | Various image loading restrictions -| | | | Anti-ROP (CallerCheck, SimExec, StackPivot) -| | | | EAF, EAF+ -| | | Control Flow mitigation | -| | | Process restrictions | - - - -## Policy settings for Windows Defender EG -The MDM policy settings for Windows Defender EG are listed in this section, along with example settings. -### Exploit Protection -Exploit Protection has an improved manageability experience over EMET, including support for SCCM, Intune, Powershell, and Group Policy management. -> -> Note: SCCM and Intune will be supported in furture releases. -You can specify a common set of WD Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured. -Note, however, that there are some prerequisites before you can enable this setting: -- Manually configure a device's system and application mitigation settings using the *Set-ProcessMitigation* PowerShell cmdlet, the *ConvertTo-ProcessMitigationPolicy* PowerShell cmdlet, or directly in the Windows Defender Security Center -> -> Note: Endpoints that have this GP setting set to **Enabled** must be able to access the XML file, otherwise the settings will not be applied. -- Generate an XML file with the settings from the device by running the *Get-ProcessMitigation* PowerShell cmdlet or using the **Export** button at the bottom of the **Exploit Protection** area in the Windows Defender Security Center. -- Place the generated XML file in a shared or local path. 
- -#### Group policy - -The Exploit Protection feature can be configured with the following Group Policy details: -- Location: \Microsoft\Windows Defender Exploit Guard\Exploit Protection -- Name: Use a common set of Exploit Protection settings -- Values: **Enabled**: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following: --- C:\MitigationSettings\Config.XML --- \\Server\Share\Config.xml --- https://localhost:8080/Config.xml - -The settings in the XML file will be applied to the endpoint. - -**Disabled:** Common settings will not be applied, and the locally configured settings will be used instead. - -**Not configured:** Same as **Disabled**. - -#### PowerShell - -You can also use powershell to set these mitigation policies and to convert EMET policies to Windows Defender EG, as demonstrated in the following examples: - -Get the current settings in the registry for processName.exe -``` -Get-ProcessMitigation -Name processName.exe -``` - -Exports the current settings to the filename.xml -``` -Get-ProcessMitigation -RegistryConfigFilePath filename.xml -``` - -Imports the settings in filename.xml to the system. -``` -Set-ProcessMitigation -PolicyFilePath filename.xml -``` - -Enables a list of mitigations -``` -Set-ProcessMitigation -Name processName.exe -Enable SEHOP,DEP -``` - -Disables a list of mitigations -``` -Set-ProcessMitigation -Name processName.exe -Disable SEHOP,DEP -``` - -Sets the EAFModules for dllName1.dll & dllName2.dll for processName.exe -``` -Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll -``` - -Converts an emet file named, emetFile.xml, to the new windows 10 format called, filename.xml -``` -ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml -``` - - -### Make sure things are working - -1. Apply a mitigation setting: -a. 
Launch PowerShell as an admin and run **SetProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation** -2. Validate that the setting is correctly applied: -a. Open Windows Defender Security Center -> App & browser control -b. Scroll to the bottom and under **Exploit protection**, click **Exploit protection settings** and navigate to the **Program settings** pivot -c. Scroll down to **iexplore.exe**, click on it and click **Edit** -d. Find the **Do not allow child processes** setting and make sure that **Override System settings** and **On** are set -3. Validate that Internet Explorer wont run: -a. Try launching iexplore.exe via the run dialog -b. An IE frame should appear and then close -4. Validate that event viewer reports that the mitigation fired: -a. Open Event Viewer -b. Navigate to Applications and Services Log -> Microsoft -> Windows -> Security-Mitigations -> Kernel Mode -c. Check for the following entry for Internet Explorer (event ID 4) - -Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. - -5. Undo the mitigation setting: -a. Open Windows Defender Security Center -> App & browser control -b. Scroll to the bottom and under **Exploit protection**, click on **Exploit protection settings** and navigate to the **Program settings** pivot -c. Scroll down to **iexplore.exe**, click on it and click **Edit** -d. Find the **Do not allow child processes **setting and toggle the **On** to **Off** -e. Click **Apply** -6. Validate that Internet Explorer runs: -a. Try launching iexplore.exe via the run dialog -b. IE should open as expected - - -### Converting and Applying an EMET config: -1. Export the existing EMET configuration. 
This can be done from the "Export" button in the GUI, or by running the command: **emet_conf.exe export emetConfig.xml** -2. In an elevated PowerShell window, convert the exported configuration with: **ConvertTo-ProcessMitigationPolicy -EMETFilePath emetConfig.xml -OutputFilePath win10Config.xml** -3. Note that this may give you some warnings, but these should be safe to ignore. -4. Apply the new configuration: from an elevated PowerShell window run **Set-ProcessMitigation -RegistryConfigFilePath win10Config.xml ** -5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively. - - -### Managing Exploit Protection through Group Policy -1. Launch Group Policy Management Console (gpmc.msc) and from within and existing or new GPO navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection** and open the policy named *Use a common set of exploit protection settings*. -2. Enable the setting as seen below and point to an accessible location for the client machines to the recently created XML. -3. Apply the new GP to targeted machines by direction OU membership, Security Group or WMI filter. \ No newline at end of file +## Related topics +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file 
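Review bot: the cmdlet in the "Enable and validate an Exploit Protection mitigation" section is not valid PowerShell as written: `SetProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation` has lost its hyphens and will fail with a "not recognized" error; it should read `Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation` (the PowerShell reference deleted further down in this hunk shows the correct `-Name`/`-Enable` form). Readers will copy this line, so it is the one thing to fix before merge. The teardown steps use only the Security Center UI; add the symmetric `Set-ProcessMitigation -Name iexplore.exe -Disable DisallowChildProcessCreation` as an alternative so the PowerShell path is complete. Smaller issues in the same hunk: "Exploit Protection applies helps protect devices" (drop "applies"); "This topcs helps"; "Mobile Device Management (MDM to deploy" is missing its closing parenthesis; "andp ress"; the enable procedure restarts numbering at 1 after step 2, so Markdown will render two lists (number 3 to 6 or use "1." throughout), and the Event Viewer procedure has two steps numbered 4. Step 5 of the Event Viewer section also says the view shows "the following events" but nothing follows, because the Security-Mitigations, WER-Diagnostics and Win32K event ID table was deleted in this hunk; confirm that table actually exists in exploit-protection-exploit-guard.md before removing it here, and likewise that the deleted Group Policy note ("Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied") and the EMET conversion steps (`ConvertTo-ProcessMitigationPolicy`, `Set-ProcessMitigation -RegistryConfigFilePath`) survive in import-export-exploit-protection-emet-xml.md, otherwise this hunk deletes content rather than relocating it.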
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 1832fefeeb..41d3ca0276 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- # Evaluate Network Protection @@ -21,6 +22,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators @@ -30,10 +33,12 @@ ms.author: iawilt - Group Policy - PowerShell -- Configuration service providers for mobile device management -Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. + +Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site. 
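Review bot: the -30 hunk removes "Configuration service providers for mobile device management" from the Network Protection manageability list without explanation. If Network Protection cannot be managed through MDM CSPs in this build, the main network-protection-exploit-guard.md topic should say the same; if it can, the line should stay. As it stands the change is silent, and a reader comparing the four evaluate-* topics, which otherwise list the same management tools, will notice the gap and not know which is right.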
@@ -56,7 +61,7 @@ You can also carry out the processes described in this topic in audit or disable 1. Open Internet Explorer, Google Chrome, or any other browser of your choice. 1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net). -> should we add https://smartscreentestratings2.net/index.html as the test site for this example. Display a sample phishing site, and then show what happens when you go to it with Network Protection enabled + You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked. ![](images/np-notif.png) @@ -70,7 +75,7 @@ You can also review the Windows event log to see the events there were created w 2. On the left panel, under **Actions**, click **Import custom view...** -3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [download the XML directly](scripts/np-events.xml). +3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. @@ -83,9 +88,9 @@ Event ID | Description 1126 | Event when rule fires in Block-mode -## Use auditing mode to measure impact +## Use audit mode to measure impact -You can also enable the Network Protection feature in auditing mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. +You can also enable the Network Protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use. 
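Review bot: the added line at the -56 hunk has "connnection" (three n's). The deleted inline question about using https://smartscreentestratings2.net/index.html and showing a sample phishing page before demonstrating the block was a reasonable improvement to this demo and should be tracked as follow-up rather than silently dropped. The context line "to see the events there were created" at the -70 hunk has "there" for "that", as in the other evaluate-* topics.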
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index 4f2500cca8..bdeca98d57 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -22,6 +23,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -38,15 +41,15 @@ Before you begin, you should read the main [Windows Defender Exploit Guard](wind - [Evaluate Exploit Protection](evaluate-exploit-protection.md) - [Evaluate Network Protection](evaluate-network-protection.md) -You might also be interested in enabling the features in auditing mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: +You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: -- [Use auditing mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) +- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) ## Related topics Topic | Description ---|--- -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) - [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) - [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md new file mode 100644 index 0000000000..54066d6d43 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md 
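Review bot: the Related topics section at the -38 hunk is malformed: the context lines open a table ("Topic | Description" / "---|---") but the entries that follow, including the one this hunk edits, are bullet list items, so the table has a header row and no body and the Description column is empty. Either convert the four links to table rows with a one-line description each or drop the table header. The added ".md" on the exploit-protection-exploit-guard link is correct; without it the link was broken.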
@@ -0,0 +1,183 @@ +--- +title: Import custom views in XML to see Windows Defender Exploit Guard events +description: Use Windows Event Viewer to import individual views for each of the features. +keywords: event view, exploit guard, audit, review, events +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.date: 08/25/2017 +localizationpriority: medium +author: iaanw +ms.author: iawilt + +--- + + +# Reduce attack surfaces with Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + +Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windos Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. + +Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. + +This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. + +## Use custom views to review Windows Defender Exploit Guard features + +You can create custom views in the Windows Event Viewer to only see events for specific features and settings. + +The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. + +### Import an existing XML custom view + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. 
The following filenames are each of the custom views: + - Controlled Folder Access events custom view: *cfa-events.xml* + - Exploit Protection events custom view: *ep-events.xml* + - Attack Surface Reduction events custom view: *asr-events.xml* + - Network Protection events custom view: *np-events.xml* + +1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. + +3. On the left panel, under **Actions**, click **Import Custom View...** + + ![](images/events-import.gif) + +4. Navigate to where you extracted XML file for the custom view you want and select it. + +4. Click **Open**. + +5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). + + +### Copy the XML directly + + +1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. + +3. On the left panel, under **Actions**, click **Create Custom View...** + + ![](images/events-create.gif) + +4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. + +5. Paste the XML code for the feature you want to filter events from into the XML section. + +4. Click **OK**. Specify a name for your filter. + +5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). 
+ + + + + +### XML for Attack Surface Reduction events + +```xml + + + + + + +``` + +### XML for Controlled Folder Access events + +```xml + + + + + + +``` + +### XML for Exploit Protection events + +```xml + + + + + + + + + + + + + + + +``` + +### XML for Network Protection events + +```xml + + + + + + + +``` + + + +## List of all Windows Defender Exploit Guard events + + +All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. + +Feature | Provider/source | Event ID | Description +:-|:-|:-:|:- +Exploit Protection | Security-Mitigations | 1 | ACG audit +Exploit Protection | Security-Mitigations | 2 | ACG enforce +Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit +Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block +Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit +Exploit Protection | Security-Mitigations | 6 | Block low integrity images block +Exploit Protection | Security-Mitigations | 7 | Block remote images audit +Exploit Protection | Security-Mitigations | 8 | Block remote images block +Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit +Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block +Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit +Exploit Protection | Security-Mitigations | 12 | Code integrity guard block +Exploit Protection | Security-Mitigations | 13 | EAF audit +Exploit Protection | Security-Mitigations | 14 | EAF enforce +Exploit Protection | Security-Mitigations | 15 | EAF+ audit +Exploit Protection | Security-Mitigations | 16 | EAF+ enforce +Exploit Protection | Security-Mitigations | 17 | IAF audit +Exploit Protection | Security-Mitigations | 18 | IAF enforce +Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit +Exploit 
Protection | Security-Mitigations | 20 | ROP StackPivot enforce +Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit +Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce +Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit +Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce +Exploit Protection | WER-Diagnostics | 5 | CFG Block +Exploit Protection | Win32K | 260 | Untrusted Font +Network Protection | Windows Defender | 5007 | Event when settings are changed +Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode +Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode +Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed +Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event +Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event +Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed +Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode +Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index aee8fe555a..e2d88d19db 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md 
@@ -1,6 +1,7 @@ --- -title: -keywords: +title: Apply mitigations that help prevent attacks that use vulnerabilities in software +keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet +description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -10,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -21,6 +23,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -31,22 +35,25 @@ ms.author: iawilt - Windows Defender Security Center app - Group Policy - PowerShell -- Configuration service providers for mobile device management -Exploit Protection automatically applies a number of exploit mitigation techniques on both [the operating system processes](configure-system-exploit-protection.md) and on [individual apps](configure-app-exploit-protection.md). + +Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection). +Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - You configure these settings using the Windows Defender Security Center app on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. + You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). 
You can use Group Policy to distribute the XML file to multiple devices at once. - Exploit Protection consists of a number of mitigations that are designed to protect against typical malware infection behavior - especially for malware that attempts to exploit software vulnerabilities to spread and infect machines. + When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection. + You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled. - You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled. + Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection. + + >[!IMPORTANT] + >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. 
You can [convert an existing EMET configuration file into Exploit Protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. @@ -61,19 +68,21 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full re ## Review Exploit Protection events in Windows Event Viewer -You can review the Windows event log to see events there are created when Exploit Protection blocks (or audits) an app: +You can review the Windows event log to see events that are created when Exploit Protection blocks (or audits) an app: -1. Download the [Exploit Guard Evaluation Package](#) and extract the file *ep-events.xml* to an easily accessible location on the machine. +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 3. On the left panel, under **Actions**, click **Import custom view...** -4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [download the XML directly](scripts/ep-events.xml). + ![](images/events-import.gif) -4. Click **OK**. +4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). -5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: +5. Click **OK**. + +6. This will create a custom view that filters to only show the following events related to Exploit Protection: Provider/source | Event ID | Description -|:-:|- 
@@ -102,7 +111,7 @@ Security-Mitigations | 22 | ROP CallerCheck enforce Security-Mitigations | 23 | ROP SimExec audit Security-Mitigations | 24 | ROP SimExec enforce WER-Diagnostics | 5 | CFG Block -Provider: Win32K | 260 | Untrusted Font +Win32K | 260 | Untrusted Font ## In this section @@ -111,4 +120,6 @@ Topic | Description ---|--- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved. [Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior. -[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Exploit Protection in your network. See how to configure mitigations for the operating system and for individual apps, and how to export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection. +[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit Protection in your network. +[Customize and configure Exploit Protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps. +[Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection. \ No newline at end of file 
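Review bot: The paragraph added in the @@ -31,22 +35,25 @@ hunk, "When a mitigation is encountered on the machine, a notification will be displayed from the Action Center...", appears to be copied from the Attack Surface Reduction topic: its link points at `customize-attack-surface-reduction.md#customize-the-notification`, and the closing sentence "You can also enable the rules individually to customize what techniques the feature monitors" describes ASR rules, while this topic is about Exploit Protection mitigations configured per app or system-wide (the `customize-exploit-protection.md` topic linked two paragraphs earlier). Retarget the link to the Exploit Protection customization topic and reword or drop the rules sentence. The audit-mode sentence was correctly changed from "Attack Surface Reduction" to "Exploit Protection" in the same hunk, so this is the one remaining copy-paste leftover in that block.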
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png b/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png new file mode 100644 index 0000000000..96d12d3af1 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif b/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif new file mode 100644 index 0000000000..68f057de3a Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif b/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif new file mode 100644 index 0000000000..55e77c546f Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png b/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png new file mode 100644 index 0000000000..d7b921aa69 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png new file mode 100644 index 0000000000..01801a519d Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png differ 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png new file mode 100644 index 0000000000..38404d7569 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png new file mode 100644 index 0000000000..3289ace8cf Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png new file mode 100644 index 0000000000..53edeb6135 Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png new file mode 100644 index 0000000000..5bc0f3e22b Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png differ diff --git a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 4aac198c95..c864cb9ed7 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md 
@@ -1,7 +1,7 @@ --- -title: Turn on the protected folders feature in Windows 10 -keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use -description: Learn how to protect your important files by enabling Controlled Folder Access +title: Deploy Exploit Protection mitigations across your organization +keywords: exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install +description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit Protection configuration. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -22,6 +23,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -32,15 +35,138 @@ ms.author: iawilt - Windows Defender Security Center app - Group Policy - PowerShell -- Configuration service providers for mobile device management +Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit Protection. + +You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. + +You can also convert and import an existing EMET configuration XML file into an Exploit Protection configuration XML. + +This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. + +The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit Protection and then review the settings in the Windows Defender Security Center app, as described further in this topic. + + + +## Create and export a configuration file + +Before you export a configuration file, you need to ensure you have the correct settings. + +You should first configure Exploit Protection on a single, dedicated machine. 
See the [Customize Exploit Protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations. + +When you have configured Exploit Protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell. + +### Use the Windows Defender Security Center app to export a configuration file + + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: + + ![](images/wdsc-exp-prot.png) + +3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. + + + ![](images/wdsc-exp-prot-export.png) + +>[!NOTE] +>When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. + + +### Use PowerShell to export a configuration file + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Get-ProcessMitigation -RegistryConfigFilePath filename.xml + ``` + +Change `filename` to any name or location of your choosing. + +> [!IMPORTANT] +> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. + + +## Import a configuration file + +You can import an Exploit Protection configuration file that you've previously created. 
You can only use PowerShell to import the configuration file. + +After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app. + +### Use PowerShell to import a configuration file + + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Set-ProcessMitigation -RegistryConfigFilePath filename.xml + ``` + +Change `filename` to the location and name of the Exploit Protection XML file. + +>[!IMPORTANT] +>Ensure you import a configuration file that is created specifically for Exploit Protection. You cannot directly import an EMET configuration file, you must convert it first. + + +## Convert an EMET configuration file to an Exploit Protection configuration file + +You can convert an existing EMET configuration file to the new format used by Exploit Protection. You must do this if you want to import an EMET configuration into Exploit Protection in Windows 10. + +You can only do this conversion in PowerShell. + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml + ``` + +Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use. + + +## Manage or deploy a configuration + +You can use Group Policy to deploy the configuration you've created to multiple machines in your network. + +> [!IMPORTANT] +> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. + +### Use Group Policy to distribute the configuration + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit Protection**. + + ![](images/exp-prot-gp.png) + +6. Double-click the **Use a common set of exploit protection settings** setting and set the option to **Enabled**. + +7. In the **Options::** section, enter the location and filename of the Exploit Protection configuration file that you want to use, such as in the following examples: + - C:\MitigationSettings\Config.XML + - \\Server\Share\Config.xml + - https://localhost:8080/Config.xml + +8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index c3559b3cdf..23953b3eb1 100644 
--- a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- @@ -21,6 +22,8 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators 
@@ -33,14 +36,15 @@ ms.author: iawilt - Configuration service providers for mobile device management -Network Protection help prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. By bringing smartscreen intel down onto the client, Network Protection block all outboud HTTP/S Traffic to low reputation sources based on Domain/Hostname +Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -As a part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), Network Protection reduces the attak surface of your devices from internet based threats. +It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). -Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection). +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -You can enable Network Protection in either block or auditing mode (non-blocking, Windows Defender Advanced Threat Protection events only) with Group Policy, PowerShell, or MDM settings with CSP. 
+Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +When Network Protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled. 
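Review bot: The rewritten SmartScreen sentence in the @@ -33,14 +36,15 @@ hunk keeps the typo "outboud" from the removed line and writes "HTTP(s)"; it should read "block all outbound HTTP(S) traffic". The added paragraph "When Network Protection blocks a connection, a notification will be displayed from the Action Center..." links to `customize-attack-surface-reduction.md#customize-the-notification` and ends with "You can also enable the rules individually to customize what techniques the feature monitors", which describes Attack Surface Reduction rules; Network Protection as presented in this topic is a single block-or-audit setting with no per-rule configuration, so remove that sentence or point the link at a Network Protection customization topic.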
@@ -58,15 +62,17 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De ## Review Network Protection events in Windows Event Viewer -You can review the Windows event log to see events there are created when Network Protection blocked access to a malicious IP or domain: +You can review the Windows event log to see events that are created when Network Protection blocks (or audits) access to a malicious IP or domain: -1. Download the [Exploit Guard Evaluation Package](#) and extract the file *np-events.xml* to an easily accessible location on the machine. +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 2. On the left panel, under **Actions**, click **Import custom view...** -3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [download the XML directly](scripts/np-events.xml). + ![](images/events-import.gif) + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. @@ -85,5 +91,5 @@ You can review the Windows event log to see events there are created when Networ Topic | Description ---|--- -[Evaluate Network Protection](evaluate-network-protection.md) | Undertake a number of scenarios that demonstrate how the feature works, and what events would typically be created. +[Evaluate Network Protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created. [Enable Network Protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network Protection feature in your network. \ No newline at end of file 
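Review bot: The edited table row in the @@ -85,5 +91,5 @@ hunk introduces two typos: "Undertake aa quick scenario that demonstrate how the feature works" should be "Undertake a quick scenario that demonstrates how the feature works". In the preceding @@ -58,15 +62,17 @@ hunk the steps are numbered 1, 1, 2, 3, 4 (the download step and the Event Viewer step both carry "1."); Markdown renumbers on render, but the source should be sequential to match the other topics touched by this change.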
diff --git a/windows/threat-protection/windows-defender-exploit-guard/prerelease.md b/windows/threat-protection/windows-defender-exploit-guard/prerelease.md new file mode 100644 index 0000000000..1164534c8a --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/prerelease.md @@ -0,0 +1,2 @@ +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml b/windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml deleted file mode 100644 index 4389422066..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC - 1121,1122,5007 - 0 - False - - - - Attack Surface Reduction view - - - - - - - - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/scripts/cfa-events.xml b/windows/threat-protection/windows-defender-exploit-guard/scripts/cfa-events.xml deleted file mode 100644 index c4d1efdeb0..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/scripts/cfa-events.xml +++ /dev/null @@ -1 +0,0 @@ -Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC1123,1124,50070FalseControlled Folder Access view \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml b/windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml deleted file mode 100644 index 7077dde1b9..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml +++ /dev/null 
@@ -1,21 +0,0 @@ - - - - - Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC - 1125,1126,5007 - 0 - False - - - - Network Protection view - - - - - - - - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/scripts/np-events.xml b/windows/threat-protection/windows-defender-exploit-guard/scripts/np-events.xml deleted file mode 100644 index 7077dde1b9..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/scripts/np-events.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC - 1125,1126,5007 - 0 - False - - - - Network Protection view - - - - - - - - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 7b87e5427a..7685caabc8 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt +ms.date: 08/25/2017 --- 
@@ -22,25 +23,27 @@ ms.author: iawilt - Windows 10 Insider Preview +[!include[Prerelease information](prerelease.md)] + **Audience** - Enterprise security administrators -Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities for Windows 10, allowing enterprise administrators to manage the attack surface of the OS & applications. By resticting the various vectors through which malware can cause harm to your devices, Windows Defender offers a defense in depth solution to keeping the enteprise safe. With a rich collection of tools and features based off the Intelligent Security Graph, Exploit Guard provides an easy to use experience that offers the best balance of security & productivity for an enterprise. +Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of the operating system and apps used by your employees. -You can use Windows Defender Exploit Guard (WDEG) to configure and manage any of the following functionalities: +There are four features in Windows Defender EG: -- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md) -- Reduce the attack surface of your applications with intelligent rule that stop vectors of office, script & mail based malware [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md) -- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on the device wwith [Network Protection](network-protection-exploit-guard.md) -- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md) -> How do we make the naming more clear here: could we go name first? 
+- [Exploit Protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps +- [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware +- [Network Protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices +- [Controlled Folder Access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware -Evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action: + +You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action: - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for Windows Defender EG, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security. +You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. 
This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security. Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes: - [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md) 
@@ -49,14 +52,14 @@ Windows Defender EG can be managed and reported on in the Windows Defender Secur - Windows Defender Device Guard - [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) -You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection). +You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Each of the features in Windows Defender EG have slightly different requirements: -Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection) +Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) -|-|-|- Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console -Attack Surface Reduction | Must be enabled | Required +Attack Surface Reduction | Must be enabled | Required for reporting in the Windows Defender ATP console Network Protection | Must be enabled | Required for reporting in the Windows Defender ATP console Controlled Folder Access | Must be enabled | Required for reporting in the Windows Defender ATP console 
@@ -68,7 +71,7 @@ Controlled Folder Access | Must be enabled | Required for reporting in the Windo Topic | Description ---|--- -[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. +[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. 
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md index bbf61ac092..00470f7842 100644 --- a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- @@ -146,15 +148,6 @@ Users can click on the displayed information to get more help: 9. Click **OK** after configuring each setting to save your changes. -### Use PowerShell to customize the notification - - - ->[!NOTE] ->Are there any PS cmdlets for customizing? What about CSPs for MDM? - - - >[!NOTE] >The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
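Review bot: The added sentence "You can also enable the rules individually to customize what techniques the feature monitors" in the network-protection-exploit-guard.md hunk does not fit Network Protection; the overview topic in this same patch describes Network Protection as an extension of Windows Defender SmartScreen to network traffic, and it is Attack Surface Reduction that is described as a set of rules, so the sentence reads as copied from that topic. Suggest dropping it, or replacing it with a pointer to the configuration Network Protection actually offers (audit mode and the notification customization already linked in the same paragraph).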
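Review bot: Typo in the changed "Evaluate Network Protection" table row: "Undertake aa quick scenario that demonstrate how the feature works" should read "Undertake a quick scenario that demonstrates how the feature works". Two smaller points in the same hunk: the added image `![](images/events-import.gif)` has empty alt text, so give it a description such as "Import custom view dialog in Event Viewer"; and the new link "[copy the XML directly](event-views-exploit-guard.md)" targets a page that is not added anywhere in the visible diff, so confirm it is part of this change set. The numbered list around it also runs 1, 1, 2, 3, 4; renumber it while the list is being edited.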
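Review bot: The deleted scripts/ep-events.xml has the same blob id (7077dde1b9) and the same body as scripts/np-events.xml ("Network Protection view", event IDs 1125,1126,5007), so it never held an Exploit Protection view; make sure the replacement event-views-exploit-guard.md page defines the Exploit Protection view with its own event IDs rather than carrying this content over. Also, the new prerelease.md is committed without a trailing newline ("\ No newline at end of file"), which most Markdown linters flag.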
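Review bot: In the windows-defender-exploit-guard.md overview hunk, the unchanged context line "threat mitigation, preventing, protection, and analysis technologies" mixes verb and noun forms; while this paragraph is being rewritten, change "preventing" to "prevention". Dropping the "-> How do we make the naming more clear here" author note is right, and the new name-first bullets answer it; the "fully enabled." / "This can be useful..." split at the end of the hunk should be checked so the second sentence is not left as a stray line after the rewritten paragraph.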
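Review bot: The requirements table in the windows-defender-exploit-guard.md hunk has a three-column header but its delimiter row "-|-|-|-" has four cells; GitHub-flavored Markdown requires the delimiter row to match the header, so fix it to "-|-|-" while the link extensions in the header are being corrected. The change of the Attack Surface Reduction row from "Required" to "Required for reporting in the Windows Defender ATP console" brings it in line with the other three rows.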
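Review bot: The "Protect devices from exploits" row fixes only the link extension and keeps "many of the features in now-retired Enhanced Mitigations Experience Toolkit"; the product name is the Enhanced Mitigation Experience Toolkit (EMET) and the article is missing. Suggest "many of the features in the now-retired Enhanced Mitigation Experience Toolkit (EMET)".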
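Review bot: Removing the empty "### Use PowerShell to customize the notification" section in windows-defender-security-center.md also drops the open question in its NOTE about PowerShell cmdlets and MDM CSPs; if that was a tracked work item, record it elsewhere, and check that no TOC entry or in-page anchor still points at the removed heading. After the deletion the remaining "[!NOTE]" block follows step 9 directly, so keep a blank line before it to make sure it is not rendered as part of the numbered list.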