diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 7c699b0382..940e812a79 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -2915,6 +2915,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+ Security/RecoveryEnvironmentAuthentication
+
Security/RequireDeviceEncryption
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index e0557a49ab..0deb6e2076 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -11,6 +11,8 @@ ms.date: 07/30/2018
# Policy CSP - Security
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
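Review bot: "prereleased product" in the new warning text should read "prerelease product" (the adjective form); the rest of the disclaimer is fine. A blank line between the `# Policy CSP - Security` heading and the `> [!WARNING]` block would also keep the source consistent with the spacing used between blocks elsewhere in this file.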
@@ -43,6 +45,9 @@ ms.date: 07/30/2018
Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+ Security/RecoveryEnvironmentAuthentication
+
Security/RequireDeviceEncryption
@@ -488,6 +493,87 @@ The following list shows the supported values:
+
+**Security/RecoveryEnvironmentAuthentication**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Added in Windows 10, next major version. This policy controls the Admin Authentication requirement in RecoveryEnvironment.
+
+Supported values:
+- 0 - Default: Keep using default(current) behavior
+- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment
+- 2 - NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment
+
+
+
+
+
+
+
+
+
+**Validation procedure**
+
+The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE.
+The process of starting Push Button Reset (PBR) in WinRE:
+
+1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE.
+1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything".
+
+If the MDM policy is set to "Default" (0) or does not exist, the admin authentication flow should work as default behavior:
+
+1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication.
+1. Click "<-" (right arrow) button and choose "Remove everything", it should not pop up admin authentication and just go to PBR options.
+
+If the MDM policy is set to "RequireAuthentication" (1)
+
+1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication.
+1. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication.
+
+If the MDM policy is set to "NoRequireAuthentication" (2)
+
+1. Start PBR in WinRE, choose "Keep my files", it should not pop up admin authentication.
+1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back.
+1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it should not pop up admin authentication neither.
+
+
+
+
+
+
**Security/RequireDeviceEncryption**
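Review bot: the policy description ("This policy controls the Admin Authentication requirement in RecoveryEnvironment.") never says what the default (0) behaviour is, so an administrator reading only the Supported values list cannot tell what "Keep using default(current) behavior" means; the validation procedure further down spells it out ("Keep my files" prompts for admin authentication, "Remove everything" does not), and that sentence belongs in the policy description itself. The description should also state plainly that value 2 (NoRequireAuthentication) removes the admin-authentication prompt from both Reset paths in WinRE, since that is a deliberate weakening an administrator should opt into knowingly, and the Scope checklist lists both User and Device even though the policy governs the recovery environment (the validation steps boot into WinRE via `reagentc /boottore`); please confirm User scope is really supported, and drop it if not. Smaller fixes in the same hunk: `Click "<-" (right arrow) button` describes a left arrow; "wait unit the UI is back" should be "wait until"; "it should not pop up admin authentication neither" should end in "either"; "Refresh (...) and Reset (...) requires" should be "require"; and "default(current)" needs a space.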
@@ -661,6 +747,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in the next major release of Windows 10.
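Review bot: the new footnote "Added in the next major release of Windows 10." uses a different phrasing from the four entries above it and from the policy text added in the same patch ("Added in Windows 10, next major version."); using one form, e.g. `- 5 - Added in Windows 10, next major version.`, avoids having to reconcile two wordings for the same release when the version number is known.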