diff --git a/.clang-format b/.clang-format
index 5a40766bbe63e..d1b81493989a0 100644
--- a/.clang-format
+++ b/.clang-format
@@ -12,6 +12,43 @@ Standard: Cpp11
 InsertBraces: true
 InsertNewlineAtEOF: true
 
+# Sort #includes by following
+# https://google.github.io/styleguide/cppguide.html#Names_and_Order_of_Includes
+#
+# ref: https://clang.llvm.org/docs/ClangFormatStyleOptions.html#includeblocks
+IncludeBlocks: Regroup
+# ref: https://clang.llvm.org/docs/ClangFormatStyleOptions.html#includecategories
+IncludeCategories:
+  # The win32 api has all sorts of implicit include order dependencies :-/
+  # Give a few headers special priorities that make sure they appear before
+  # all other headers.
+  # Sync this with SerializeIncludes in tools/add_header.py.
+  # TODO(crbug.com/329138753): remove include sorting from tools/add_header.py
+  # after confirming clang-format sort works well.
+  # LINT.IfChange(winheader)
+  - Regex:           '^<objbase\.h>' # This has to be before initguid.h.
+    Priority:        1
+  - Regex:           '^<(initguid|mmdeviceapi|windows|winsock2|ws2tcpip|shobjidl|atlbase|ole2|unknwn|tchar)\.h>'
+    Priority:        2
+  # LINT.ThenChange(/tools/add_header.py:winheader)
+  # UIAutomation*.h need to be after base/win/atl.h.
+  # Note the low priority number.
+  - Regex:           '^<UIAutomation.*\.h>'
+    Priority:        6
+  # Other C system headers.
+  - Regex:           '^<.*\.h>'
+    Priority:        3
+  # C++ standard library headers.
+  - Regex:           '^<.*'
+    Priority:        4
+  # Other libraries.
+  - Regex:           '.*'
+    Priority:        5
+# ref: https://clang.llvm.org/docs/ClangFormatStyleOptions.html#includeismainregex
+IncludeIsMainRegex: "\
+(_(android|apple|chromeos|freebsd|fuchsia|fuzzer|ios|linux|mac|nacl|openbsd|posix|stubs?|win))?\
+(_(unit|browser|perf)?tests?)?$"
+
 # Make sure code like:
 # IPC_BEGIN_MESSAGE_MAP()
 #   IPC_MESSAGE_HANDLER(WidgetHostViewHost_Update, OnUpdate)
diff --git a/base/win/atl.h b/base/win/atl.h
index 7a2826ef77131..dbdca27e07ea4 100644
--- a/base/win/atl.h
+++ b/base/win/atl.h
@@ -10,14 +10,20 @@
 // Undefine before windows header will make the poisonous defines
 #include "base/win/windows_undefines.inc"
 
+// clang-format off
 // Declare our own exception thrower (atl_throw.h includes atldef.h).
 #include "base/win/atl_throw.h"
+// clang-format on
+
+// Now include the real ATL headers.
+#include <atlbase.h>  // NOLINT(build/include_order)
 
-#include <atlbase.h>      // NOLINT(build/include_order)
 #include <atlcom.h>       // NOLINT(build/include_order)
+#include <atlcomcli.h>    // NOLINT(build/include_order)
 #include <atlctl.h>       // NOLINT(build/include_order)
 #include <atlhost.h>      // NOLINT(build/include_order)
 #include <atlsecurity.h>  // NOLINT(build/include_order)
+#include <atltypes.h>     // NOLINT(build/include_order)
 #include <atlwin.h>       // NOLINT(build/include_order)
 
 // Undefine the poisonous defines
diff --git a/base/win/sid_unittest.cc b/base/win/sid_unittest.cc
index 620974f52016c..edc3d43b9de39 100644
--- a/base/win/sid_unittest.cc
+++ b/base/win/sid_unittest.cc
@@ -6,9 +6,7 @@
 
 #include "base/win/sid.h"
 
-// clang-format off
-#include <windows.h>  // Must be in front of other Windows header files.
-// clang-format on
+#include <windows.h>
 
 #include <sddl.h>
 
diff --git a/chrome/credential_provider/gaiacp/gaia_credential_other_user_unittests.cc b/chrome/credential_provider/gaiacp/gaia_credential_other_user_unittests.cc
index ed7ed56cffcc7..a8a19a4284bc9 100644
--- a/chrome/credential_provider/gaiacp/gaia_credential_other_user_unittests.cc
+++ b/chrome/credential_provider/gaiacp/gaia_credential_other_user_unittests.cc
@@ -2,15 +2,13 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "base/win/atl.h"
-
-#include <atlcomcli.h>
 #include <wrl/client.h>
 
 #include "base/json/json_writer.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/win/atl.h"
 #include "chrome/browser/ui/startup/credential_provider_signin_dialog_win_test_data.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/credential_provider/common/gcp_strings.h"
diff --git a/chrome/credential_provider/gaiacp/gaia_credential_provider_unittests.cc b/chrome/credential_provider/gaiacp/gaia_credential_provider_unittests.cc
index 04f426d70ebe5..243b2cfba0cf2 100644
--- a/chrome/credential_provider/gaiacp/gaia_credential_provider_unittests.cc
+++ b/chrome/credential_provider/gaiacp/gaia_credential_provider_unittests.cc
@@ -2,9 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "base/win/atl.h"
+#include "chrome/credential_provider/gaiacp/gaia_credential_provider.h"
 
-#include <atlcomcli.h>
 #include <credentialprovider.h>
 #include <wrl/client.h>
 
@@ -13,10 +12,10 @@
 
 #include "base/strings/utf_string_conversions.h"
 #include "base/synchronization/waitable_event.h"
+#include "base/win/atl.h"
 #include "base/win/win_util.h"
 #include "chrome/credential_provider/common/gcp_strings.h"
 #include "chrome/credential_provider/gaiacp/auth_utils.h"
-#include "chrome/credential_provider/gaiacp/gaia_credential_provider.h"
 #include "chrome/credential_provider/gaiacp/gaia_credential_provider_i.h"
 #include "chrome/credential_provider/gaiacp/gcpw_strings.h"
 #include "chrome/credential_provider/gaiacp/mdm_utils.h"
diff --git a/chrome/credential_provider/gaiacp/gaia_credential_unittests.cc b/chrome/credential_provider/gaiacp/gaia_credential_unittests.cc
index a50dacf71b489..a0d7540be198e 100644
--- a/chrome/credential_provider/gaiacp/gaia_credential_unittests.cc
+++ b/chrome/credential_provider/gaiacp/gaia_credential_unittests.cc
@@ -2,19 +2,18 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "base/win/atl.h"
+#include "chrome/credential_provider/gaiacp/gaia_credential.h"
 
-#include <atlcomcli.h>
 #include <wrl/client.h>
 
 #include "base/json/json_writer.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/win/atl.h"
 #include "chrome/browser/ui/startup/credential_provider_signin_dialog_win_test_data.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/credential_provider/common/gcp_strings.h"
-#include "chrome/credential_provider/gaiacp/gaia_credential.h"
 #include "chrome/credential_provider/gaiacp/gaia_credential_provider_i.h"
 #include "chrome/credential_provider/gaiacp/gaia_resources.h"
 #include "chrome/credential_provider/gaiacp/gcp_utils.h"
diff --git a/chrome/credential_provider/gaiacp/reauth_credential_unittests.cc b/chrome/credential_provider/gaiacp/reauth_credential_unittests.cc
index d45e7d941237e..916625dab9512 100644
--- a/chrome/credential_provider/gaiacp/reauth_credential_unittests.cc
+++ b/chrome/credential_provider/gaiacp/reauth_credential_unittests.cc
@@ -4,7 +4,6 @@
 
 #include "base/win/atl.h"
 
-#include <atlcomcli.h>
 #include <wrl/client.h>
 
 #include "base/command_line.h"
diff --git a/chrome/credential_provider/test/com_fakes.h b/chrome/credential_provider/test/com_fakes.h
index 9e4574de2870b..908af8225da47 100644
--- a/chrome/credential_provider/test/com_fakes.h
+++ b/chrome/credential_provider/test/com_fakes.h
@@ -5,9 +5,7 @@
 #ifndef CHROME_CREDENTIAL_PROVIDER_TEST_COM_FAKES_H_
 #define CHROME_CREDENTIAL_PROVIDER_TEST_COM_FAKES_H_
 
-#include "base/win/atl.h"
 
-#include <atlcomcli.h>
 #include <credentialprovider.h>
 #include <propkey.h>
 
@@ -15,6 +13,7 @@
 #include <unordered_map>
 #include <vector>
 
+#include "base/win/atl.h"
 #include "chrome/credential_provider/gaiacp/gaia_credential_provider.h"
 #include "chrome/credential_provider/gaiacp/gaia_credential_provider_i.h"
 #include "chrome/credential_provider/test/test_credential_provider.h"
diff --git a/chrome/credential_provider/test/gcp_setup_unittests.cc b/chrome/credential_provider/test/gcp_setup_unittests.cc
index 70bb94ca3a9cc..558f6f7b75a77 100644
--- a/chrome/credential_provider/test/gcp_setup_unittests.cc
+++ b/chrome/credential_provider/test/gcp_setup_unittests.cc
@@ -2,12 +2,10 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "base/win/atl.h"
+#include <unknwn.h>
 
-#include <atlcomcli.h>
 #include <datetimeapi.h>
 #include <lmerr.h>
-#include <unknwn.h>
 #include <wrl/client.h>
 
 #include <memory>
@@ -29,6 +27,7 @@
 #include "base/syslog_logging.h"
 #include "base/test/scoped_path_override.h"
 #include "base/test/test_reg_util_win.h"
+#include "base/win/atl.h"
 #include "base/win/registry.h"
 #include "base/win/scoped_com_initializer.h"
 #include "base/win/win_util.h"
diff --git a/chrome/credential_provider/test/test_credential.h b/chrome/credential_provider/test/test_credential.h
index 0fb6482d5f7ca..e4acfc4d5d366 100644
--- a/chrome/credential_provider/test/test_credential.h
+++ b/chrome/credential_provider/test/test_credential.h
@@ -5,9 +5,6 @@
 #ifndef CHROME_CREDENTIAL_PROVIDER_TEST_TEST_CREDENTIAL_H_
 #define CHROME_CREDENTIAL_PROVIDER_TEST_TEST_CREDENTIAL_H_
 
-#include "base/win/atl.h"
-
-#include <atlcomcli.h>
 #include <credentialprovider.h>
 
 #include <memory>
@@ -16,6 +13,7 @@
 #include "base/command_line.h"
 #include "base/strings/string_util.h"
 #include "base/synchronization/waitable_event.h"
+#include "base/win/atl.h"
 #include "chrome/credential_provider/common/gcp_strings.h"
 #include "chrome/credential_provider/gaiacp/gaia_credential_base.h"
 #include "chrome/credential_provider/test/gls_runner_test_base.h"
diff --git a/chrome/credential_provider/test/test_credential_provider.h b/chrome/credential_provider/test/test_credential_provider.h
index c5fe7853bbc4a..ff3951e048d7b 100644
--- a/chrome/credential_provider/test/test_credential_provider.h
+++ b/chrome/credential_provider/test/test_credential_provider.h
@@ -7,8 +7,6 @@
 
 #include "base/win/atl.h"
 
-#include <atlcomcli.h>
-
 namespace credential_provider {
 
 namespace testing {
diff --git a/chrome/updater/win/ui/owner_draw_controls.h b/chrome/updater/win/ui/owner_draw_controls.h
index 86c5d0caf2837..0b468f1c67bc5 100644
--- a/chrome/updater/win/ui/owner_draw_controls.h
+++ b/chrome/updater/win/ui/owner_draw_controls.h
@@ -8,9 +8,6 @@
 #include <windows.h>
 
 #include "base/win/atl.h"
-
-#include <atltypes.h>
-
 #include "chrome/updater/win/ui/ui_constants.h"
 #include "third_party/wtl/include/atlapp.h"
 #pragma clang diagnostic push
diff --git a/tools/add_header.py b/tools/add_header.py
index d82c8b799582b..2029ef233ef93 100755
--- a/tools/add_header.py
+++ b/tools/add_header.py
@@ -342,6 +342,7 @@ def SerializeIncludes(includes):
   """
   source = []
 
+  # LINT.IfChange(winheader)
   special_headers = [
       # Must be included before ws2tcpip.h.
       # Doesn't need to be included before <windows.h> with
@@ -364,8 +365,14 @@ def SerializeIncludes(includes):
       '<objbase.h>',
       # Must be before tpcshrd.h.
       '<tchar.h>',
+      # Must be before functiondiscoverykeys_devpkey.h.
+      '<mmdeviceapi.h>',
+      # Must be before emi.h.
+      '<initguid.h>',
   ]
 
+  # LINT.ThenChange(/.clang-format:winheader)
+
   # Ensure that headers are sorted as follows:
   #
   # 1. The primary header, if any, appears first.
diff --git a/ui/accessibility/platform/ax_platform_node_textrangeprovider_win_fuzzer.cc b/ui/accessibility/platform/ax_platform_node_textrangeprovider_win_fuzzer.cc
index 336cb8ae5f466..2c9d188acde3a 100644
--- a/ui/accessibility/platform/ax_platform_node_textrangeprovider_win_fuzzer.cc
+++ b/ui/accessibility/platform/ax_platform_node_textrangeprovider_win_fuzzer.cc
@@ -2,11 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "base/win/atl.h"  // Must be before UIAutomationCore.h
-
-#include <UIAutomationClient.h>
-#include <UIAutomationCore.h>
-#include <UIAutomationCoreApi.h>
+#include "ui/accessibility/platform/ax_platform_node_textrangeprovider_win.h"
 
 #include <memory>
 #include <tuple>
@@ -32,9 +28,12 @@
 #include "ui/accessibility/ax_tree_update.h"
 #include "ui/accessibility/platform/ax_fragment_root_delegate_win.h"
 #include "ui/accessibility/platform/ax_fragment_root_win.h"
-#include "ui/accessibility/platform/ax_platform_node_textrangeprovider_win.h"
 #include "ui/accessibility/platform/test_ax_node_wrapper.h"
 
+#include <UIAutomationClient.h>
+#include <UIAutomationCore.h>
+#include <UIAutomationCoreApi.h>
+
 using Microsoft::WRL::ComPtr;
 
 // We generate positions using fuzz data, this constant should be aligned
diff --git a/ui/accessibility/platform/ax_platform_node_win_unittest.h b/ui/accessibility/platform/ax_platform_node_win_unittest.h
index 2f65b124aa9d9..7e093876adb60 100644
--- a/ui/accessibility/platform/ax_platform_node_win_unittest.h
+++ b/ui/accessibility/platform/ax_platform_node_win_unittest.h
@@ -5,15 +5,14 @@
 #ifndef UI_ACCESSIBILITY_PLATFORM_AX_PLATFORM_NODE_WIN_UNITTEST_H_
 #define UI_ACCESSIBILITY_PLATFORM_AX_PLATFORM_NODE_WIN_UNITTEST_H_
 
-#include "ui/accessibility/platform/ax_platform_node_unittest.h"
-
 #include <memory>
 #include <unordered_set>
 
 #include "base/test/scoped_feature_list.h"
-#include "base/win/atl.h"  // Must be before UIAutomationCore.h
+#include "base/win/atl.h"
 #include "ui/accessibility/ax_position.h"
 #include "ui/accessibility/platform/ax_fragment_root_delegate_win.h"
+#include "ui/accessibility/platform/ax_platform_node_unittest.h"
 #include "ui/accessibility/platform/sequence_affine_com_object_root_win.h"
 
 #include <UIAutomationCore.h>