Move articles to os-security and refresh

This commit is contained in:
Vinay Pamnani 2023-12-26 11:43:20 -05:00
parent d5e76d21f6
commit 0430f10e62
14 changed files with 157 additions and 191 deletions

@ -15,6 +15,21 @@
"redirect_url": "/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control", "redirect_url": "/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
"redirect_document_id": false "redirect_document_id": false
}, },
{
"source_path": "windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md",
"redirect_url": "/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md",
"redirect_url": "/windows/security/operating-system-security/device-management/block-untrusted-fonts-in-enterprise",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md",
"redirect_url": "/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
"redirect_document_id": false
},
{ {
"source_path": "windows/security//threat-protection/mbsa-removal-and-guidance.md", "source_path": "windows/security//threat-protection/mbsa-removal-and-guidance.md",
"redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance", "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance",

@ -193,7 +193,7 @@
"operating-system-security/data-protection/personal-data-encryption/*.yml": [ "operating-system-security/data-protection/personal-data-encryption/*.yml": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>" "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
], ],
"operating-system-security/device-management/windows-security-configuration-framework/**/*.md": [ "operating-system-security/device-management/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>", "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>", "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>", "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",

@ -1,34 +1,24 @@
--- ---
title: Block untrusted fonts in an enterprise title: Block untrusted fonts in an enterprise
description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature.
ms.reviewer:
ms.prod: windows-client
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 08/14/2017
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-security ms.topic: how-to
ms.topic: reference ms.date: 12/22/2023
--- ---
# Block untrusted fonts in an enterprise # Block untrusted fonts in an enterprise
**Applies to:** To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we've created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%\Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
- Windows 10
> Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we've created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
## What does this mean for me? ## What does this mean for me?
Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature isn't turned on. Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature isn't turned on.
## How does this feature work? ## How does this feature work?
There are three ways to use this feature: There are three ways to use this feature:
- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. - **On.** Helps stop any font processed using GDI from loading outside of the `%windir%\Fonts` directory. It also turns on event logging.
- **Audit.** Turns on event logging, but doesn't block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log. - **Audit.** Turns on event logging, but doesn't block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.
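Review bot: the "**Applies to:** Windows 10" block and the "Compare Windows 10 Editions" note are dropped with nothing replacing them in the article body; if the intent is to rely on docfx metadata for applies-to, state that in the PR, and check that removing `ms.reviewer`, `author`, `ms.author` and `manager` does not fall foul of the repo's required front-matter keys. The change from `%windir%/Fonts` to `%windir%\Fonts` in the intro and in the **On** bullet is correct for a Windows path.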
@ -38,110 +28,95 @@ There are three ways to use this feature:
- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). - **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
## Potential reductions in functionality ## Potential reductions in functionality
After you turn on this feature, your employees might experience reduced functionality when: After you turn on this feature, your employees might experience reduced functionality when:
- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn't been excluded. In this situation, any fonts that aren't already available in the server's %windir%/Fonts folder won't be used. - Sending a print job to a remote printer server that uses this feature and where the spooler process hasn't been excluded. In this situation, any fonts that aren't already available in the server's %windir%/Fonts folder won't be used.
- Printing using fonts provided by the installed printer's graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls). - Printing using fonts provided by the installed printer's graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls).
- Using first or third-party apps that use memory-based fonts. - Using first or third-party apps that use memory-based fonts.
- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently. - Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.
- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. - Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
## Turn on and use the Blocking Untrusted Fonts feature ## Turn on and use the Blocking Untrusted Fonts feature
Use Group Policy or the registry to turn this feature on, off, or to use audit mode. Use Group Policy or the registry to turn this feature on, off, or to use audit mode.
**To turn on and use the Blocking Untrusted Fonts feature through Group Policy** **To turn on and use the Blocking Untrusted Fonts feature through Group Policy**
1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. 1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`.
2. Click **Enabled** to turn on the feature, and then click one of the following **Mitigation Options**: 2. Click **Enabled** to turn on the feature, and then click one of the following **Mitigation Options**:
- **Block untrusted fonts and log events.** Turns on the feature, blocking untrusted fonts and logging installation attempts to the event log. - **Block untrusted fonts and log events.** Turns on the feature, blocking untrusted fonts and logging installation attempts to the event log.
- **Do not block untrusted fonts.** Turns on the feature, but doesn't block untrusted fonts nor does it log installation attempts to the event log. - **Do not block untrusted fonts.** Turns on the feature, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
- **Log events without blocking untrusted fonts**. Turns on the feature, logging installation attempts to the event log, but not blocking untrusted fonts. - **Log events without blocking untrusted fonts**. Turns on the feature, logging installation attempts to the event log, but not blocking untrusted fonts.
3. Click **OK**. 3. Click **OK**.
**To turn on and use the Blocking Untrusted Fonts feature through the registry** **To turn on and use the Blocking Untrusted Fonts feature through the registry**
To turn this feature on, off, or to use audit mode: To turn this feature on, off, or to use audit mode:
1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. 1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`.
2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.
3. Right click on the **MitigationOptions** key, and then click **Modify**. The **Edit QWORD (64-bit) Value** box opens.
3. Right click on the **MitigationOptions** key, and then click **Modify**.
The **Edit QWORD (64-bit) Value** box opens.
4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: 4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below:
- **To turn this feature on.** Type **1000000000000**. - **To turn this feature on.** Type **1000000000000**.
- **To turn this feature off.** Type **2000000000000**. - **To turn this feature off.** Type **2000000000000**.
- **To audit with this feature.** Type **3000000000000**. - **To audit with this feature.** Type **3000000000000**.
> [!Important] > [!IMPORTANT]
> Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. > Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.
5. Restart your computer. 5. Restart your computer.
## View the event log ## View the event log
After you turn on this feature, or start using Audit mode, you can look at your event logs for details. After you turn on this feature, or start using Audit mode, you can look at your event logs for details.
**To look at your event log** **To look at your event log**
1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**. 1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**.
2. Scroll down to **EventID: 260** and review the relevant events. 2. Scroll down to **EventID: 260** and review the relevant events.
**Event Example 1 - MS Word**<br> **Event Example 1 - MS Word**
WINWORD.EXE attempted loading a font that is restricted by font-loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: true
> [!NOTE] > WINWORD.EXE attempted loading a font that is restricted by font-loading policy.<br>
> Because the **FontType** is *Memory*, there's no associated **FontPath**. > FontType: Memory<br>
> FontPath:<br>
> Blocked: true<br>
**Event Example 2 - Winlogon**<br> > [!NOTE]
Winlogon.exe attempted loading a font that is restricted by font-loading policy.<br> > Because the **FontType** is *Memory*, there's no associated **FontPath**.
FontType: File<br>
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
Blocked: true
> [!NOTE] **Event Example 2 - Winlogon**
> Because the **FontType** is *File*, there's also an associated **FontPath**.
**Event Example 3 - Internet Explorer running in Audit mode**<br> > Winlogon.exe attempted loading a font that is restricted by font-loading policy.<br>
Iexplore.exe attempted loading a font that is restricted by font-loading policy.<br> > FontType: File<br>
FontType: Memory<br> > FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
FontPath:<br> > Blocked: true<br>
Blocked: false
> [!NOTE] > [!NOTE]
> In Audit mode, the problem is recorded, but the font isn't blocked. > Because the **FontType** is *File*, there's also an associated **FontPath**.
**Event Example 3 - Internet Explorer running in Audit mode**
> Iexplore.exe attempted loading a font that is restricted by font-loading policy.<br>
> FontType: Memory<br>
> FontPath:<br>
> Blocked: false<br>
> [!NOTE]
> In Audit mode, the problem is recorded, but the font isn't blocked.
## Fix apps having problems because of blocked fonts ## Fix apps having problems because of blocked fonts
Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
After you figure out the problematic fonts, you can try to fix your apps in two ways: by directly installing the fonts into the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps because excluded apps can load any font, trusted or untrusted. After you figure out the problematic fonts, you can try to fix your apps in two ways: by directly installing the fonts into the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps because excluded apps can load any font, trusted or untrusted.
**To fix your apps by installing the problematic fonts (recommended)** **To fix your apps by installing the problematic fonts (recommended)**
- On each computer with the app installed, right-click on the font name and click **Install**.<p>The font should automatically install into your `%windir%/Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there. On each computer with the app installed, right-click on the font name and click **Install**. The font should automatically install into your `%windir%\Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there.
**To fix your apps by excluding processes** **To fix your apps by excluding processes**
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`.<br><br>For example, if you want to exclude Microsoft Word processes, you'd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. 1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`.For example, if you want to exclude Microsoft Word processes, you'd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
2. Add other processes that need to be excluded here, and then turn on the Blocking untrusted fonts feature, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. 2. Add other processes that need to be excluded here, and then turn on the Blocking untrusted fonts feature, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article.
## Related content
- [Dropping the "Untrusted Font Blocking" setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/)
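Review bot: removing the `<br><br>` in step 1 of "To fix your apps by excluding processes" leaves `...Image File Execution Options\<process_image_name>`.For example,` with no space after the period; add a space or keep a line break there. The path fix to `%windir%\Fonts` is applied in the intro and in the "install the problematic fonts" step, but the unchanged bullets under "Potential reductions in functionality" and the first paragraph of "Fix apps having problems because of blocked fonts" still read `%windir%/Fonts`, so the article now mixes both forms; fix those lines in the same pass. Minor: each event example now carries a trailing `<br>` on its last quoted line (`> Blocked: true<br>`), which is unnecessary, and because each `> [!NOTE]` immediately follows the event quote, make sure a blank line separates them so the alert renders as its own block instead of continuing the event quote.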

@ -0,0 +1,59 @@
---
title: Override Process Mitigation Options
description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
ms.localizationpriority: medium
ms.topic: how-to
ms.date: 12/22/2023
---
# Override Process Mitigation Options to help enforce app-related security policies
Windows includes group policy-configurable "Process Mitigation Options" that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code.
> [!IMPORTANT]
> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization's required apps.
The Group Policy settings in this topic are related to three types of process mitigations. All three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are:
- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention).
- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`.
The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
**To modify Process Mitigation Options**
1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting.
![Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png)
2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you'll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
> [!IMPORTANT]
> For each app you want to include, you must include:
> - **Value name.** The app file name, including the extension. For example, `iexplore.exe`.
> - **Value.** A bit field with a series of bit flags in particular positions. Bits can be set to `0` (where the setting is forced off), `1` (where the setting is forced on), or `?` (where the setting retains the previous, existing value).
> Setting bit flags in positions not specified here to anything other than `?` might cause undefined behavior.
![Group Policy editor: Process Mitigation Options with Show Contents box and example text.](images/gp-process-mitigation-options-show.png)
## Setting the bit field
Here's a visual representation of the bit flag locations for the various Process Mitigation Options settings:
![Visual representation of the bit flag locations for the Process Mitigation Options settings.](images/gp-process-mitigation-options-bit-flag-image.png)
Where the bit flags are read from right to left and are defined as:
| Flag | Bit location | Setting | Details |
|------|--------------|-----------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| A | 0 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` | Turns on Data Execution Prevention (DEP) for child processes. |
| B | 1 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` | Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
| C | 2 | `PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` | Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
| D | 8 | `PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` | Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section won't be loaded if relocations are required. |
| E | 15 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` | Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
| F | 16 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` | Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
### Example
If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, you'd want to type a value of `???????????????0???????1???????1`.
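Review bot: in the bit-field table the "Bit location" column disagrees with the hex masks for the last two rows: `0x00010000` is bit 16 and `0x00020000` is bit 17, but rows E and F say 15 and 16 (rows A to D are consistent: `0x00000001`, `0x00000002`, `0x00000004` and `0x00000100` are bits 0, 1, 2 and 8). The example string `???????????????0???????1???????1` places the `0` for flag F seven positions left of the `1` for flag D, that is at position 16 counting the rightmost character as 0, so it follows the table rather than the mask. Since this file is moved verbatim, either correct the column and the example against the `PROCESS_CREATION_MITIGATION_POLICY_*` definitions here or track it in a follow-up so the move does not re-bless the discrepancy. Also note that the three links to `../../threat-protection/overview-of-threat-mitigations-in-windows-10.md` resolve from the new location only as long as that folder stays where it is.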

@ -11,8 +11,8 @@ items:
- name: More Windows security - name: More Windows security
items: items:
- name: Override Process Mitigation Options to help enforce app-related security policies - name: Override Process Mitigation Options to help enforce app-related security policies
href: ../../threat-protection/override-mitigation-options-for-app-related-security-policies.md href: override-mitigation-options-for-app-related-security-policies.md
- name: Use Windows Event Forwarding to help with intrusion detection - name: Use Windows Event Forwarding to help with intrusion detection
href: ../../threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md href: use-windows-event-forwarding-to-assist-in-intrusion-detection.md
- name: Block untrusted fonts in an enterprise - name: Block untrusted fonts in an enterprise
href: ../../threat-protection/block-untrusted-fonts-in-enterprise.md href: block-untrusted-fonts-in-enterprise.md

@ -1,22 +1,13 @@
--- ---
title: Use Windows Event Forwarding to help with intrusion detection title: Use Windows Event Forwarding to help with intrusion detection
description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
ms.prod: windows-client
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 02/28/2019
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-security
ms.topic: how-to ms.topic: how-to
ms.date: 12/22/2023
--- ---
# Use Windows Event Forwarding to help with intrusion detection # Use Windows Event Forwarding to help with intrusion detection
**Applies to**
- Windows 10
- Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server. Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
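Review bot: the removed "**Applies to** Windows 10 / Windows Server" list is not replaced in the body, so the docfx glob for device-management now supplies the applies-to badges; verify that the versions it lists match what this WEF guidance was written and tested for, since the old list named Windows Server without a version. Minor and pre-existing: the first body paragraph repeats the `description` field word for word; while the front matter is being refreshed, replace it with a proper introduction.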
@ -41,7 +32,8 @@ Event generation on a device must be enabled either separately or as part of the
For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb).
>**Note:**  These are only minimum values need to meet what the WEF subscription selects. > [!NOTE]
> These are only minimum values need to meet what the WEF subscription selects.
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts' direction. All devices should have access to the Baseline subscription. From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts' direction. All devices should have access to the Baseline subscription.
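Review bot: the text moved into the new `> [!NOTE]` block still reads "These are only minimum values need to meet what the WEF subscription selects"; since the line is rewritten anyway, fix the grammar ("These are only the minimum values needed to meet what the WEF subscription selects"). The context line above it reads "Appendix A - Minimum recommended minimum audit policy", a doubled "minimum" that should be made to match the appendix heading.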
@ -52,9 +44,9 @@ This system of dual subscription means you would create two base subscriptions:
Each using the respective event query below. For the Targeted subscription, enabling the "read existing events" option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. Each using the respective event query below. For the Targeted subscription, enabling the "read existing events" option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
In [Appendix E Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These subscriptions are annotated for query purpose and clarity. Individual &lt;Query&gt; element can be removed or edited without affecting the rest of the query. In [Appendix E - Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F - Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These subscriptions are annotated for query purpose and clarity. Individual `<Query>` element can be removed or edited without affecting the rest of the query.
### Common WEF questions ## Common WEF questions
This section addresses common questions from IT pros and customers. This section addresses common questions from IT pros and customers.
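Review bot: the rewritten Appendix E/F sentence still has a number-agreement error, "Individual `<Query>` element can be removed or edited"; since this line is already touched for the link text and the backtick fix, make it "Individual `<Query>` elements can be removed or edited without affecting the rest of the query." Promoting "Common WEF questions" from `###` to `##` is consistent with the level-3 question headings that follow it, so that part is fine.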
@ -91,13 +83,13 @@ The HTTPS option is available if certificate based authentication is used, in ca
### Do WEF Clients have a separate buffer for events? ### Do WEF Clients have a separate buffer for events?
The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the "buffer size", increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the "buffer size", increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C - Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc).
When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event Collector), there's no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event Collector), there's no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream.
### What format is used for forwarded events? ### What format is used for forwarded events?
WEF has two modes for forwarded events. The default is "Rendered Text" that includes the textual description of the event as you would see it in Event Viewer. This description's inclusion means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is "Events" (also sometimes referred to as "Binary" format) which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This format is compact and can more than double the event volume a single WEC server can accommodate. WEF has two modes for forwarded events. The default is "Rendered Text" that includes the textual description of the event as you would see it in Event Viewer. This description's inclusion means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is "Events" (also sometimes referred to as "Binary" format) - which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This format is compact and can more than double the event volume a single WEC server can accommodate.
A subscription "testSubscription" can be configured to use the Events format through the WECUTIL utility: A subscription "testSubscription" can be configured to use the Events format through the WECUTIL utility:
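Review bot: the buffer paragraph's "The WEF client machines local event log" needs the possessive "machine's", and this line is already being edited for the Appendix C link, so fix it in the same pass. On the forwarded-events line, swapping the typographic dash for " - " in "(also sometimes referred to as "Binary" format) - which is just the event XML" leaves a dangling relative clause; a comma, or a new sentence ("This mode sends just the event XML..."), reads better.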
@ -108,12 +100,12 @@ Wecutil ss "testSubscription" /cf:Events
### How frequently are WEF events delivered? ### How frequently are WEF events delivered?
Event delivery options are part of the WEF subscription configuration parameters There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called "Custom" is available but can't be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. Event delivery options are part of the WEF subscription configuration parameters - There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called "Custom" is available but can't be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector.
This table outlines the built-in delivery options: This table outlines the built-in delivery options:
| Event delivery optimization options | Description | | Event delivery optimization options | Description |
| - | - | |--|--|
| Normal | This option ensures reliable delivery of events and doesn't attempt to conserve bandwidth. It's the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | | Normal | This option ensures reliable delivery of events and doesn't attempt to conserve bandwidth. It's the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. |
| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It's an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | | Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It's an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. |
| Minimize latency | This option ensures that events are delivered with minimal delay. It's an appropriate choice if you're collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | | Minimize latency | This option ensures that events are delivered with minimal delay. It's an appropriate choice if you're collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. |
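Review bot: the delivery-options line now reads "configuration parameters - There are three built-in subscription delivery options", a capitalized clause after a dash; split it into two sentences. The same line has a comma splice ("maximum event age, if either limit is exceeded then the accumulated events are sent"), which a semicolon or period fixes. The table separator change to `|--|--|` is fine.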
@ -122,7 +114,7 @@ For more info about delivery options, see [Configure Advanced Subscription Setti
The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements, you can set Custom event delivery options for a given subscription from an elevated command prompt: The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements, you can set Custom event delivery options for a given subscription from an elevated command prompt:
``` syntax ```cmd
@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime
Wecutil ss "SubscriptionNameGoesHere" /cm:Custom Wecutil ss "SubscriptionNameGoesHere" /cm:Custom
@rem set DeliveryMaxItems to 1 event @rem set DeliveryMaxItems to 1 event
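Review bot: changing the fence tag from ` syntax` to `cmd` is correct for the `@rem`/`Wecutil` lines. While this hunk is open, the lead-in sentence "the latency which events are sent from the client" is missing a preposition ("the latency with which events are sent").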
@ -134,13 +126,13 @@ Wecutil ss "SubscriptionNameGoesHere" /dmlt:10
For source initiated subscriptions: Each WEF subscription on a WEC server has its own ACL for machine accounts or security groups containing machine accounts (not user accounts) that are explicitly allowed to participate in that subscription or are explicitly denied access. This ACL applies to only a single WEF subscription (since there can be multiple WEF subscriptions on a given WEC server), other WEF Subscriptions have their own separate ACL. For source initiated subscriptions: Each WEF subscription on a WEC server has its own ACL for machine accounts or security groups containing machine accounts (not user accounts) that are explicitly allowed to participate in that subscription or are explicitly denied access. This ACL applies to only a single WEF subscription (since there can be multiple WEF subscriptions on a given WEC server), other WEF Subscriptions have their own separate ACL.
For collector initiated subscriptions: The subscription contains the list of machines from which the WEC server is to collect events. This list is managed at the WEC server, and the credentials used for the subscription must have access to read event logs from the WEF Clients the credentials can be either the machine account or a domain account. For collector initiated subscriptions: The subscription contains the list of machines from which the WEC server is to collect events. This list is managed at the WEC server, and the credentials used for the subscription must have access to read event logs from the WEF Clients - the credentials can be either the machine account or a domain account.
### Can a client communicate to multiple WEF Event Collectors? ### Can a client communicate to multiple WEF Event Collectors?
Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access.
### <a href="" id="what-are-the-wec-server-s-limitations-"></a>What are the WEC server's limitations? ### What are the WEC server's limitations?
There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions. There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions.
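Review bot: dropping the explicit `<a href="" id="what-are-the-wec-server-s-limitations-"></a>` anchor from the limitations heading changes the fragment that existing links resolve to, because the slug generated from "What are the WEC server's limitations?" will not equal the old id; either keep the anchor or confirm nothing links to the old fragment. The Appendix E and F headings in later hunks keep their explicit anchors, so the removal here is inconsistent unless intended.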
@ -158,7 +150,7 @@ Below lists all of the items that each subscription collects, the actual subscri
### Baseline subscription ### Baseline subscription
While this subscription appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions should be allowed for unusual devices a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription doesn't require special configuration on client devices to enable event channels or modify channel permissions. While this subscription appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions should be allowed for unusual devices - a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription doesn't require special configuration on client devices to enable event channels or modify channel permissions.
The subscription is essentially a collection of query statements applied to the Event Log. This subscription means that it's modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements that filter out specific events, only apply within that query statement and aren't to the entire subscription. The subscription is essentially a collection of query statements applied to the Event Log. This subscription means that it's modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements that filter out specific events, only apply within that query statement and aren't to the entire subscription.
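Review bot: the unchanged second line of this hunk has two grammar problems worth fixing alongside the dash change above it: "without impacting other query statement" should be "statements", and "aren't to the entire subscription" should be "don't apply to the entire subscription".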
@ -166,21 +158,21 @@ The subscription is essentially a collection of query statements applied to the
To gain the most value out of the baseline subscription, we recommend having the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. To gain the most value out of the baseline subscription, we recommend having the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system.
- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This policy ensures that the security event log is generating the required events. - Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A - Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This policy ensures that the security event log is generating the required events.
- Apply at least an Audit-Only AppLocker policy to devices. - Apply at least an Audit-Only AppLocker policy to devices.
- If you're already allowing or restricting events by using AppLocker, then this requirement is met. - If you're already allowing or restricting events by using AppLocker, then this requirement is met.
- AppLocker events contain useful information, such as file hash and digital signature information for executables and scripts. - AppLocker events contain useful information, such as file hash and digital signature information for executables and scripts.
- Enable disabled event channels and set the minimum size for modern event files. - Enable disabled event channels and set the minimum size for modern event files.
- Currently, there's no GPO template for enabling or setting the maximum size for the modern event files. This threshold must be defined by using a GPO. For more info, see [Appendix C Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). - Currently, there's no GPO template for enabling or setting the maximum size for the modern event files. This threshold must be defined by using a GPO. For more info, see [Appendix C - Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc).
The annotated event query can be found in the following. For more info, see [Appendix F Annotated Suspect Subscription Event Query](#bkmk-appendixf). The annotated event query can be found in the following. For more info, see [Appendix F - Annotated Suspect Subscription Event Query](#bkmk-appendixf).
- Anti-malware events from Microsoft Antimalware or Windows Defender. These events can be configured for any given anti-malware product easily if it writes to the Windows event log. - Anti-malware events from Microsoft Antimalware or Windows Defender. These events can be configured for any given anti-malware product easily if it writes to the Windows event log.
- Security event log Process Create events. - Security event log Process Create events.
- AppLocker Process Create events (EXE, script, packaged App installation and execution). - AppLocker Process Create events (EXE, script, packaged App installation and execution).
- Registry modification events. For more info, see [Appendix B Recommended minimum Registry System ACL Policy](#bkmk-appendixb). - Registry modification events. For more info, see [Appendix B - Recommended minimum Registry System ACL Policy](#bkmk-appendixb).
- OS startup and shutdown - OS startup and shutdown
- Startup events include operating system version, service pack level, QFE version, and boot mode. - Startup events include operating system version, service pack level, QFE version, and boot mode.
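Review bot: the Appendix A link text still reads "Minimum Recommended minimum Audit Policy" after the dash is inserted; drop the duplicated "minimum" and match the target heading's casing. Also, this list sits under "Baseline subscription", yet the line "The annotated event query can be found in the following" links to Appendix F (the Suspect subscription query) while Appendix E is the annotated baseline query; confirm which appendix is intended before the link text is finalized.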
@ -388,12 +380,12 @@ The recommended and most effective way to do this customization is configuring t
The following GPO snippet performs the following tasks: The following GPO snippet performs the following tasks:
- Enables the **Microsoft-Windows-Capi2/Operational** event channel. - Enables the **Microsoft-Windows-Capi2/Operational** event channel.
- Sets the maximum file size for **Microsoft-Windows-Capi2/Operational** to 100MB. - Sets the maximum file size for **Microsoft-Windows-Capi2/Operational** to 100MB.
- Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100 MB. - Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100 MB.
- Sets the maximum channel access for **Microsoft-Windows-Capi2/Operational** to include the built-in Event Log Readers security group. - Sets the maximum channel access for **Microsoft-Windows-Capi2/Operational** to include the built-in Event Log Readers security group.
- Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel.
- Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50 MB. - Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50 MB.
![configure event channels.](images/capi-gpo.png) ![configure event channels.](images/capi-gpo.png)
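Review bot: unit spacing is inconsistent across adjacent bullets in this hunk: "100MB" for Microsoft-Windows-Capi2/Operational versus "100 MB" and "50 MB" on the following lines; normalize to "100 MB".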
@ -418,7 +410,7 @@ Here are the minimum steps for WEF to operate:
![configure the wef client.](images/wef-client-config.png) ![configure the wef client.](images/wef-client-config.png)
## <a href="" id="bkmk-appendixe"></a>Appendix E Annotated baseline subscription event query ## <a href="" id="bkmk-appendixe"></a>Appendix E - Annotated baseline subscription event query
```xml ```xml
<QueryList> <QueryList>
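Review bot: the Appendix E heading keeps its `bkmk-appendixe` anchor, which is right since the earlier hunk links to `#bkmk-appendixe`, but its casing ("Annotated baseline subscription event query") does not match the link text introduced in that hunk ("Annotated Baseline Subscription Event Query"); pick one form for both.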
@ -588,7 +580,7 @@ Here are the minimum steps for WEF to operate:
</QueryList> </QueryList>
``` ```
## <a href="" id="bkmk-appendixf"></a>Appendix F Annotated Suspect Subscription Event Query ## <a href="" id="bkmk-appendixf"></a>Appendix F - Annotated Suspect Subscription Event Query
```xml ```xml
<QueryList> <QueryList>
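Review bot: this heading is title case ("Annotated Suspect Subscription Event Query") while the Appendix E heading in the previous hunk is sentence case; align the two, preferably to sentence case, which matches the document's other headings such as "Common WEF questions" and "Baseline subscription".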
@ -617,7 +609,7 @@ Here are the minimum steps for WEF to operate:
<Select Path="Security">*[System[(EventID=4634)]] and (*[EventData[Data[@Name="LogonType"] = "3"]])</Select> <Select Path="Security">*[System[(EventID=4634)]] and (*[EventData[Data[@Name="LogonType"] = "3"]])</Select>
</Query> </Query>
<Query Id="6" Path="Security"> <Query Id="6" Path="Security">
<!-- RRAS events only generated on Microsoft IAS server --> <!-- RRAS events - only generated on Microsoft IAS server -->
<Select Path="Security">*[System[( (EventID &gt;= 6272 and EventID &lt;= 6280) )]]</Select> <Select Path="Security">*[System[( (EventID &gt;= 6272 and EventID &lt;= 6280) )]]</Select>
</Query> </Query>
<Query Id="7" Path="Microsoft-Windows-DNS-Client/Operational"> <Query Id="7" Path="Microsoft-Windows-DNS-Client/Operational">
@ -658,12 +650,11 @@ Here are the minimum steps for WEF to operate:
</Query> </Query>
</QueryList> </QueryList>
``` ```
## <a href="" id="bkmk-appendixg"></a>Appendix G - Online resources ## Appendix G - Online resources
You can get more info with the following links: You can get more info with the following links:
- [Event Selection](/previous-versions//aa385231(v=vs.85)) - [Event Selection](/previous-versions//aa385231(v=vs.85))
- [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90)) - [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90))
- [Event Query Schema](/windows/win32/wes/queryschema-schema) - [Event Query Schema](/windows/win32/wes/queryschema-schema)
- [Windows Event Collector](/windows/win32/wec/windows-event-collector) - [Windows Event Collector](/windows/win32/wec/windows-event-collector)
- [4625(F): An account failed to log on](auditing/event-4625.md)
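Review bot: removing the `<a href="" id="bkmk-appendixg"></a>` anchor from the Appendix G heading will break any `#bkmk-appendixg` link elsewhere in the document; the Appendix E and F headings in this same diff keep their anchors, so either keep this one or confirm there is no inbound link. The dropped bullet "[4625(F): An account failed to log on](auditing/event-4625.md)" is a relative path that would not resolve from the article's new folder; if that is why it was removed, re-add it with the updated path rather than losing the reference.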

View File

@ -1,74 +0,0 @@
---
title: Override Process Mitigation Options
description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
ms.prod: windows-client
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.localizationpriority: medium
ms.technology: itpro-security
ms.date: 12/31/2017
ms.topic: article
---
# Override Process Mitigation Options to help enforce app-related security policies
**Applies to:**
- Windows 10, version 1607
- Windows Server 2016
Windows 10 includes Group Policy-configurable "Process Mitigation Options" that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code.
> [!IMPORTANT]
> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization's required apps.
The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are:
- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention).
- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization).
To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`.
The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
**To modify Process Mitigation Options**
1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting.
![Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png)
2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you'll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
**Important**<br>For each app you want to include, you must include:
- **Value name.** The app file name, including the extension. For example, iexplore.exe.
- **Value.** A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value).
**Note**<br>Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
![Group Policy editor: Process Mitigation Options with Show Contents box and example text.](images/gp-process-mitigation-options-show.png)
## Setting the bit field
Here's a visual representation of the bit flag locations for the various Process Mitigation Options settings:
![Visual representation of the bit flag locations for the Process Mitigation Options settings.](images/gp-process-mitigation-options-bit-flag-image.png)
Where the bit flags are read from right to left and are defined as:
|Flag |Bit location |Setting |Details |
|-----|--------------|--------|--------|
|A |0 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` |Turns on Data Execution Prevention (DEP) for child processes. |
|B |1 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` |Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
|C |2 |`PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` |Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
|D |8 |`PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section won't be loaded if relocations are required. |
|E |15 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` |Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
|F |16 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` |Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
## Example
If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, you'd want to type a value of `???????????????0???????1???????1`.
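Review bot: this hunk deletes the entire override-mitigation-options article rather than showing a rename, so make sure the relocated copy updates the relative targets that appear here (`overview-of-threat-mitigations-in-windows-10.md#...` for the DEP, SEHOP and ASLR links, and `images/gp-process-mitigation-options*.png` for the three screenshots) so they resolve from the new folder. The front matter being deleted is stale (`ms.date: 12/31/2017`, "Applies to" limited to Windows 10 version 1607 and Windows Server 2016); refresh it on the moved copy. A straight delete also drops the file's blame history unless git detects the rename by similarity, so verify the new file is recognized as a move.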