Merge branch 'rs1' of https://github.com/Microsoft/win-cpub-itpro-docs into rs1

windows/keep-secure/TOC.md

@@ -29,6 +29,7 @@
 ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
 ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
 #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
+#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
 ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
 #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
 #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)

windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md

@@ -16,7 +16,7 @@ author: mjcaparas
 
 - Windows 10 Insider Preview Build 14332 or later
 - Azure Active Directory
-- Office 365
+<!--Office 365-->
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
@@ -34,6 +34,13 @@ Users with read only access can log in, view all alerts, and related information
 They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
 Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
 
+<!--
 Your administrator can assign roles using the Office 365 portal, or in the Azure classic portal, or by using the AAD module for Windows PowerShell. 
-For more information, see [Assigning admin roles in Office 365](https://support.office.com/en-us/article/Assigning-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US) and [Assigning administrator roles in Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/).
+For more information, see [Assigning admin roles in Office 365](https://support.office.com/en-us/article/Assigning-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US) and [Assigning administrator roles in Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/).-->
 
+Use the following cmdlets to perform the security role assignment:
+
+- Full access:<br>```Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”```
+- Read only access:<br>```Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"```
+
+For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -23,6 +23,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 
 |New or changed topic | Description |
 |----------------------|-------------|
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |
 |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New |
 |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New |
 |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |

windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md

@@ -53,7 +53,7 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea
  Configuration for onboarded machines  | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled 
  
 
-> **Note**&nbsp;&nbsp;Policies **Health Status for onboarded machines** use read-only properties and can't be remediated.
+> **Note**&nbsp;&nbsp;The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
 
 ### Offboard and monitor endpoints
 
@@ -82,11 +82,11 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding |
  Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
   | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
 
-> **Note**&nbsp;&nbsp;Policies **Health Status for offboarded machines** use read-only properties and can't be remediated.
+> **Note**&nbsp;&nbsp;The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
 
 
 ## Related topics
 - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
 - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
 - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) 
-- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/keep-secure/create-and-verify-an-efs-dra-certificate.md

@@ -0,0 +1,109 @@
+---
+title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10)
+description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
+keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
+**Applies to:**
+
+-   Windows 10 Insider Preview
+-   Windows 10 Mobile Preview
+
+<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+
+If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
+
+The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.   
+
+>**Important**<br>
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).<p>If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+
+**To manually create an EFS DRA certificate**
+
+1.	On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
+
+2.	Run this command:
+    
+    `cipher /r:<EFSRA>`
+    
+    Where *&lt;EFSRA&gt;* is the name of the .cer and .pfx files that you want to create.
+
+3.	When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
+
+    The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
+
+    >**Important**<br> 
+    Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
+
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. 
+
+    >**Note**<br>
+    To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic.
+
+**To verify your data recovery certificate is correctly set up on an WIP client computer**
+
+1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. 
+
+2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP.
+
+3.	Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
+
+    `cipher /c <filename>`
+
+    Where *&lt;filename&gt;* is the name of the file you created in Step 1.
+
+4.	Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
+
+**To recover your data using the EFS DRA certificate in a test environment**
+
+1.	Copy your WIP-encrypted file to a location where you have admin access.
+
+2.	Install the EFSDRA.pfx file, using its password.
+
+3.	Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
+
+    `cipher /d <encryptedfile.extension>`
+    
+    Where *&lt;encryptedfile.extension&gt;* is the name of your encrypted file. For example, corporatedata.docx.
+
+**To quickly recover WIP-protected desktop data after unenrollment**<br>
+It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
+
+>**Important**<br>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 
+
+1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
+    
+    `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW`
+
+    Where *&lt;”new_location”&gt;* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
+
+2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
+
+    `cipher.exe /D <“new_location”>`
+
+3. Have your employee sign in to the unenrolled device, and type:
+
+    `Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”`
+
+4. Ask the employee to lock and unlock the device.
+
+    The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+
+## Related topics
+- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx)
+
+- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx)
+
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
+
+- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
+
+- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA)
+
+
+

windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md

@@ -45,7 +45,7 @@ See the [View and organize the Windows Defender Advanced Threat Protection Alert
 The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
 
 ## Machines at risk
-This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label).
+This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
 
 ![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
 
@@ -54,7 +54,7 @@ Click the name of the machine to see details about that machine. See the [Invest
 You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
 
 ## Status
-The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP.
+The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.
 
 ![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png)
 
@@ -66,7 +66,7 @@ The **Machines reporting** tile shows a bar graph that represents the number of
 ## Machines with active malware detections
 The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
 
-Active malware is defined as threats that are actively executing at the time of detection.
+Active malware is defined as threats that were actively executing at the time of detection.
 
 Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.
 

windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md

@@ -106,7 +106,6 @@ Use the search bar to look for specific alerts or files associated with the mach
 
 You can also filter by:
 
-- Signed or unsigned files
 - Detections mode: displays Windows ATP Alerts and detections
 - Behaviors mode: displays "detections" and selected events of interest
 - Verbose mode: displays "behaviors" (including "detections"), and all reported events

windows/keep-secure/microsoft-accounts.md

@@ -98,7 +98,7 @@ Although the Microsoft account was designed to serve consumers, you might find s
 
 -   **Integrated social media services**:
 
-    Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as SkyDrive, Facebook, and Flickr.
+    Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr.
 
 ### Managing the Microsoft account in the domain
 

windows/keep-secure/overview-create-edp-policy.md

@@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager Technical Preview versi
 |------|------------|
 |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
 |[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
  
 
  

windows/keep-secure/vpn-profile-options.md

@@ -51,6 +51,13 @@ A VPN profile configured with LockDown secures the device to only allow network
 -   Only one VPN LockDown profile is allowed on a device.
 > **Note:**  For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type.
  
+## Learn about VPN and the Conditional Access Framework in Azure Active Directory
+
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
+- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
+
 ## Learn more
 
 - [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/vpn-connections-in-microsoft-intune)

windows/keep-secure/windows-10-security-guide.md

@@ -634,7 +634,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interact
 
 ## Secure the Windows desktop
 
-Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows applications are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the application’s risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
+Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows apps are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the application’s risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
 The sections that follow describe Windows 10 improvements to application security in more detail.
 
 **Microsoft Edge and Internet Explorer 11**