Merge remote-tracking branch 'refs/remotes/origin/master' into jdrs2apn

windows/TOC.md

@@ -1,8 +0,0 @@
-# [Windows 10 and Windows 10 Mobile](index.md)
-## [What's new in Windows 10](whats-new/index.md)
-## [Plan for Windows 10 deployment](plan/index.md)
-## [Deploy Windows 10](deploy/index.md)
-## [Configure Windows 10](configure/index.md)
-## [Update Windows 10](update/index.md)
-## [Keep Windows 10 secure](keep-secure/index.md)
-## [Manage Windows 10](manage/index.md)

windows/access-protection/TOC.md

@@ -0,0 +1,190 @@
+# [Access protection](access-control/access-control.md)
+
+## [Access Control Overview](access-control/access-control.md)
+### [Dynamic Access Control Overview](access-control/dynamic-access-control.md)
+### [Security identifiers](access-control/security-identifiers.md)
+### [Security Principals](access-control/security-principals.md)
+### [Local Accounts](access-control/local-accounts.md)
+### [Active Directory Accounts](access-control/active-directory-accounts.md)
+### [Microsoft Accounts](access-control/microsoft-accounts.md)
+### [Service Accounts](access-control/service-accounts.md)
+### [Active Directory Security Groups](access-control/active-directory-security-groups.md)
+### [Special Identities](access-control/special-identities.md)
+
+## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
+
+## [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
+
+## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
+
+## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
+### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
+### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
+### [Manage Credential Guard](credential-guard/credential-guard-manage.md)
+### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
+### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
+### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
+### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
+
+
+## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
+
+## [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md)
+### [How Smart Card Sign-in Works in Windows](smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md)
+#### [Smart Card Architecture](smart-cards/smart-card-architecture.md)
+#### [Certificate Requirements and Enumeration](smart-cards/smart-card-certificate-requirements-and-enumeration.md)
+#### [Smart Card and Remote Desktop Services](smart-cards/smart-card-and-remote-desktop-services.md)
+#### [Smart Cards for Windows Service](smart-cards/smart-card-smart-cards-for-windows-service.md)
+#### [Certificate Propagation Service](smart-cards/smart-card-certificate-propagation-service.md)
+#### [Smart Card Removal Policy Service](smart-cards/smart-card-removal-policy-service.md)
+### [Smart Card Tools and Settings](smart-cards/smart-card-tools-and-settings.md)
+#### [Smart Cards Debugging Information](smart-cards/smart-card-debugging-information.md)
+#### [Smart Card Group Policy and Registry Settings](smart-cards/smart-card-group-policy-and-registry-settings.md)
+#### [Smart Card Events](smart-cards/smart-card-events.md)
+
+### [User Account Control](user-account-control\user-account-control-overview.md)
+#### [How User Account Control works](user-account-control\how-user-account-control-works.md)
+#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
+#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
+
+### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
+### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
+#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md)
+##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md)
+##### [Use Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md)
+##### [Deploy Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md)
+##### [Evaluate Virtual Smart Card Security](virtual-smart-cards\virtual-smart-card-evaluate-security.md)
+#### [Tpmvscmgr](virtual-smart-cards\virtual-smart-card-tpmvscmgr.md)
+
+
+## [VPN technical guide](vpn\vpn-guide.md)
+### [VPN connection types](vpn\vpn-connection-type.md)
+### [VPN routing decisions](vpn\vpn-routing.md)
+### [VPN authentication options](vpn\vpn-authentication.md)
+### [VPN and conditional access](vpn\vpn-conditional-access.md)
+### [VPN name resolution](vpn\vpn-name-resolution.md)
+### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md)
+### [VPN security features](vpn\vpn-security-features.md)
+### [VPN profile options](vpn\vpn-profile-options.md)
+### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
+### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
+
+## [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md)
+### [Isolating Windows Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
+### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md)
+### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
+### [Windows Firewall with Advanced Security Design Guide](windows-firewall/windows-firewall-with-advanced-security-design-guide.md)
+#### [Understanding the Windows Firewall with Advanced Security Design Process](windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md)
+#### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
+##### [Protect Devices from Unwanted Network Traffic](windows-firewall/protect-devices-from-unwanted-network-traffic.md)
+##### [Restrict Access to Only Trusted Devices](windows-firewall/restrict-access-to-only-trusted-devices.md)
+##### [Require Encryption When Accessing Sensitive Network Resources](windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md)
+##### [Restrict Access to Only Specified Users or Computers](windows-firewall/restrict-access-to-only-specified-users-or-devices.md)
+#### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+##### [Basic Firewall Policy Design](windows-firewall/basic-firewall-policy-design.md)
+##### [Domain Isolation Policy Design](windows-firewall/domain-isolation-policy-design.md)
+##### [Server Isolation Policy Design](windows-firewall/server-isolation-policy-design.md)
+##### [Certificate-based Isolation Policy Design](windows-firewall/certificate-based-isolation-policy-design.md)
+#### [Evaluating Windows Firewall with Advanced Security Design Examples](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
+##### [Firewall Policy Design Example](windows-firewall/firewall-policy-design-example.md)
+##### [Domain Isolation Policy Design Example](windows-firewall/domain-isolation-policy-design-example.md)
+##### [Server Isolation Policy Design Example](windows-firewall/server-isolation-policy-design-example.md)
+##### [Certificate-based Isolation Policy Design Example](windows-firewall/certificate-based-isolation-policy-design-example.md)
+#### [Designing a Windows Firewall with Advanced Security Strategy](windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md)
+##### [Gathering the Information You Need](windows-firewall/gathering-the-information-you-need.md)
+###### [Gathering Information about Your Current Network Infrastructure](windows-firewall/gathering-information-about-your-current-network-infrastructure.md)
+###### [Gathering Information about Your Active Directory Deployment](windows-firewall/gathering-information-about-your-active-directory-deployment.md)
+###### [Gathering Information about Your Computers](windows-firewall/gathering-information-about-your-devices.md)
+###### [Gathering Other Relevant Information](windows-firewall/gathering-other-relevant-information.md)
+##### [Determining the Trusted State of Your Computers](windows-firewall/determining-the-trusted-state-of-your-devices.md)
+#### [Planning Your Windows Firewall with Advanced Security Design](windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md)
+##### [Planning Settings for a Basic Firewall Policy](windows-firewall/planning-settings-for-a-basic-firewall-policy.md)
+##### [Planning Domain Isolation Zones](windows-firewall/planning-domain-isolation-zones.md)
+###### [Exemption List](windows-firewall/exemption-list.md)
+###### [Isolated Domain](windows-firewall/isolated-domain.md)
+###### [Boundary Zone](windows-firewall/boundary-zone.md)
+###### [Encryption Zone](windows-firewall/encryption-zone.md)
+##### [Planning Server Isolation Zones](windows-firewall/planning-server-isolation-zones.md)
+##### [Planning Certificate-based Authentication](windows-firewall/planning-certificate-based-authentication.md)
+###### [Documenting the Zones](windows-firewall/documenting-the-zones.md)
+###### [Planning Group Policy Deployment for Your Isolation Zones](windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md)
+####### [Planning Isolation Groups for the Zones](windows-firewall/planning-isolation-groups-for-the-zones.md)
+####### [Planning Network Access Groups](windows-firewall/planning-network-access-groups.md)
+####### [Planning the GPOs](windows-firewall/planning-the-gpos.md)
+######## [Firewall GPOs](windows-firewall/firewall-gpos.md)
+######### [GPO_DOMISO_Firewall](windows-firewall/gpo-domiso-firewall.md)
+######## [Isolated Domain GPOs](windows-firewall/isolated-domain-gpos.md)
+######### [GPO_DOMISO_IsolatedDomain_Clients](windows-firewall/gpo-domiso-isolateddomain-clients.md)
+######### [GPO_DOMISO_IsolatedDomain_Servers](windows-firewall/gpo-domiso-isolateddomain-servers.md)
+######## [Boundary Zone GPOs](windows-firewall/boundary-zone-gpos.md)
+######### [GPO_DOMISO_Boundary](windows-firewall/gpo-domiso-boundary.md)
+######## [Encryption Zone GPOs](windows-firewall/encryption-zone-gpos.md)
+######### [GPO_DOMISO_Encryption](windows-firewall/gpo-domiso-encryption.md)
+######## [Server Isolation GPOs](windows-firewall/server-isolation-gpos.md)
+####### [Planning GPO Deployment](windows-firewall/planning-gpo-deployment.md)
+#### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
+### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+#### [Planning to Deploy Windows Firewall with Advanced Security](windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md)
+#### [Implementing Your Windows Firewall with Advanced Security Design Plan](windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md)
+#### [Checklist: Creating Group Policy Objects](windows-firewall/checklist-creating-group-policy-objects.md)
+#### [Checklist: Implementing a Basic Firewall Policy Design](windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md)
+#### [Checklist: Configuring Basic Firewall Settings](windows-firewall/checklist-configuring-basic-firewall-settings.md)
+#### [Checklist: Creating Inbound Firewall Rules](windows-firewall/checklist-creating-inbound-firewall-rules.md)
+#### [Checklist: Creating Outbound Firewall Rules](windows-firewall/checklist-creating-outbound-firewall-rules.md)
+#### [Checklist: Implementing a Domain Isolation Policy Design](windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md)
+##### [Checklist: Configuring Rules for the Isolated Domain](windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md)
+##### [Checklist: Configuring Rules for the Boundary Zone](windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md)
+##### [Checklist: Configuring Rules for the Encryption Zone](windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md)
+##### [Checklist: Configuring Rules for an Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md)
+#### [Checklist: Implementing a Standalone Server Isolation Policy Design](windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md)
+##### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
+##### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
+#### [Checklist: Implementing a Certificate-based Isolation Policy Design](windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md)
+#### [Procedures Used in This Guide](windows-firewall/procedures-used-in-this-guide.md)
+##### [Add Production Devices to the Membership Group for a Zone](windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md)
+##### [Add Test Devices to the Membership Group for a Zone](windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md)
+##### [Assign Security Group Filters to the GPO](windows-firewall/assign-security-group-filters-to-the-gpo.md)
+##### [Change Rules from Request to Require Mode](windows-firewall/change-rules-from-request-to-require-mode.md)
+##### [Configure Authentication Methods](windows-firewall/configure-authentication-methods.md)
+##### [Configure Data Protection (Quick Mode) Settings](windows-firewall/configure-data-protection-quick-mode-settings.md)
+##### [Configure Group Policy to Autoenroll and Deploy Certificates](windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md)
+##### [Configure Key Exchange (Main Mode) Settings](windows-firewall/configure-key-exchange-main-mode-settings.md)
+##### [Configure the Rules to Require Encryption](windows-firewall/configure-the-rules-to-require-encryption.md)
+##### [Configure the Windows Firewall Log](windows-firewall/configure-the-windows-firewall-log.md)
+##### [Configure the Workstation Authentication Certificate Template](windows-firewall/configure-the-workstation-authentication-certificate-template.md)
+##### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
+##### [Confirm That Certificates Are Deployed Correctly](windows-firewall/confirm-that-certificates-are-deployed-correctly.md)
+##### [Copy a GPO to Create a New GPO](windows-firewall/copy-a-gpo-to-create-a-new-gpo.md)
+##### [Create a Group Account in Active Directory](windows-firewall/create-a-group-account-in-active-directory.md)
+##### [Create a Group Policy Object](windows-firewall/create-a-group-policy-object.md)
+##### [Create an Authentication Exemption List Rule](windows-firewall/create-an-authentication-exemption-list-rule.md)
+##### [Create an Authentication Request Rule](windows-firewall/create-an-authentication-request-rule.md)
+##### [Create an Inbound ICMP Rule](windows-firewall/create-an-inbound-icmp-rule.md)
+##### [Create an Inbound Port Rule](windows-firewall/create-an-inbound-port-rule.md)
+##### [Create an Inbound Program or Service Rule](windows-firewall/create-an-inbound-program-or-service-rule.md)
+##### [Create an Outbound Port Rule](windows-firewall/create-an-outbound-port-rule.md)
+##### [Create an Outbound Program or Service Rule](windows-firewall/create-an-outbound-program-or-service-rule.md)
+##### [Create Inbound Rules to Support RPC](windows-firewall/create-inbound-rules-to-support-rpc.md)
+##### [Create WMI Filters for the GPO](windows-firewall/create-wmi-filters-for-the-gpo.md)
+##### [Enable Predefined Inbound Rules](windows-firewall/enable-predefined-inbound-rules.md)
+##### [Enable Predefined Outbound Rules](windows-firewall/enable-predefined-outbound-rules.md)
+##### [Exempt ICMP from Authentication](windows-firewall/exempt-icmp-from-authentication.md)
+##### [Link the GPO to the Domain](windows-firewall/link-the-gpo-to-the-domain.md)
+##### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
+##### [Open the Group Policy Management Console to IP Security Policies](windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md)
+##### [Open the Group Policy Management Console to Windows Firewall](windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md)
+##### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+##### [Open Windows Firewall with Advanced Security](windows-firewall/open-windows-firewall-with-advanced-security.md)
+##### [Restrict Server Access to Members of a Group Only](windows-firewall/restrict-server-access-to-members-of-a-group-only.md)
+##### [Turn on Windows Firewall and Configure Default Behavior](windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md)
+##### [Verify That Network Traffic Is Authenticated](windows-firewall/verify-that-network-traffic-is-authenticated.md)
+
+## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
+### [How Windows Hello for Business works](hello-for-business/hello-how-it-works.md)
+### [Manage Windows Hello for Business in your organization](hello-for-business/hello-manage-in-organization.md)
+### [Why a PIN is better than a password](hello-for-business/hello-why-pin-is-better-than-password.md)
+### [Prepare people to use Windows Hello](hello-for-business/hello-prepare-people-to-use.md)
+### [Windows Hello and password changes](hello-for-business/hello-and-password-changes.md)
+### [Windows Hello errors during PIN creation](hello-for-business/hello-errors-during-pin-creation.md)
+### [Event ID 300 - Windows Hello successfully created](hello-for-business/hello-event-300.md)
+### [Windows Hello biometrics in the enterprise](hello-for-business/hello-biometrics-in-enterprise.md)

windows/access-protection/access-control/access-control.md

@@ -114,14 +114,14 @@ User rights grant specific privileges and sign-in rights to users and groups in
 
 User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
 
-For more information about user rights, see [User Rights Assignment](user-rights-assignment.md).
+For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/access-user-rights-assignment).
 
 ## Object auditing
 
 
 With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
 
-For more information about auditing, see [Security Auditing Overview](security-auditing-overview.md).
+For more information about auditing, see [Security Auditing Overview](/windows/device-security/auditing/security-auditing-overview).
 
 ## See also
 

windows/access-protection/access-control/active-directory-accounts.md

@@ -176,7 +176,7 @@ Because the Guest account can provide anonymous access, it is a security risk. I
 
 When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access:
 
--   Do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
+-   Do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
 
 -   Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
 
@@ -571,7 +571,7 @@ If the administrators in your environment can sign in locally to managed servers
 
 -   **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections.
 
--   **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md).
+-   **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](/windows/device-security/applocker/applocker-overview).
 
 The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
 

windows/access-protection/access-control/active-directory-security-groups.md

@@ -50,7 +50,7 @@ Security groups can provide an efficient way to assign access to resources on yo
 
     For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.
 
-    You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](user-rights-assignment.md).
+    You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
 
 -   Assign permissions to security groups for resources.
 
@@ -650,7 +650,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p></td>
 </tr>
 </tbody>
 </table>
@@ -672,9 +672,9 @@ Membership can be modified by members of the following groups: the default servi
 
 This security group includes the following changes since Windows Server 2008:
 
--   Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md).
+-   Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services).
 
--   [Remove computer from docking station](remove-computer-from-docking-station.md) was removed in Windows Server 2012 R2.
+-   [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2.
 
 <table>
 <colgroup>
@@ -722,33 +722,33 @@ This security group includes the following changes since Windows Server 2008:
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
-<p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
-<p>[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md): SeRemoteInteractiveLogonRight</p>
-<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
-<p>[Change the system time](change-the-system-time.md): SeSystemTimePrivilege</p>
-<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
-<p>[Create a pagefile](create-a-pagefile.md): SeCreatePagefilePrivilege</p>
-<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
-<p>[Create symbolic links](create-symbolic-links.md): SeCreateSymbolicLinkPrivilege</p>
-<p>[Debug programs](debug-programs.md): SeDebugPrivilege</p>
-<p>[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md): SeEnableDelegationPrivilege</p>
-<p>[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege</p>
-<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
-<p>[Increase scheduling priority](increase-scheduling-priority.md): SeIncreaseBasePriorityPrivilege</p>
-<p>[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege</p>
-<p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p>
-<p>[Manage auditing and security log](manage-auditing-and-security-log.md): SeSecurityPrivilege</p>
-<p>[Modify firmware environment values](modify-firmware-environment-values.md): SeSystemEnvironmentPrivilege</p>
-<p>[Perform volume maintenance tasks](perform-volume-maintenance-tasks.md): SeManageVolumePrivilege</p>
-<p>[Profile system performance](profile-system-performance.md): SeSystemProfilePrivilege</p>
-<p>[Profile single process](profile-single-process.md): SeProfileSingleProcessPrivilege</p>
-<p>[Remove computer from docking station](remove-computer-from-docking-station.md): SeUndockPrivilege</p>
-<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
-<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p>
-<p>[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md): SeTakeOwnershipPrivilege</p></td>
+<td><p>[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege</p>
+<p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight</p>
+<p>[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege</p>
+<p>[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege</p>
+<p>[Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege</p>
+<p>[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege</p>
+<p>[Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege</p>
+<p>[Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege</p>
+<p>[Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege</p>
+<p>[Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege</p>
+<p>[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege</p>
+<p>[Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege</p>
+<p>[Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege</p>
+<p>[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight</p>
+<p>[Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege</p>
+<p>[Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege</p>
+<p>[Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege</p>
+<p>[Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege</p>
+<p>[Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege</p>
+<p>[Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege</p>
+<p>[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege</p>
+<p>[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege</p>
+<p>[Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -870,11 +870,11 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
-<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
-<p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p>
-<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
-<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege</p>
+<p>[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight</p>
+<p>[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege</p>
+<p>[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -2330,7 +2330,7 @@ Members of the Performance Log Users group can manage performance counters, logs
 
 -   Can use all the features that are available to the Performance Monitor Users group.
 
--   Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right.
+-   Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right.
 
     **Warning**  
     If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
@@ -2339,7 +2339,7 @@ Members of the Performance Log Users group can manage performance counters, logs
 
 -   Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
 
-For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
+For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
 
 **Note**  
 This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
@@ -2401,7 +2401,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p></td>
+<td><p>[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight</p></td>
 </tr>
 </tbody>
 </table>
@@ -2548,8 +2548,8 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
+<td><p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -2612,9 +2612,9 @@ This security group has not changed since Windows Server 2008. However, in Windo
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
-<p>[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege</p>
-<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege</p>
+<p>[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -3327,13 +3327,13 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
-<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
-<p>[Change the system time](change-the-system-time.md): SeSystemTimePrivilege</p>
-<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
-<p>[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege</p>
-<p>[Restore files and directories](restore-files-and-directories.md): Restore files and directories SeRestorePrivilege</p>
-<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege</p>
+<p>[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege</p>
+<p>[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege</p>
+<p>[Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege</p>
+<p>[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege</p>
+<p>[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege</p></td>
 </tr>
 </tbody>
 </table>

windows/access-protection/access-control/local-accounts.md

@@ -123,7 +123,7 @@ By default, the Guest account is the only member of the default Guests group, wh
 
 When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
 
-When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right.
+When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right.
 
 In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
 
@@ -200,7 +200,7 @@ In addition, UAC can require administrators to specifically approve applications
 
 For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
 
-For more information about UAC, see [User Account Control](user-account-control-overview.md).
+For more information about UAC, see [User Account Control](/windows/access-protection/user-account-control/user-account-control-overview).
 
 The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
 
@@ -224,7 +224,7 @@ The following table shows the Group Policy and registry settings that are used t
 <tr class="odd">
 <td><p>1</p></td>
 <td><p>Policy name</p></td>
-<td><p>[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)</p></td>
+<td><p>[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)</p></td>
 </tr>
 <tr class="even">
 <td><p></p></td>
@@ -239,7 +239,7 @@ The following table shows the Group Policy and registry settings that are used t
 <tr class="even">
 <td><p></p></td>
 <td><p>Policy name</p></td>
-<td><p>[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)</p></td>
+<td><p>[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)</p></td>
 </tr>
 <tr class="odd">
 <td><p></p></td>
@@ -368,7 +368,7 @@ The following table shows the Group Policy settings that are used to deny networ
 <tr class="odd">
 <td><p>1</p></td>
 <td><p>Policy name</p></td>
-<td><p>[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)</p></td>
+<td><p>[Deny access to this computer from the network](/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network)</p></td>
 </tr>
 <tr class="even">
 <td><p></p></td>
@@ -384,7 +384,7 @@ The following table shows the Group Policy settings that are used to deny networ
 <tr class="even">
 <td><p></p></td>
 <td><p>Policy name</p></td>
-<td><p>[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)</p></td>
+<td><p>[Deny log on through Remote Desktop Services](/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services)</p></td>
 </tr>
 <tr class="odd">
 <td><p></p></td>

windows/access-protection/access-control/microsoft-accounts.md

@@ -118,7 +118,7 @@ Depending on your IT and business models, introducing Microsoft accounts into yo
 
 ### <a href="" id="bkmk-restrictuse"></a>Restrict the use of the Microsoft account
 
-If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
+If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
 
 The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
 
@@ -151,7 +151,7 @@ Only the owner of the Microsoft account can change the password. Passwords can b
 
 ### <a href="" id="bkmk-restrictappinstallationandusage"></a>Restrict app installation and usage
 
-Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](applocker-overview.md) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
+Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker).
 
 ## See also
 

windows/access-protection/access-control/security-principals.md

@@ -83,7 +83,7 @@ Permissions are different from user rights in that permissions are attached to o
 
 On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
 
-For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user-rights-assignment.md).
+For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
 
 ### <a href="" id="bkmk-authn"></a> Security context in authentication
 

windows/access-protection/access-control/special-identities.md

@@ -145,9 +145,9 @@ Any user who accesses the system through a sign-in process has the Authenticated
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Add workstations to domain](add-workstations-to-domain.md): SeMachineAccountPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
+<td><p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -375,8 +375,8 @@ This group includes all domain controllers in an Active Directory forest. Domain
 </tr>
 <tr class="even">
 <td><p>Default User Rights Assignment</p></td>
-<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p></td>
+<td><p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p></td>
 </tr>
 </tbody>
 </table>
@@ -418,9 +418,9 @@ Membership is controlled by the operating system.
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Act as part of the operating system](act-as-part-of-the-operating-system.md): SeTcbPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
+<td><p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -496,14 +496,14 @@ The Local Service account is similar to an Authenticated User account. The Local
 </tr>
 <tr class="even">
 <td><p>Default user rights</p></td>
-<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
-<p>[Change the system time](change-the-system-time.md): SeSystemtimePrivilege</p>
-<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
-<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
-<p>[Generate security audits](generate-security-audits.md): SeAuditPrivilege</p>
-<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
-<p>[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege</p></td>
+<td><p>[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege</p>
+<p>[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege</p>
+<p>[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege</p>
+<p>[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege</p>
+<p>[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege</p>
+<p>[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -617,13 +617,13 @@ The Network Service account is similar to an Authenticated User account. The Net
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
-<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
-<p>[Generate security audits](generate-security-audits.md): SeAuditPrivilege</p>
-<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
-<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
-<p>[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege</p></td>
+<td><p>[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege</p>
+<p>[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege</p>
+<p>[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege</p>
+<p>[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege</p>
+<p>[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -885,8 +885,8 @@ Any service that accesses the system has the Service identity. This identity gro
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
-<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p></td>
+<td><p>[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege</p>
+<p>[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -996,8 +996,8 @@ Any user accessing the system through Terminal Services has the Terminal Server
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
-<p>[Increase a process working set](increase-a-process-working-set.md): SeIncreaseWorkingSetPrivilege</p></td>
+<td><p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege</p></td>
 </tr>
 </tbody>
 </table>

windows/access-protection/change-history-for-access-protection.md

@@ -0,0 +1,17 @@
+---
+title: Change history for access protection (Windows 10)
+description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Change history for access protection
+This topic lists new and updated topics in the [Access protection](index.md) documentation.
+
+## March 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|

windows/access-protection/credential-guard/additional-mitigations.md

@@ -0,0 +1,612 @@
+---
+title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
+description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+## Additional mitigations
+
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+
+### Restricting domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+
+#### Kerberos armoring
+
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
+
+**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
+
+-   Users need to be in domains that are running Windows Server 2012 R2 or higher
+-   All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
+-   All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+
+#### Protecting domain-joined device secrets
+
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+
+Domain-joined device certificate authentication has the following requirements:
+-   Devices' accounts are in Windows Server 2012 domain functional level or higher.
+-   All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+    -   KDC EKU present
+    -   DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+-   Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+-   A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
+
+##### Deploying domain-joined device certificates
+
+To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
+
+For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
+
+**Creating a new certificate template**
+
+1.  From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
+2.  Right-click **Workstation Authentication**, and then click **Duplicate Template**.
+3.  Right-click the new template, and then click **Properties**.
+4.  On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
+5.  Click **Client Authentication**, and then click **Remove**.
+6.  Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+    -   Name: Kerberos Client Auth
+    -   Object Identifier: 1.3.6.1.5.2.3.4
+7.  On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
+8.  Under **Issuance Policies**, click**High Assurance**.
+9.  On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+
+**Enrolling devices in a certificate**
+
+Run the following command:
+``` syntax
+CertReq -EnrollCredGuardCert MachineAuthentication
+```
+
+> [!NOTE]  
+> You must restart the device after enrolling the machine authentication certificate.
+ 
+##### How a certificate issuance policy can be used for access control
+
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
+
+**To see the issuance policies available**
+
+-   The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
+    From a Windows PowerShell command prompt, run the following command:
+
+    ``` syntax
+    .\get-IssuancePolicy.ps1 –LinkedToGroup:All
+    ```
+
+**To link an issuance policy to a universal security group**
+
+-   The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
+    From a Windows PowerShell command prompt, run the following command:
+
+    ``` syntax
+    .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
+    ```
+
+#### Restricting user sign on
+
+So we now have completed the following:
+
+-   Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
+-   Mapped that policy to a universal security group or claim
+-   Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+
+Authentication policies have the following requirements:
+-   User accounts are in a Windows Server 2012 domain functional level or higher domain.
+
+**Creating an authentication policy restricting users to the specific universal security group**
+
+1.  Open Active Directory Administrative Center.
+2.  Click **Authentication**, click **New**, and then click **Authentication Policy**.
+3.  In the **Display name** box, enter a name for this authentication policy.
+4.  Under the **Accounts** heading, click **Add**.
+5.  In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
+6.  Under the **User Sign On** heading, click the **Edit** button.
+7. Click **Add a condition**.
+8. In the **Edit Access Control Conditions** box, ensure that it reads **User** &gt; **Group** &gt; **Member of each** &gt; **Value**, and then click **Add items**.
+9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
+10. Click **OK** to close the **Edit Access Control Conditions** box.
+11. Click **OK** to create the authentication policy.
+12. Close Active Directory Administrative Center.
+
+> [!NOTE]  
+> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
+
+##### Discovering authentication failures due to authentication policies
+
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+
+### Appendix: Scripts
+
+Here is a list of scripts mentioned in this topic.
+
+#### <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
+
+Save this script file as get-IssuancePolicy.ps1.
+
+``` syntax
+#######################################
+##     Parameters to be defined      ##
+##     by the user                   ##
+#######################################
+Param (
+$Identity,
+$LinkedToGroup
+)
+#######################################
+##     Strings definitions           ##
+#######################################
+Data getIP_strings {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
+help2 = Usage:
+help3 = The following parameter is mandatory:
+help4 = -LinkedToGroup:<yes|no|all>
+help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
+help6 = "no" will return only Issuance Policies that are not currently linked to any group.
+help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
+help8 = The following parameter is optional:
+help9 = -Identity:<Name, Distinguished Name or Display Name of the Issuance Policy that you want to retrieve>. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
+help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
+help11 = Examples:
+errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
+ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
+ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
+ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
+LinkedIPs = The following Issuance Policies are linked to groups:
+displayName = displayName : {0}
+Name = Name : {0}
+dn = distinguishedName : {0}
+        InfoName = Linked Group Name: {0}
+        InfoDN = Linked Group DN: {0}   
+NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
+'@
+}
+##Import-LocalizedData getIP_strings
+import-module ActiveDirectory
+#######################################
+##           Help                    ##
+#######################################
+function Display-Help {
+    ""
+    $getIP_strings.help1
+    ""
+$getIP_strings.help2
+""
+$getIP_strings.help3
+"     " + $getIP_strings.help4
+"             " + $getIP_strings.help5
+    "             " + $getIP_strings.help6
+    "             " + $getIP_strings.help7
+""
+$getIP_strings.help8
+    "     " + $getIP_strings.help9
+    ""
+    $getIP_strings.help10
+""
+""    
+$getIP_strings.help11
+    "     " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
+    "     " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
+    "     " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
+""
+}
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+$configNCDN = [String]$root.configurationNamingContext
+if ( !($Identity) -and !($LinkedToGroup) ) {
+display-Help
+break
+}
+if ($Identity) {
+    $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
+    if ($OIDs -eq $null) {
+$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
+write-host $errormsg -ForegroundColor Red
+    }
+    foreach ($OID in $OIDs) {
+        if ($OID."msDS-OIDToGroupLink") {
+# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
+            $groupDN = $OID."msDS-OIDToGroupLink"
+            $group = get-adgroup -Identity $groupDN
+    $groupName = $group.Name
+# Analyze the group
+            if ($group.groupCategory -ne "Security") {
+$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
+                write-host $errormsg -ForegroundColor Red
+            }
+            if ($group.groupScope -ne "Universal") {
+                $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+            }
+            $members = Get-ADGroupMember -Identity $group
+            if ($members) {
+                $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+                foreach ($member in $members) {
+                    write-host "          "  $member -ForeGroundColor Red
+                }
+            }
+        }
+    }
+    return $OIDs
+    break
+}
+if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
+    $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
+    $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+    write-host ""    
+    write-host "*****************************************************"
+    write-host $getIP_strings.LinkedIPs
+    write-host "*****************************************************"
+    write-host ""
+    if ($LinkedOIDs -ne $null){
+      foreach ($OID in $LinkedOIDs) {
+# Display basic information about the Issuance Policies
+          ""
+  $getIP_strings.displayName -f $OID.displayName
+  $getIP_strings.Name -f $OID.Name
+  $getIP_strings.dn -f $OID.distinguishedName
+# Get the linked group.
+          $groupDN = $OID."msDS-OIDToGroupLink"
+          $group = get-adgroup -Identity $groupDN
+          $getIP_strings.InfoName -f $group.Name
+          $getIP_strings.InfoDN -f $groupDN
+# Analyze the group
+          $OIDName = $OID.displayName
+    $groupName = $group.Name
+          if ($group.groupCategory -ne "Security") {
+          $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
+          write-host $errormsg -ForegroundColor Red
+          }
+          if ($group.groupScope -ne "Universal") {
+          $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
+          write-host $errormsg -ForegroundColor Red
+          }
+          $members = Get-ADGroupMember -Identity $group
+          if ($members) {
+          $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
+          write-host $errormsg -ForegroundColor Red
+              foreach ($member in $members) {
+                  write-host "          "  $member -ForeGroundColor Red
+              }
+          }
+          write-host ""
+      }
+    }else{
+write-host "There are no issuance policies that are mapped to a group"
+    }
+    if ($LinkedToGroup -eq "yes") {
+        return $LinkedOIDs
+        break
+    }
+}    
+if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {  
+    $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
+    $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+    write-host ""    
+    write-host "*********************************************************"
+    write-host $getIP_strings.NonLinkedIPs
+    write-host "*********************************************************"
+    write-host ""
+    if ($NonLinkedOIDs -ne $null) {
+      foreach ($OID in $NonLinkedOIDs) {
+# Display basic information about the Issuance Policies
+write-host ""
+$getIP_strings.displayName -f $OID.displayName
+$getIP_strings.Name -f $OID.Name
+$getIP_strings.dn -f $OID.distinguishedName
+write-host ""
+      }
+    }else{
+write-host "There are no issuance policies which are not mapped to groups"
+    }
+    if ($LinkedToGroup -eq "no") {
+        return $NonLinkedOIDs
+        break
+    }
+}
+```
+> [!NOTE]  
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+ 
+#### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
+
+Save the script file as set-IssuancePolicyToGroupLink.ps1.
+
+``` syntax
+#######################################
+##     Parameters to be defined      ##
+##     by the user                   ##
+#######################################
+Param (
+$IssuancePolicyName,
+$groupOU,
+$groupName
+)
+#######################################
+##     Strings definitions           ##
+#######################################
+Data ErrorMsg {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
+help2 = Usage:
+help3 = The following parameters are required:
+help4 = -IssuancePolicyName:<name or display name of the issuance policy that you want to link to a group>
+help5 = -groupName:<name of the group you want to link the issuance policy to>. If no name is specified, any existing link to a group is removed from the Issuance Policy.
+help6 = The following parameter is optional:
+help7 = -groupOU:<Name of the Organizational Unit dedicated to the groups which are linked to issuance policies>. If this parameter is not specified, the group is looked for or created in the Users container.
+help8 = Examples:
+help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
+help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
+MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
+NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
+MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
+confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
+OUCreationSuccess = Organizational Unit "{0}" successfully created.
+OUcreationError = Error: Organizational Unit "{0}" could not be created.
+OUFoundSuccess = Organizational Unit "{0}" was successfully found.
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".  
+confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
+groupCreationSuccess = Univeral Security group "{0}" successfully created.
+groupCreationError = Error: Univeral Security group "{0}" could not be created.
+GroupFound = Group "{0}" was successfully found.
+confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
+UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
+UnlinkError = Removing the link failed.
+UnlinkExit = Exiting without removing the link from the issuance policy to the group.
+IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
+ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
+ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
+ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
+ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
+LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
+LinkError = The certificate issuance policy could not be linked to the specified group.
+ExitNoLinkReplacement = Exiting without setting the new link.
+'@
+}
+# import-localizeddata ErrorMsg
+function Display-Help {
+""
+write-host $ErrorMsg.help1
+""
+write-host $ErrorMsg.help2
+""
+write-host $ErrorMsg.help3
+write-host "`t" $ErrorMsg.help4
+write-host "`t" $ErrorMsg.help5
+""
+write-host $ErrorMsg.help6
+write-host "`t" $ErrorMsg.help7
+""
+""
+write-host $ErrorMsg.help8
+""
+write-host $ErrorMsg.help9
+".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
+""
+write-host $ErrorMsg.help10
+'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
+""
+}
+# Assumption:  The group to which the Issuance Policy is going
+#              to be linked is (or is going to be created) in
+#              the domain the user running this script is a member of.
+import-module ActiveDirectory
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+if ( !($IssuancePolicyName) ) {
+display-Help
+break
+}
+#######################################
+##     Find the OID object           ##
+##     (aka Issuance Policy)         ##
+#######################################
+$searchBase = [String]$root.configurationnamingcontext
+$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
+if ($OID -eq $null) {
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase  
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($OID.GetType().IsArray) {
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase  
+write-host $tmp -ForeGroundColor Red
+break;
+}
+else {
+$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
+write-host $tmp -ForeGroundColor Green
+}
+#######################################
+##  Find the container of the group  ##
+#######################################
+if ($groupOU -eq $null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+##  Find the group               ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
+if ($?){
+$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
+write-host $tmp -ForegroundColor Green
+}else{
+$tmp = $ErrorMsg.groupCreationError -f $groupName
+write-host $tmp -ForeGroundColor Red
+break
+}
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.GroupFound -f $group.Name
+write-host $tmp -ForegroundColor Green
+}
+}
+else {
+#####
+## If the group is not specified, we should remove the link if any exists
+#####
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
+if ($?) {
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+##  Verify that the group is         ##
+##  Universal, Security, and         ##
+##  has no members                   ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host "   $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+##  We have verified everything. We  ##
+##  can create the link from the     ##
+##  Issuance Policy to the group.    ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp  "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+} else {
+$tmp = $Errormsg.ExitNoLinkReplacement
+write-host $tmp
+break
+}
+}
+else {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Add $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+}
+```
+
+> [!NOTE]  
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

windows/access-protection/credential-guard/credential-guard-considerations.md

@@ -1,4 +1,4 @@
----
+---
 title: Considerations when using Credential Guard (Windows 10)
 description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10.
 ms.prod: w10
@@ -17,19 +17,8 @@ author: brianlic-msft
 
 Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
 in the Deep Dive into Credential Guard video series.
-
--   If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain.
--   You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
-    -   **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
-    -   **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
-        -   The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
-        -   The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
-    -   **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
-    -   **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
-    -   **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
-    You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
-    -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
--   Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
+     
+-  Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
 -   Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
 -   As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
 
@@ -38,7 +27,6 @@ in the Deep Dive into Credential Guard video series.
     -   Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
     -   You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
     - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. 
-      
 
 ## NTLM and CHAP Considerations
 

windows/access-protection/credential-guard/credential-guard-known-issues.md

@@ -0,0 +1,70 @@
+---
+title: Credential Guard Known issues (Windows 10)
+description: Credential Guard - Known issues in Windows 10 Enterprise
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+#  Credential Guard: Known issues 
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+ 
+Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). 
+
+The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
+
+-	KB4015217: [Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217)
+
+    This issue can potentially lead to unexpected account lockouts.
+See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and 
+[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
+
+The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
+-	[Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
+
+    *Registration required to access this article. 
+
+-	[Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
+
+    **Registration required to access this article. 
+
+Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
+
+-	KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
+
+
+-	 Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
+
+     Microsoft is currently working with Citrix to investigate this issue.
+
+
+## Vendor support
+
+-	[Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
+
+Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
+
+-	For Credential Guard on Windows 10 with McAfee Encryption products, see:
+[Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
+
+-	For Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
+[Check Point Endpoint Security Client support for Microsoft Windows 10 Credential Guard and Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+
+-	For Credential Guard on Windows 10 with VMWare Workstation
+[Windows 10 host fails when running VMWare Workstation when Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
+
+-	For Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
+[ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
+
+-	For Credential Guard on Windows 10 with Symantec Endpoint Protection
+[Windows 10 with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+
+ This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Credential guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Credential Guard. 
+
+ Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.

windows/access-protection/credential-guard/credential-guard-manage.md

@@ -1,4 +1,4 @@
----
+---
 title: Manage Credential Guard (Windows 10)
 description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
 ms.prod: w10
@@ -15,11 +15,12 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
 
-Prefer video? See [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
-in the Deep Dive into Credential Guard video series.
+Prefer video? See [Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Credential Guard video series.
 
 ## Enable Credential Guard
-Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
+Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. 
+The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines.
+
 
 ### Enable Credential Guard by using Group Policy
 
@@ -41,7 +42,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
 
 If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
 
-### Add the virtualization-based security features
+#### Add the virtualization-based security features
 
 Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
 
@@ -74,7 +75,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
 > [!NOTE]  
 > You can also add these features to an online image by using either DISM or Configuration Manager.
 
-### Enable virtualization-based security and Credential Guard
+#### Enable virtualization-based security and Credential Guard
 
 1.  Open Registry Editor.
 2.  Enable virtualization-based security:
@@ -101,22 +102,18 @@ DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
 
 ### Credential Guard deployment in virtual machines
 
-Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
 
-Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
+#### Requirements for running Credential Guard in Hyper-V virtual machines
 
-``` PowerShell
-Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
-```
-
-Requirements for running Credential Guard in Hyper-V virtual machines
 - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
 - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. 
 
+### Review Credential Guard performance
 
-### Check that Credential Guard is running
+**Is Credential Guard running?**
 
-You can use System Information to ensure that Credential Guard is running on a PC.
+You can view System Information to check that Credential Guard is running on a PC.
 
 1.  Click **Start**, type **msinfo32.exe**, and then click **System Information**.
 2.  Click **System Summary**.
@@ -132,10 +129,26 @@ You can also check that Credential Guard is running by using the [Device Guard a
 DG_Readiness_Tool_v3.0.ps1 -Ready
 ```
 
+> [!NOTE]
 
-### Remove Credential Guard
+For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features.
 
-If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
+-   If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain.
+
+-   You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
+    -   **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+    -   **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
+        -   The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
+        -   The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+    -   **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
+    -   **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
+    -   **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+    You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+    -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+      
+## Disable Credential Guard
+
+If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
 
 1.  If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
 2.  Delete the following registry settings:
@@ -146,11 +159,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of
     > [!IMPORTANT]  
     > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
 
-3.  Delete the Credential Guard EFI variables by using bcdedit.
-
-**Delete the Credential Guard EFI variables**
-
-1.  From an elevated command prompt, type the following commands:
+3.  Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
     ``` syntax
 
     mountvol X: /s
@@ -177,10 +186,10 @@ If you have to remove Credential Guard on a PC, you can use the following set of
 > [!NOTE]  
 > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
 
-For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
+For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
 
 <span id="turn-off-with-hardware-readiness-tool" />
-#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
 
 You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
 
@@ -188,5 +197,15 @@ You can also disable Credential Guard by using the [Device Guard and Credential
 DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
 ```
 
+#### Disable Credential Guard for a virtual machine
+
+From the host, you can disable Credential Guard for a virtual machine:
+
+``` PowerShell
+Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
+```
+
+
+
 
 

windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md

@@ -0,0 +1,641 @@
+---
+title: Credential Guard protection limits (Windows 10)
+description: Scenarios not protected by Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard protection limits
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+
+Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Credential Guard video series.
+
+Some ways to store credentials are not protected by Credential Guard, including:
+
+-   Software that manages credentials outside of Windows feature protection
+-   Local accounts and Microsoft Accounts
+-   Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+-   Key loggers
+-   Physical attacks
+-   Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+-   Third-party security packages
+-   Digest and CredSSP credentials
+    -   When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+-   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- 
+-  When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+-  Windows logon cached password verifiers (commonly called "cached credentials")
+do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
+
+## Additional mitigations
+
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+
+### Restricting domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+
+#### Kerberos armoring
+
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
+
+**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
+
+-   Users need to be in domains that are running Windows Server 2012 R2 or higher
+-   All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
+-   All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+
+#### Protecting domain-joined device secrets
+
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+
+Domain-joined device certificate authentication has the following requirements:
+-   Devices' accounts are in Windows Server 2012 domain functional level or higher.
+-   All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+    -   KDC EKU present
+    -   DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+-   Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+-   A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
+
+##### Deploying domain-joined device certificates
+
+To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
+
+For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
+
+**Creating a new certificate template**
+
+1.  From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
+2.  Right-click **Workstation Authentication**, and then click **Duplicate Template**.
+3.  Right-click the new template, and then click **Properties**.
+4.  On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
+5.  Click **Client Authentication**, and then click **Remove**.
+6.  Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+    -   Name: Kerberos Client Auth
+    -   Object Identifier: 1.3.6.1.5.2.3.4
+7.  On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
+8.  Under **Issuance Policies**, click**High Assurance**.
+9.  On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+
+**Enrolling devices in a certificate**
+
+Run the following command:
+``` syntax
+CertReq -EnrollCredGuardCert MachineAuthentication
+```
+
+> [!NOTE]  
+> You must restart the device after enrolling the machine authentication certificate.
+ 
+##### How a certificate issuance policy can be used for access control
+
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
+
+**To see the issuance policies available**
+
+-   The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
+    From a Windows PowerShell command prompt, run the following command:
+
+    ``` syntax
+    .\get-IssuancePolicy.ps1 –LinkedToGroup:All
+    ```
+
+**To link an issuance policy to a universal security group**
+
+-   The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
+    From a Windows PowerShell command prompt, run the following command:
+
+    ``` syntax
+    .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
+    ```
+
+#### Restricting user sign on
+
+So we now have completed the following:
+
+-   Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
+-   Mapped that policy to a universal security group or claim
+-   Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+
+Authentication policies have the following requirements:
+-   User accounts are in a Windows Server 2012 domain functional level or higher domain.
+
+**Creating an authentication policy restricting users to the specific universal security group**
+
+1.  Open Active Directory Administrative Center.
+2.  Click **Authentication**, click **New**, and then click **Authentication Policy**.
+3.  In the **Display name** box, enter a name for this authentication policy.
+4.  Under the **Accounts** heading, click **Add**.
+5.  In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
+6.  Under the **User Sign On** heading, click the **Edit** button.
+7. Click **Add a condition**.
+8. In the **Edit Access Control Conditions** box, ensure that it reads **User** &gt; **Group** &gt; **Member of each** &gt; **Value**, and then click **Add items**.
+9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
+10. Click **OK** to close the **Edit Access Control Conditions** box.
+11. Click **OK** to create the authentication policy.
+12. Close Active Directory Administrative Center.
+
+> [!NOTE]  
+> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
+
+##### Discovering authentication failures due to authentication policies
+
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+
+
+
+
+### Appendix: Scripts
+
+
+Here is a list of scripts mentioned in this topic.
+
+#### <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
+
+Save this script file as get-IssuancePolicy.ps1.
+
+``` syntax
+#######################################
+##     Parameters to be defined      ##
+##     by the user                   ##
+#######################################
+Param (
+$Identity,
+$LinkedToGroup
+)
+#######################################
+##     Strings definitions           ##
+#######################################
+Data getIP_strings {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
+help2 = Usage:
+help3 = The following parameter is mandatory:
+help4 = -LinkedToGroup:<yes|no|all>
+help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
+help6 = "no" will return only Issuance Policies that are not currently linked to any group.
+help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
+help8 = The following parameter is optional:
+help9 = -Identity:<Name, Distinguished Name or Display Name of the Issuance Policy that you want to retrieve>. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
+help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
+help11 = Examples:
+errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
+ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
+ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
+ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
+LinkedIPs = The following Issuance Policies are linked to groups:
+displayName = displayName : {0}
+Name = Name : {0}
+dn = distinguishedName : {0}
+        InfoName = Linked Group Name: {0}
+        InfoDN = Linked Group DN: {0}   
+NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
+'@
+}
+##Import-LocalizedData getIP_strings
+import-module ActiveDirectory
+#######################################
+##           Help                    ##
+#######################################
+function Display-Help {
+    ""
+    $getIP_strings.help1
+    ""
+$getIP_strings.help2
+""
+$getIP_strings.help3
+"     " + $getIP_strings.help4
+"             " + $getIP_strings.help5
+    "             " + $getIP_strings.help6
+    "             " + $getIP_strings.help7
+""
+$getIP_strings.help8
+    "     " + $getIP_strings.help9
+    ""
+    $getIP_strings.help10
+""
+""    
+$getIP_strings.help11
+    "     " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
+    "     " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
+    "     " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
+""
+}
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+$configNCDN = [String]$root.configurationNamingContext
+if ( !($Identity) -and !($LinkedToGroup) ) {
+display-Help
+break
+}
+if ($Identity) {
+    $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
+    if ($OIDs -eq $null) {
+$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
+write-host $errormsg -ForegroundColor Red
+    }
+    foreach ($OID in $OIDs) {
+        if ($OID."msDS-OIDToGroupLink") {
+# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
+            $groupDN = $OID."msDS-OIDToGroupLink"
+            $group = get-adgroup -Identity $groupDN
+    $groupName = $group.Name
+# Analyze the group
+            if ($group.groupCategory -ne "Security") {
+$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
+                write-host $errormsg -ForegroundColor Red
+            }
+            if ($group.groupScope -ne "Universal") {
+                $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+            }
+            $members = Get-ADGroupMember -Identity $group
+            if ($members) {
+                $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+                foreach ($member in $members) {
+                    write-host "          "  $member -ForeGroundColor Red
+                }
+            }
+        }
+    }
+    return $OIDs
+    break
+}
+if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
+    $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
+    $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+    write-host ""    
+    write-host "*****************************************************"
+    write-host $getIP_strings.LinkedIPs
+    write-host "*****************************************************"
+    write-host ""
+    if ($LinkedOIDs -ne $null){
+      foreach ($OID in $LinkedOIDs) {
+# Display basic information about the Issuance Policies
+          ""
+  $getIP_strings.displayName -f $OID.displayName
+  $getIP_strings.Name -f $OID.Name
+  $getIP_strings.dn -f $OID.distinguishedName
+# Get the linked group.
+          $groupDN = $OID."msDS-OIDToGroupLink"
+          $group = get-adgroup -Identity $groupDN
+          $getIP_strings.InfoName -f $group.Name
+          $getIP_strings.InfoDN -f $groupDN
+# Analyze the group
+          $OIDName = $OID.displayName
+    $groupName = $group.Name
+          if ($group.groupCategory -ne "Security") {
+          $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
+          write-host $errormsg -ForegroundColor Red
+          }
+          if ($group.groupScope -ne "Universal") {
+          $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
+          write-host $errormsg -ForegroundColor Red
+          }
+          $members = Get-ADGroupMember -Identity $group
+          if ($members) {
+          $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
+          write-host $errormsg -ForegroundColor Red
+              foreach ($member in $members) {
+                  write-host "          "  $member -ForeGroundColor Red
+              }
+          }
+          write-host ""
+      }
+    }else{
+write-host "There are no issuance policies that are mapped to a group"
+    }
+    if ($LinkedToGroup -eq "yes") {
+        return $LinkedOIDs
+        break
+    }
+}    
+if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {  
+    $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
+    $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+    write-host ""    
+    write-host "*********************************************************"
+    write-host $getIP_strings.NonLinkedIPs
+    write-host "*********************************************************"
+    write-host ""
+    if ($NonLinkedOIDs -ne $null) {
+      foreach ($OID in $NonLinkedOIDs) {
+# Display basic information about the Issuance Policies
+write-host ""
+$getIP_strings.displayName -f $OID.displayName
+$getIP_strings.Name -f $OID.Name
+$getIP_strings.dn -f $OID.distinguishedName
+write-host ""
+      }
+    }else{
+write-host "There are no issuance policies which are not mapped to groups"
+    }
+    if ($LinkedToGroup -eq "no") {
+        return $NonLinkedOIDs
+        break
+    }
+}
+```
+> [!NOTE]  
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+ 
+#### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
+
+Save the script file as set-IssuancePolicyToGroupLink.ps1.
+
+``` syntax
+#######################################
+##     Parameters to be defined      ##
+##     by the user                   ##
+#######################################
+Param (
+$IssuancePolicyName,
+$groupOU,
+$groupName
+)
+#######################################
+##     Strings definitions           ##
+#######################################
+Data ErrorMsg {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
+help2 = Usage:
+help3 = The following parameters are required:
+help4 = -IssuancePolicyName:<name or display name of the issuance policy that you want to link to a group>
+help5 = -groupName:<name of the group you want to link the issuance policy to>. If no name is specified, any existing link to a group is removed from the Issuance Policy.
+help6 = The following parameter is optional:
+help7 = -groupOU:<Name of the Organizational Unit dedicated to the groups which are linked to issuance policies>. If this parameter is not specified, the group is looked for or created in the Users container.
+help8 = Examples:
+help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
+help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
+MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
+NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
+MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
+confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
+OUCreationSuccess = Organizational Unit "{0}" successfully created.
+OUcreationError = Error: Organizational Unit "{0}" could not be created.
+OUFoundSuccess = Organizational Unit "{0}" was successfully found.
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".  
+confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
+groupCreationSuccess = Univeral Security group "{0}" successfully created.
+groupCreationError = Error: Univeral Security group "{0}" could not be created.
+GroupFound = Group "{0}" was successfully found.
+confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
+UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
+UnlinkError = Removing the link failed.
+UnlinkExit = Exiting without removing the link from the issuance policy to the group.
+IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
+ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
+ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
+ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
+ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
+LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
+LinkError = The certificate issuance policy could not be linked to the specified group.
+ExitNoLinkReplacement = Exiting without setting the new link.
+'@
+}
+# import-localizeddata ErrorMsg
+function Display-Help {
+""
+write-host $ErrorMsg.help1
+""
+write-host $ErrorMsg.help2
+""
+write-host $ErrorMsg.help3
+write-host "`t" $ErrorMsg.help4
+write-host "`t" $ErrorMsg.help5
+""
+write-host $ErrorMsg.help6
+write-host "`t" $ErrorMsg.help7
+""
+""
+write-host $ErrorMsg.help8
+""
+write-host $ErrorMsg.help9
+".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
+""
+write-host $ErrorMsg.help10
+'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
+""
+}
+# Assumption:  The group to which the Issuance Policy is going
+#              to be linked is (or is going to be created) in
+#              the domain the user running this script is a member of.
+import-module ActiveDirectory
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+if ( !($IssuancePolicyName) ) {
+display-Help
+break
+}
+#######################################
+##     Find the OID object           ##
+##     (aka Issuance Policy)         ##
+#######################################
+$searchBase = [String]$root.configurationnamingcontext
+$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
+if ($OID -eq $null) {
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase  
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($OID.GetType().IsArray) {
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase  
+write-host $tmp -ForeGroundColor Red
+break;
+}
+else {
+$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
+write-host $tmp -ForeGroundColor Green
+}
+#######################################
+##  Find the container of the group  ##
+#######################################
+if ($groupOU -eq $null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+##  Find the group               ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
+if ($?){
+$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
+write-host $tmp -ForegroundColor Green
+}else{
+$tmp = $ErrorMsg.groupCreationError -f $groupName
+write-host $tmp -ForeGroundColor Red
+break
+}
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.GroupFound -f $group.Name
+write-host $tmp -ForegroundColor Green
+}
+}
+else {
+#####
+## If the group is not specified, we should remove the link if any exists
+#####
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
+if ($?) {
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+##  Verify that the group is         ##
+##  Universal, Security, and         ##
+##  has no members                   ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host "   $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+##  We have verified everything. We  ##
+##  can create the link from the     ##
+##  Issuance Policy to the group.    ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp  "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+} else {
+$tmp = $Errormsg.ExitNoLinkReplacement
+write-host $tmp
+break
+}
+}
+else {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Add $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+}
+```
+
+> [!NOTE]  
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

windows/access-protection/credential-guard/credential-guard-protection-limits.md

@@ -0,0 +1,41 @@
+---
+title: Credential Guard protection limits (Windows 10)
+description: Scenarios not protected by Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard protection limits
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+
+Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Credential Guard video series.
+
+Some ways to store credentials are not protected by Credential Guard, including:
+
+-   Software that manages credentials outside of Windows feature protection
+-   Local accounts and Microsoft Accounts
+-   Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+-   Key loggers
+-   Physical attacks
+-   Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+-   Third-party security packages
+-   Digest and CredSSP credentials
+    -   When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+-   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- 
+-  When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+-  Windows logon cached password verifiers (commonly called "cached credentials")
+do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

windows/access-protection/credential-guard/credential-guard.md

@@ -37,7 +37,7 @@ By enabling Credential Guard, the following features and solutions are provided:
 - [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
 - [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
 - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)
-- [Trusted Platform Module](trusted-platform-module-overview.md)
+- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
  
 
 ## See also

windows/access-protection/docfx.json

@@ -0,0 +1,41 @@
+{
+  "build": {
+    "content": [
+      {
+        "files": [
+          "**/*.md"
+        ],
+        "exclude": [
+          "**/obj/**",
+          "**/includes/**",
+          "README.md",
+          "LICENSE",
+          "LICENSE-CODE",
+          "ThirdPartyNotices"
+        ]
+      }
+    ],
+    "resource": [
+      {
+        "files": [
+          "**/*.png",
+          "**/*.jpg",
+		  "**/*.gif"
+        ],
+        "exclude": [
+          "**/obj/**",
+          "**/includes/**"
+        ]
+      }
+    ],
+    "overwrite": [],
+    "externalReference": [],
+    "globalMetadata": {
+		"uhfHeaderId": "MSDocsHeader-WindowsIT", 
+		"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+	},
+    "fileMetadata": {},
+    "template": [],
+    "dest": "win-access-protection"
+  }
+}

windows/access-protection/enterprise-certificate-pinning.md

@@ -5,7 +5,6 @@ ms.author: mstephens
 author: MikeStephens-MS
 description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.  
 manager: alanth
-ms.date: 2016-12-27
 ms.prod: w10
 ms.technology: security
 ms.sitesec: library

windows/access-protection/hello-for-business/hello-and-password-changes.md

@@ -25,7 +25,7 @@ Because you were using **Device A** when you changed your password, the PIN on *
 Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
 
 >[!NOTE]
->This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
+>This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md).
  
 ## How to update Hello after you change your password on another device
 

windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md

@@ -35,7 +35,7 @@ Windows Hello provides many benefits, including:
 
 -   Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords!
 
--   Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
+-   Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
 
 ## Where is Microsoft Hello data stored?
 The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.

windows/access-protection/hello-for-business/hello-manage-in-organization.md

@@ -307,7 +307,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
 <tr class="header">
 <th align="left">Windows Hello for Business mode</th>
 <th align="left">Azure AD</th>
-<th align="left">Active Directory (AD) on-premises (available with production release of Windows Server 2016)</th>
+<th align="left">Active Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)</th>
 <th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016)</th>
 </tr>
 </thead>
@@ -318,7 +318,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
 <td align="left"><ul>
 <li>Active Directory Federation Service (AD FS) (Windows Server 2016)</li>
 <li>A few Windows Server 2016 domain controllers on-site</li>
-<li>Microsoft System Center 2012 R2 Configuration Manager SP2</li>
 </ul></td>
 <td align="left"><ul>
 <li>Azure AD subscription</li>
@@ -339,7 +338,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
 <li>ADFS (Windows Server 2016)</li>
 <li>Active Directory Domain Services (AD DS) Windows Server 2016 schema</li>
 <li>PKI infrastructure</li>
-<li>Configuration Manager SP2, Intune, or non-Microsoft MDM solution</li>
 </ul></td>
 <td align="left"><ul>
 <li>Azure AD subscription</li>
@@ -355,7 +353,8 @@ Configuration Manager and MDM provide the ability to manage Windows Hello for Bu
 
 Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
 
-
+>[!IMPORTANT]
+>Active Directory on-premises deployment **is not currently available** and will become available with a future update of ADFS on Windows Server 2016. The requirements listed in the above table will apply when this deployment type becomes available.
 
 
 ## How to use Windows Hello for Business with Azure Active Directory

windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md

@@ -44,7 +44,7 @@ The TPM protects against a variety of known and potential attacks, including PIN
 
 ## PIN can be complex
 
-The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
+The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
 
 ## What if someone steals the laptop or phone?
 

windows/access-protection/index.md

@@ -0,0 +1,28 @@
+---
+title: Access protection (Windows 10)
+description: Learn more about access protection technologies in Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Access protection
+
+Learn more about access protection technologies in Windows 10 and Windows 10 Mobile.
+
+| Section | Description |
+|-|-|
+| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
+| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
+| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
+| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
+| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
+| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
+| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
+| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
+| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
+| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |