mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
<strong> tags causing loc issues. replacing w <b>
This commit is contained in: parent 2dff6fdcd6, commit 4aec4bc09d
@ -470,7 +470,7 @@ Each default local account in Active Directory has a number of account settings
|
|||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p>Account is trusted for delegation</p></td>
|
<td><p>Account is trusted for delegation</p></td>
|
||||||
<td><p>Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the <strong>Delegation</strong> tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the <strong>setspn</strong> command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.</p></td>
|
<td><p>Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the <b>Delegation</b> tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the <b>setspn</b> command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p>Account is sensitive and cannot be delegated</p></td>
|
<td><p>Account is sensitive and cannot be delegated</p></td>
|
||||||
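Review bot: the swap at `<b>Delegation</b>` and `<b>setspn</b>` keeps raw HTML in a cell that names a UI tab and a command, and `<b>` only changes rendering, not how localization tooling treats the inline text; `**Delegation**` (the `**bold**` style the .md files in this same commit use) and a code span for `setspn` would mark the command as non-translatable and drop the inline tag altogether. This is also the row the table itself calls "security-sensitive" (an account trusted for delegation can impersonate a client to other computers), so it would read better with that warning as its own sentence at the start of the cell rather than trailing at the end.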
@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings
|
|||||||
<td><p>Use DES encryption types for this account</p></td>
|
<td><p>Use DES encryption types for this account</p></td>
|
||||||
<td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
|
<td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
|
||||||
<div class="alert">
|
<div class="alert">
|
||||||
<strong>Note</strong><br/><p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see <a href="https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx" data-raw-source="[Hunting down DES in order to securely deploy Kerberos](https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx)">Hunting down DES in order to securely deploy Kerberos</a>.</p>
|
<b>Note</b><br/><p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see <a href="https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx" data-raw-source="[Hunting down DES in order to securely deploy Kerberos](https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx)">Hunting down DES in order to securely deploy Kerberos</a>.</p>
|
||||||
</div>
|
</div>
|
||||||
<div>
|
<div>
|
||||||
|
|
||||||
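Review bot: the `<b>Note</b><br/>` callout inside `<div class="alert">` could be the docs-style `> [!NOTE]` block that the Credential Guard file in this same commit already uses (`> [!IMPORTANT]`), which removes the inline tag this commit is working around instead of renaming it. Separately, the description cell is internally inconsistent: the setting is "Use DES encryption types for this account" and the note correctly talks about the DES-CBC-MD5 and DES-CBC-CRC Kerberos cipher suites, yet the sentence before it lists MPPE and IPsec DES/3DES levels that this account flag does not govern; suggest cutting that list and keeping the cell to the Kerberos encryption types, and checking that the blogs.technet.com link still resolves.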
@ -656,8 +656,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s
|
|||||||
</colgroup>
|
</colgroup>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><strong>Windows Update Setting</strong></p></td>
|
<td><p><b>Windows Update Setting</b></p></td>
|
||||||
<td><p><strong>Configuration</strong></p></td>
|
<td><p><b>Configuration</b></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p>Allow Automatic Updates immediate installation</p></td>
|
<td><p>Allow Automatic Updates immediate installation</p></td>
|
||||||
|
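Review bot: the cells at `<b>Windows Update Setting</b>` and `<b>Configuration</b>` are the table's header row, so `<th>` is the right element; it renders bold with no inline tag and gives screen readers the column association that `<td><p><b>` does not. The same bold-`<td>` header pattern appears in the other HTML tables touched by this commit and could be fixed the same way.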
@ -297,9 +297,9 @@ The following table shows the Group Policy and registry settings that are used t
|
|||||||
</colgroup>
|
</colgroup>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><strong>No.</strong></p></td>
|
<td><p><b>No.</b></p></td>
|
||||||
<td><p><strong>Setting</strong></p></td>
|
<td><p><b>Setting</b></p></td>
|
||||||
<td><p><strong>Detailed Description</strong></p></td>
|
<td><p><b>Detailed Description</b></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p></p></td>
|
<td><p></p></td>
|
||||||
@ -334,7 +334,7 @@ The following table shows the Group Policy and registry settings that are used t
|
|||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p>3</p></td>
|
<td><p>3</p></td>
|
||||||
<td><p>Registry key</p></td>
|
<td><p>Registry key</p></td>
|
||||||
<td><p><strong>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</strong></p></td>
|
<td><p><b>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</b></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p></p></td>
|
<td><p></p></td>
|
||||||
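Review bot: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` is a literal registry path, so `<code>` (or a backtick span) fits better than `<b>`; code spans are what localization tooling leaves untranslated, which is the problem the commit message cites, whereas bold prose is still eligible for translation and a translated or re-hyphenated path is exactly the kind of breakage a reader pasting it into the Registry Editor will hit.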
@ -444,9 +444,9 @@ The following table shows the Group Policy settings that are used to deny networ
|
|||||||
</colgroup>
|
</colgroup>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><strong>No.</strong></p></td>
|
<td><p><b>No.</b></p></td>
|
||||||
<td><p><strong>Setting</strong></p></td>
|
<td><p><b>Setting</b></p></td>
|
||||||
<td><p><strong>Detailed Description</strong></p></td>
|
<td><p><b>Detailed Description</b></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p></p></td>
|
<td><p></p></td>
|
||||||
|
@ -98,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve
|
|||||||
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br>[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
|
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br>[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
|
||||||
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
||||||
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
||||||
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. </p></blockquote> |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
|
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><b>Important:</b><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. </p></blockquote> |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
|
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
|
||||||
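Review bot: the "Secure firmware update process" row links to the same `#system-fundamentals-firmware-uefisecureboot` anchor as the Secure Boot row above it, although its text says the relevant requirement is the secure firmware update one; the anchor should be checked. The `<b>Important:</b>` inside a `<blockquote>` inside a Markdown table cell is the nesting that keeps tripping localization; the domain-controller caveat would be safer as a `> [!IMPORTANT]` line under the table, which this file already uses a few lines later.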
@ -133,5 +133,5 @@ The following table lists qualifications for Windows 10, version 1703, which are
|
|||||||
|
|
||||||
| Protections for Improved Security | Description | Security Benefits
|
| Protections for Improved Security | Description | Security Benefits
|
||||||
|---|---|---|
|
|---|---|---|
|
||||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volatile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volatile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><b>Notes:</b><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||||
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
||||||
|
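Review bot: the first bullet in the SMM row's benefits column ("Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS") is two sentences merged; it should mirror the NX row's bullet ("Vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS"). In the NX row, "not required for in non-volatile storage" has a stray word ("not required in non-volatile storage"), and the `<b>Notes:</b>` blockquote embedded in the cell is again HTML nested in a Markdown table cell, which a `> [!NOTE]` under the table would avoid.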
@ -84,7 +84,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
|
|||||||
1. In the **Custom OMA-URI Settings** blade, Click **Add**.
|
1. In the **Custom OMA-URI Settings** blade, Click **Add**.
|
||||||
1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where <b>*tenant ID*</b> is your Azure Active Directory tenant ID from step 2.
|
1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where <b>*tenant ID*</b> is your Azure Active Directory tenant ID from step 2.
|
||||||
1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
|
1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
|
||||||
1. Click **OK** to save the row configuration. Click **OK** to close the <strong>Custom OMA-URI Settings blade. Click **Create</strong> to save the profile.
|
1. Click **OK** to save the row configuration. Click **OK** to close the <b>Custom OMA-URI Settings blade. Click **Create</b> to save the profile.
|
||||||
|
|
||||||
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
|
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
|
||||||
|
|
||||||
|
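Review bot: at step 4 the mechanical swap preserves a malformed span: `<b>Custom OMA-URI Settings blade. Click **Create</b>` opens bold before the blade name and closes it after `Create`, while the `**` before `Create` is never closed. It should read `**Custom OMA-URI Settings** blade. Click **Create** to save the profile.` Step 2 similarly mixes `<b>*tenant ID*</b>`; `***tenant ID***` or plain `*tenant ID*` keeps it in Markdown and out of the tag that caused the localization issue.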
@ -17,7 +17,7 @@ ms.reviewer:
|
|||||||
---
|
---
|
||||||
# Windows Hello for Business Provisioning
|
# Windows Hello for Business Provisioning
|
||||||
<span id="windows-hello-for-business-provisioning" />
|
<span id="windows-hello-for-business-provisioning" />
|
||||||
<strong>Applies to:</strong>
|
<b>Applies to:</b>
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
|
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
|
||||||
|
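Review bot: `<b>Applies to:</b>` sits in a Markdown file (frontmatter and a `#` heading are visible above it), so `**Applies to:**` would drop the inline HTML rather than rename it. In the last context line, "Provisioning experience vary based on:" needs subject-verb agreement: "The provisioning experience varies based on:".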
@ -187,7 +187,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
|
|||||||
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
|
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
|
||||||
2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
|
2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
|
||||||
3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
|
3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
|
||||||
4. On the **Extensions** tab, click **Add**. Type <strong>http://crl.[domainname]/cdp/</strong> in **location**. For example, *<http://crl.corp.contoso.com/cdp/>* or *<http://crl.contoso.com/cdp/>* (do not forget the trailing forward slash).
|
4. On the **Extensions** tab, click **Add**. Type <b>http://crl.[domainname]/cdp/</b> in **location**. For example, *<http://crl.corp.contoso.com/cdp/>* or *<http://crl.contoso.com/cdp/>* (do not forget the trailing forward slash).
|
||||||

|

|
||||||
5. Select **\<CaName>** from the **Variable** list and click **Insert**. Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**. Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
|
5. Select **\<CaName>** from the **Variable** list and click **Insert**. Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**. Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
|
||||||
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
|
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
|
||||||
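Review bot: `http://crl.[domainname]/cdp/` in step 4 is a URL template the reader types verbatim, so a code span is the better fit than `<b>`; it also protects the placeholder brackets and the trailing slash (which the step warns not to forget) from being re-rendered or translated. The placeholder name should match the validation step further down in the same file, which uses `crl.[yourdomain].com`.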
@ -225,7 +225,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
|
|||||||
|
|
||||||
Validate your new CRL distribution point is working.
|
Validate your new CRL distribution point is working.
|
||||||
|
|
||||||
1. Open a web browser. Navigate to <strong>http://crl.[yourdomain].com/cdp</strong>. You should see two files created from publishing your new CRL.
|
1. Open a web browser. Navigate to <b>http://crl.[yourdomain].com/cdp</b>. You should see two files created from publishing your new CRL.
|
||||||

|

|
||||||
|
|
||||||
### Reissue domain controller certificates
|
### Reissue domain controller certificates
|
||||||
|
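Review bot: the validation URL `http://crl.[yourdomain].com/cdp` uses a different placeholder from the configuration step (`crl.[domainname]`) and omits the trailing slash that step 4 insists on; align both so a reader can compare what they configured in the CDP extension against what they browse to. A code span rather than `<b>` keeps the URL literal here as well.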
@ -58,7 +58,7 @@ Use the following table to compare different Remote Desktop connection security
|
|||||||
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
|
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
|
||||||
| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
|
| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
|
||||||
| **Helps prevent** | N/A | <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul> | <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul> |
|
| **Helps prevent** | N/A | <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul> | <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul> |
|
||||||
| **Credentials supported from the remote desktop client device** | <ul><li><strong>Signed on</strong> credentials <li> <strong>Supplied</strong> credentials<li> <strong>Saved</strong> credentials </ul> | <ul><li> <strong>Signed on</strong> credentials only | <ul><li><strong>Signed on</strong> credentials<li><strong>Supplied</strong> credentials<li><strong>Saved</strong> credentials</ul> |
|
| **Credentials supported from the remote desktop client device** | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> | <ul><li> <b>Signed on</b> credentials only | <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul> |
|
||||||
| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
|
| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
|
||||||
| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. |
|
| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. |
|
||||||
| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
|
| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
|
||||||
|
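Review bot: the Remote Credential Guard column of the "Credentials supported" row has an unclosed list: `<ul><li> <b>Signed on</b> credentials only |` has no `</ul>`, and none of the three cells close their `<li>` elements. Inside a Markdown table that is fragile for both renderers and localization; writing the cells as `**Signed on**, **Supplied**, **Saved**` separated by `<br>` drops the `<ul>` markup entirely. The Restricted Admin mode version-support cell points at a technet.microsoft.com advisory URL; verify it still resolves.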
@ -270,7 +270,7 @@ To better understand each component, review the table below:
|
|||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
The slider will never turn UAC completely off. If you set it to <strong>Never notify</strong>, it will:
|
The slider will never turn UAC completely off. If you set it to <b>Never notify</b>, it will:
|
||||||
|
|
||||||
- Keep the UAC service running.
|
- Keep the UAC service running.
|
||||||
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
|
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
|
||||||
|
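Review bot: `<b>Never notify</b>` in Markdown prose can simply be `**Never notify**`, matching how the rest of this file names UI settings, so no inline tag is needed at all. The second bullet below it, "Cause all elevation request initiated by administrators", should be "requests".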
@ -252,11 +252,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
|
|||||||
</colgroup>
|
</colgroup>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Name</strong></p></td>
|
<td align="left"><p><b>Name</b></p></td>
|
||||||
<td align="left"><p><strong>Parameters</strong></p></td>
|
<td align="left"><p><b>Parameters</b></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
|
<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
|
||||||
<td align="left"><p>-ADAccountOrGroup</p>
|
<td align="left"><p>-ADAccountOrGroup</p>
|
||||||
<p>-ADAccountOrGroupProtector</p>
|
<p>-ADAccountOrGroupProtector</p>
|
||||||
<p>-Confirm</p>
|
<p>-Confirm</p>
|
||||||
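Review bot: the cmdlet names in the first column (`Add-BitLockerKeyProtector`, `Backup-BitLockerKeyProtector`, and the rest of the table) are code identifiers, and the prose further down this same file already wraps them in `<code>`, so `<code>` is a better replacement than `<b>` and keeps the names out of translation. The parameter column would read more easily as a single `<code>` list per cell instead of one `<p>` per parameter.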
@ -278,26 +278,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
|
|||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Backup-BitLockerKeyProtector</strong></p></td>
|
<td align="left"><p><b>Backup-BitLockerKeyProtector</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-KeyProtectorId</p>
|
<p>-KeyProtectorId</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Disable-BitLocker</strong></p></td>
|
<td align="left"><p><b>Disable-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Disable-BitLockerAutoUnlock</strong></p></td>
|
<td align="left"><p><b>Disable-BitLockerAutoUnlock</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Enable-BitLocker</strong></p></td>
|
<td align="left"><p><b>Enable-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-AdAccountOrGroup</p>
|
<td align="left"><p>-AdAccountOrGroup</p>
|
||||||
<p>-AdAccountOrGroupProtector</p>
|
<p>-AdAccountOrGroupProtector</p>
|
||||||
<p>-Confirm</p>
|
<p>-Confirm</p>
|
||||||
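Review bot: `-AdAccountOrGroup` / `-AdAccountOrGroupProtector` in the `Enable-BitLocker` row differ in case from `-ADAccountOrGroup` / `-ADAccountOrGroupProtector` in the `Add-BitLockerKeyProtector` row at the top of the table. PowerShell does not care, but a reader searching the page does; pick one spelling and use it for every cmdlet that takes the parameter (`Unlock-BitLocker` later in the table uses the lowercase form).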
@ -322,44 +322,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
|
|||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Enable-BitLockerAutoUnlock</strong></p></td>
|
<td align="left"><p><b>Enable-BitLockerAutoUnlock</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Get-BitLockerVolume</strong></p></td>
|
<td align="left"><p><b>Get-BitLockerVolume</b></p></td>
|
||||||
<td align="left"><p>-MountPoint</p></td>
|
<td align="left"><p>-MountPoint</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Lock-BitLocker</strong></p></td>
|
<td align="left"><p><b>Lock-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-ForceDismount</p>
|
<p>-ForceDismount</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Remove-BitLockerKeyProtector</strong></p></td>
|
<td align="left"><p><b>Remove-BitLockerKeyProtector</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-KeyProtectorId</p>
|
<p>-KeyProtectorId</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Resume-BitLocker</strong></p></td>
|
<td align="left"><p><b>Resume-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Suspend-BitLocker</strong></p></td>
|
<td align="left"><p><b>Suspend-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-RebootCount</p>
|
<p>-RebootCount</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Unlock-BitLocker</strong></p></td>
|
<td align="left"><p><b>Unlock-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-AdAccountOrGroup</p>
|
<td align="left"><p>-AdAccountOrGroup</p>
|
||||||
<p>-Confirm</p>
|
<p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
@ -374,7 +374,7 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
|
|||||||
|
|
||||||
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
|
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
|
||||||
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLocker</code> volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
|
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLocker</code> volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
|
||||||
Occasionally, all protectors may not be shown when using <strong>Get-BitLockerVolume</strong> due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
|
Occasionally, all protectors may not be shown when using <b>Get-BitLockerVolume</b> due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
|
||||||
|
|
||||||
> **Note:** In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
|
> **Note:** In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
|
||||||
|
|
||||||
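Review bot: the unchanged context line in this hunk refers to "the <code>Get-BitLocker</code> volume cmdlet", splitting the cmdlet name in two; the cmdlet is `Get-BitLockerVolume`, as both the `<b>Get-BitLockerVolume</b>` line this hunk edits and the table row above show. Since the paragraph is being touched anyway, suggest "the <code>Get-BitLockerVolume</code> cmdlet".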
|
File diff suppressed because it is too large
@ -126,11 +126,11 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
|
|||||||
</colgroup>
|
</colgroup>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Name</strong></p></td>
|
<td align="left"><p><b>Name</b></p></td>
|
||||||
<td align="left"><p><strong>Parameters</strong></p></td>
|
<td align="left"><p><b>Parameters</b></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
|
<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
|
||||||
<td align="left"><p>-ADAccountOrGroup</p>
|
<td align="left"><p>-ADAccountOrGroup</p>
|
||||||
<p>-ADAccountOrGroupProtector</p>
|
<p>-ADAccountOrGroupProtector</p>
|
||||||
<p>-Confirm</p>
|
<p>-Confirm</p>
|
||||||
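Review bot: the header row cells (`<td align="left"><p><b>Name</b></p></td>` and `<td align="left"><p><b>Parameters</b></p></td>`) rely on an inline bold tag to look like headers; `<th>` cells carry the header semantics with no emphasis tag at all, which removes the element the commit message says causes localization trouble instead of swapping it for another. Other tables in this same commit already use `<th>` for their header cells.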
@ -152,26 +152,26 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
|
|||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Backup-BitLockerKeyProtector</strong></p></td>
|
<td align="left"><p><b>Backup-BitLockerKeyProtector</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-KeyProtectorId</p>
|
<p>-KeyProtectorId</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Disable-BitLocker</strong></p></td>
|
<td align="left"><p><b>Disable-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Disable-BitLockerAutoUnlock</strong></p></td>
|
<td align="left"><p><b>Disable-BitLockerAutoUnlock</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Enable-BitLocker</strong></p></td>
|
<td align="left"><p><b>Enable-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-AdAccountOrGroup</p>
|
<td align="left"><p>-AdAccountOrGroup</p>
|
||||||
<p>-AdAccountOrGroupProtector</p>
|
<p>-AdAccountOrGroupProtector</p>
|
||||||
<p>-Confirm</p>
|
<p>-Confirm</p>
|
||||||
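Review bot: the unchanged context rows in this and the preceding hunk spell the same parameter two ways: `-ADAccountOrGroup` / `-ADAccountOrGroupProtector` under Add-BitLockerKeyProtector, but `-AdAccountOrGroup` / `-AdAccountOrGroupProtector` under Enable-BitLocker. PowerShell parameter names are case-insensitive so both work, but the table should use one spelling; worth fixing while these rows are being edited.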
@ -196,44 +196,44 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
|
|||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Enable-BitLockerAutoUnlock</strong></p></td>
|
<td align="left"><p><b>Enable-BitLockerAutoUnlock</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Get-BitLockerVolume</strong></p></td>
|
<td align="left"><p><b>Get-BitLockerVolume</b></p></td>
|
||||||
<td align="left"><p>-MountPoint</p></td>
|
<td align="left"><p>-MountPoint</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Lock-BitLocker</strong></p></td>
|
<td align="left"><p><b>Lock-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-ForceDismount</p>
|
<p>-ForceDismount</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Remove-BitLockerKeyProtector</strong></p></td>
|
<td align="left"><p><b>Remove-BitLockerKeyProtector</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-KeyProtectorId</p>
|
<p>-KeyProtectorId</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Resume-BitLocker</strong></p></td>
|
<td align="left"><p><b>Resume-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Suspend-BitLocker</strong></p></td>
|
<td align="left"><p><b>Suspend-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-Confirm</p>
|
<td align="left"><p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
<p>-RebootCount</p>
|
<p>-RebootCount</p>
|
||||||
<p>-WhatIf</p></td>
|
<p>-WhatIf</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Unlock-BitLocker</strong></p></td>
|
<td align="left"><p><b>Unlock-BitLocker</b></p></td>
|
||||||
<td align="left"><p>-AdAccountOrGroup</p>
|
<td align="left"><p>-AdAccountOrGroup</p>
|
||||||
<p>-Confirm</p>
|
<p>-Confirm</p>
|
||||||
<p>-MountPoint</p>
|
<p>-MountPoint</p>
|
||||||
|
@ -168,91 +168,91 @@ The following table contains information about both Physical Disk Resources (i.e
|
|||||||
</colgroup>
|
</colgroup>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Action</strong></p></td>
|
<td align="left"><p><b>Action</b></p></td>
|
||||||
<td align="left"><p><strong>On owner node of failover volume</strong></p></td>
|
<td align="left"><p><b>On owner node of failover volume</b></p></td>
|
||||||
<td align="left"><p><strong>On Metadata Server (MDS) of CSV</strong></p></td>
|
<td align="left"><p><b>On Metadata Server (MDS) of CSV</b></p></td>
|
||||||
<td align="left"><p><strong>On (Data Server) DS of CSV</strong></p></td>
|
<td align="left"><p><b>On (Data Server) DS of CSV</b></p></td>
|
||||||
<td align="left"><p><strong>Maintenance Mode</strong></p></td>
|
<td align="left"><p><b>Maintenance Mode</b></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Manage-bde –on</strong></p></td>
|
<td align="left"><p><b>Manage-bde –on</b></p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Manage-bde –off</strong></p></td>
|
<td align="left"><p><b>Manage-bde –off</b></p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Manage-bde Pause/Resume</strong></p></td>
|
<td align="left"><p><b>Manage-bde Pause/Resume</b></p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked<strong></p></td>
|
<td align="left"><p>Blocked<b></p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Manage-bde –lock</strong></p></td>
|
<td align="left"><p><b>Manage-bde –lock</b></p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>manage-bde –wipe</strong></p></td>
|
<td align="left"><p><b>manage-bde –wipe</b></p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Unlock</strong></p></td>
|
<td align="left"><p><b>Unlock</b></p></td>
|
||||||
<td align="left"><p>Automatic via cluster service</p></td>
|
<td align="left"><p>Automatic via cluster service</p></td>
|
||||||
<td align="left"><p>Automatic via cluster service</p></td>
|
<td align="left"><p>Automatic via cluster service</p></td>
|
||||||
<td align="left"><p>Automatic via cluster service</p></td>
|
<td align="left"><p>Automatic via cluster service</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>manage-bde –protector –add</strong></p></td>
|
<td align="left"><p><b>manage-bde –protector –add</b></p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>manage-bde -protector -delete</strong></p></td>
|
<td align="left"><p><b>manage-bde -protector -delete</b></p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>manage-bde –autounlock</strong></p></td>
|
<td align="left"><p><b>manage-bde –autounlock</b></p></td>
|
||||||
<td align="left"><p>Allowed (not recommended)</p></td>
|
<td align="left"><p>Allowed (not recommended)</p></td>
|
||||||
<td align="left"><p>Allowed (not recommended)</p></td>
|
<td align="left"><p>Allowed (not recommended)</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed (not recommended)</p></td>
|
<td align="left"><p>Allowed (not recommended)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Manage-bde -upgrade</strong></p></td>
|
<td align="left"><p><b>Manage-bde -upgrade</b></p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Shrink</strong></p></td>
|
<td align="left"><p><b>Shrink</b></p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Extend</strong></p></td>
|
<td align="left"><p><b>Extend</b></p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Allowed</p></td>
|
<td align="left"><p>Allowed</p></td>
|
||||||
<td align="left"><p>Blocked</p></td>
|
<td align="left"><p>Blocked</p></td>
|
||||||
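Review bot: the cell `<td align="left"><p>Blocked<b></p></td>` (Manage-bde Pause/Resume row, MDS column) renames a stray unclosed `<strong>` into a stray unclosed `<b>` instead of removing it; the tag wraps nothing and has no closing tag, so it should simply be dropped, giving `<td align="left"><p>Blocked</p></td>` like the neighbouring cells. Separately, the command names in the first column mix an en dash with a hyphen (`Manage-bde –on`, `manage-bde –protector –add` versus `manage-bde -protector -delete`); readers copy these, and the en-dash form is not a valid switch, so the hyphen should be used throughout.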
@ -261,7 +261,7 @@ The following table contains information about both Physical Disk Resources (i.e
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
></strong>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
|
></b>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
|
||||||
|
|
||||||
In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process.
|
In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process.
|
||||||
|
|
||||||
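Review bot: `></b>Note:**` carries the broken markup forward; the original `></strong>Note:**` is a mangled markdown callout, so the fix is to restore `> **Note:**` (the form used by the `> **Note:** In the event that there are more than four protectors` line elsewhere in this commit) rather than rename the stray closing tag. The sentence is also missing its terminating period after "from the MDS node".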
|
@ -53,7 +53,7 @@ This table includes info about how unenlightened apps might behave, based on you
|
|||||||
<th align="center">Name-based policies, using the /*AppCompat*/ string or proxy-based policies</th>
|
<th align="center">Name-based policies, using the /*AppCompat*/ string or proxy-based policies</th>
|
||||||
</tr>
|
</tr>
|
||||||
<tr align="left">
|
<tr align="left">
|
||||||
<td><strong>Not required.</strong> App connects to enterprise cloud resources directly, using an IP address.</td>
|
<td><b>Not required.</b> App connects to enterprise cloud resources directly, using an IP address.</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li>App is entirely blocked from both personal and enterprise cloud resources.</li>
|
<li>App is entirely blocked from both personal and enterprise cloud resources.</li>
|
||||||
@ -70,7 +70,7 @@ This table includes info about how unenlightened apps might behave, based on you
|
|||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr align="left">
|
<tr align="left">
|
||||||
<td><strong>Not required.</strong> App connects to enterprise cloud resources, using a hostname.</td>
|
<td><b>Not required.</b> App connects to enterprise cloud resources, using a hostname.</td>
|
||||||
<td colspan="2">
|
<td colspan="2">
|
||||||
<ul>
|
<ul>
|
||||||
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
|
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
|
||||||
@ -80,7 +80,7 @@ This table includes info about how unenlightened apps might behave, based on you
|
|||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr align="left">
|
<tr align="left">
|
||||||
<td><strong>Allow.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
<td><b>Allow.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
||||||
<td colspan="2">
|
<td colspan="2">
|
||||||
<ul>
|
<ul>
|
||||||
<li>App can access both personal and enterprise cloud resources.</li>
|
<li>App can access both personal and enterprise cloud resources.</li>
|
||||||
@ -90,7 +90,7 @@ This table includes info about how unenlightened apps might behave, based on you
|
|||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr align="left" colspan="2">
|
<tr align="left" colspan="2">
|
||||||
<td><strong>Exempt.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
<td><b>Exempt.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
||||||
<td colspan="2">
|
<td colspan="2">
|
||||||
<ul>
|
<ul>
|
||||||
<li>App can access both personal and enterprise cloud resources.</li>
|
<li>App can access both personal and enterprise cloud resources.</li>
|
||||||
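Review bot: `<tr align="left" colspan="2">` places `colspan` on a table row, where it has no effect; the attribute belongs on the cell and is already present on the `<td colspan="2">` that follows, so this row should be `<tr align="left">` like the rows above it.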
@ -110,7 +110,7 @@ This table includes info about how enlightened apps might behave, based on your
|
|||||||
<th>Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies</th>
|
<th>Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies</th>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Not required.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
<td><b>Not required.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
|
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
|
||||||
@ -120,7 +120,7 @@ This table includes info about how enlightened apps might behave, based on your
|
|||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Allow.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
<td><b>Allow.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li>App can access both personal and enterprise cloud resources.</li>
|
<li>App can access both personal and enterprise cloud resources.</li>
|
||||||
@ -130,7 +130,7 @@ This table includes info about how enlightened apps might behave, based on your
|
|||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Exempt.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
<td><b>Exempt.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li>App can access both personal and enterprise cloud resources.</li>
|
<li>App can access both personal and enterprise cloud resources.</li>
|
||||||
|
@ -190,27 +190,27 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
|
|||||||
<td>All files signed by any publisher. (Not recommended.)</td>
|
<td>All files signed by any publisher. (Not recommended.)</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Publisher</strong> selected</td>
|
<td><b>Publisher</b> selected</td>
|
||||||
<td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
|
<td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Publisher</strong> and <strong>Product Name</strong> selected</td>
|
<td><b>Publisher</b> and <b>Product Name</b> selected</td>
|
||||||
<td>All files for the specified product, signed by the named publisher.</td>
|
<td>All files for the specified product, signed by the named publisher.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>Binary name</strong> selected</td>
|
<td><b>Publisher</b>, <b>Product Name</b>, and <b>Binary name</b> selected</td>
|
||||||
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
|
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, and above</strong>, selected</td>
|
<td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, and above</b>, selected</td>
|
||||||
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
|
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, And below</strong> selected</td>
|
<td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, And below</b> selected</td>
|
||||||
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
|
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, Exactly</strong> selected</td>
|
<td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, Exactly</b> selected</td>
|
||||||
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
|
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
@ -403,8 +403,8 @@ There are no default locations included with WIP, you must add each of your netw
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Enterprise Cloud Resources</td>
|
<td>Enterprise Cloud Resources</td>
|
||||||
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
|
<td><b>With proxy:</b> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><b>Without proxy:</b> contoso.sharepoint.com|contoso.visualstudio.com</td>
|
||||||
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL <,proxy>|URL <,proxy></code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/*AppCompat*/</code> string to the setting. For example: <code>URL <,proxy>|URL <,proxy>|/*AppCompat*/</code>.</td>
|
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL <,proxy>|URL <,proxy></code>.<p><b>Important</b><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/*AppCompat*/</code> string to the setting. For example: <code>URL <,proxy>|URL <,proxy>|/*AppCompat*/</code>.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Enterprise Network Domain Names (Required)</td>
|
<td>Enterprise Network Domain Names (Required)</td>
|
||||||
@ -422,12 +422,12 @@ There are no default locations included with WIP, you must add each of your netw
|
|||||||
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the ";" delimiter.</td><br/> </tr>
|
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the ";" delimiter.</td><br/> </tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Enterprise IPv4 Range (Required)</td>
|
<td>Enterprise IPv4 Range (Required)</td>
|
||||||
<td><strong>Starting IPv4 Address:</strong> 3.4.0.1<br><strong>Ending IPv4 Address:</strong> 3.4.255.254<br><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
|
<td><b>Starting IPv4 Address:</b> 3.4.0.1<br><b>Ending IPv4 Address:</b> 3.4.255.254<br><b>Custom URI:</b> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
|
||||||
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
|
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Enterprise IPv6 Range</td>
|
<td>Enterprise IPv6 Range</td>
|
||||||
<td><strong>Starting IPv6 Address:</strong> 2a01:110::<br><strong>Ending IPv6 Address:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br><strong>Custom URI:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
|
<td><b>Starting IPv6 Address:</b> 2a01:110::<br><b>Ending IPv6 Address:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br><b>Custom URI:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
|
||||||
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
|
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
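Review bot: the IPv6 example's Custom URI is inconsistent with its own Starting/Ending addresses: it lists `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,` (the ending address alone) where the IPv4 row above gives a `start-end` range (`3.4.0.1-3.4.255.254,`). It should read `2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,` so the two examples match and the value is a range. Also, the Internal proxy servers cell in the unchanged context ends with `</td><br/> </tr>`; a `<br/>` between `</td>` and `</tr>` is invalid and should be removed.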
|
@ -108,7 +108,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|
|||||||
| Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
|
| Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
|
||||||
| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** iexplore.exe<br>**App Type:** Desktop app |
|
| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** iexplore.exe<br>**App Type:** Desktop app |
|
||||||
| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app |
|
| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app |
|
||||||
| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Microsoftskydrive<br><strong>Product Version:</strong>Product version: 17.21.0.0 (and later)<br>**App Type:** Universal app |
|
| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Microsoftskydrive<br><b>Product Version:</b>Product version: 17.21.0.0 (and later)<br>**App Type:** Universal app |
|
||||||
| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
|
| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
|
||||||
| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
|
| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
|
||||||
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |
|
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |
|
||||||
|
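Review bot: the OneDrive app row still renders a doubled label, `<b>Product Version:</b>Product version: 17.21.0.0 (and later)`, with no space after the closing tag, and it is the only field in this markdown table that uses an HTML tag where the sibling fields (`**Product Name:**`, `**App Type:**`) use `**...**`. Suggest `**Product Version:** 17.21.0.0 (and later)` so the row matches the rest of the table and the version reads as a single value.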
@ -33,18 +33,18 @@ This table provides info about the most common problems you might encounter whil
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.</td>
|
<td>Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.</td>
|
||||||
<td><strong>If you’re using Azure RMS:</strong> Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.<br><br><strong>If you’re not using Azure RMS:</strong> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
|
<td><b>If you’re using Azure RMS:</b> Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.<br><br><b>If you’re not using Azure RMS:</b> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
|
||||||
<td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<br><br>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
|
<td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<br><br>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Direct Access is incompatible with WIP.</td>
|
<td>Direct Access is incompatible with WIP.</td>
|
||||||
<td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.</td>
|
<td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.</td>
|
||||||
<td>We recommend that you use VPN for client access to your intranet resources.<br><br><strong>Note</strong><br>VPN is optional and isn’t required by WIP.</td>
|
<td>We recommend that you use VPN for client access to your intranet resources.<br><br><b>Note</b><br>VPN is optional and isn’t required by WIP.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>NetworkIsolation</strong> Group Policy setting takes precedence over MDM Policy settings.</td>
|
<td><b>NetworkIsolation</b> Group Policy setting takes precedence over MDM Policy settings.</td>
|
||||||
<td>The <strong>NetworkIsolation</strong> Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.</td>
|
<td>The <b>NetworkIsolation</b> Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.</td>
|
||||||
<td>If you use both Group Policy and MDM to configure your <strong>NetworkIsolation</strong> settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.</td>
|
<td>If you use both Group Policy and MDM to configure your <b>NetworkIsolation</b> settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Cortana can potentially allow data leakage if it’s on the allowed apps list.</td>
|
<td>Cortana can potentially allow data leakage if it’s on the allowed apps list.</td>
|
||||||
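Review bot: the Azure RMS cell mixes typographic apostrophes ("you’re", "isn’t") with a straight one ("won't") on the same line, and the same mix recurs in the Direct Access and VPN cells; pick one form for the file while these lines are being rewritten. The hand-built `<b>Note</b><br>` callout in the VPN cell is acceptable inside an HTML table, but it should be the same pattern everywhere in this file (later hunks use it too), so a quick grep for `Note</b>` before merging would confirm consistency.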
@ -63,7 +63,7 @@ This table provides info about the most common problems you might encounter whil
|
|||||||
<ul>
|
<ul>
|
||||||
<li>Start the installer directly from the file share.<br><br>-OR-<br><br></li>
|
<li>Start the installer directly from the file share.<br><br>-OR-<br><br></li>
|
||||||
<li>Decrypt the locally copied files needed by the installer.<br><br>-OR-<br><br></li>
|
<li>Decrypt the locally copied files needed by the installer.<br><br>-OR-<br><br></li>
|
||||||
<li>Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as <strong>Authoritative</strong> and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.</li>
|
<li>Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as <b>Authoritative</b> and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.</li>
|
||||||
</ul></td>
|
</ul></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
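Review bot: the `<br><br>-OR-<br><br>` separators in the installer workaround list live inside the first two `<li>` elements, so each "OR" is attached to the item before it rather than standing between alternatives; a lead-in such as "Do one of the following:" before the `<ul>` would let the separators go. The third item (set the Enterprise IP ranges as Authoritative, then exclude the file server's IP address) changes the Enterprise IP ranges as a whole, not only the file share, so one sentence saying that the Authoritative setting affects how every other intranet address is classified would help a reader weigh that option against the first two.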
@ -74,17 +74,17 @@ This table provides info about the most common problems you might encounter whil
|
|||||||
<tr>
|
<tr>
|
||||||
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
|
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
|
||||||
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
|
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
|
||||||
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><strong>Note</strong><br>For more info about Work Folders and Offline Files, see the blog, <a href="https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/" data-raw-source="[Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)">Work Folders and Offline Files support for Windows Information Protection</a>. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, <a href="https://support.microsoft.com/kb/3187045" data-raw-source="[Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045)">Can't open files offline when you use Offline Files and Windows Information Protection</a>.</td>
|
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><b>Note</b><br>For more info about Work Folders and Offline Files, see the blog, <a href="https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/" data-raw-source="[Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)">Work Folders and Offline Files support for Windows Information Protection</a>. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, <a href="https://support.microsoft.com/kb/3187045" data-raw-source="[Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045)">Can't open files offline when you use Offline Files and Windows Information Protection</a>.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.</td>
|
<td>An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.</td>
|
||||||
<td><p>Data copied from the WIP-managed device is marked as <strong>Work</strong>.<p>Data copied to the WIP-managed device is not marked as <strong>Work</strong>.<p>Local <strong>Work</strong> data copied to the WIP-managed device remains <strong>Work</strong> data.<p><strong>Work</strong> data that is copied between two apps in the same session remains </strong> data.</td>
|
<td><p>Data copied from the WIP-managed device is marked as <b>Work</b>.<p>Data copied to the WIP-managed device is not marked as <b>Work</b>.<p>Local <b>Work</b> data copied to the WIP-managed device remains <b>Work</b> data.<p><b>Work</b> data that is copied between two apps in the same session remains </b> data.</td>
|
||||||
<td>Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.</td>
|
<td>Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
|
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
|
||||||
<td>A message appears stating that the content is marked as <strong>Work</strong> and the user isn't given an option to override to <strong>Personal</strong>.</td>
|
<td>A message appears stating that the content is marked as <b>Work</b> and the user isn't given an option to override to <b>Personal</b>.</td>
|
||||||
<td>Open File Explorer and change the file ownership to <strong>Personal</strong> before you upload.</td>
|
<td>Open File Explorer and change the file ownership to <b>Personal</b> before you upload.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>ActiveX controls should be used with caution.</td>
|
<td>ActiveX controls should be used with caution.</td>
|
||||||
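Review bot: the RDP row carries a dangling close tag forward: `<b>Work</b> data that is copied between two apps in the same session remains </b> data.` has a `</b>` with no opener (the old line had the same stray `</strong>`), so the second "Work" is missing and the sentence renders as "remains data." Suggest `remains <b>Work</b> data.` to match the three preceding sentences in the cell. Also, the KB link in the Work Folders note uses `https://support.microsoft.com/kb/3187045` while a later hunk links the same article as `https://support.microsoft.com/help/3187045/...`; one form would be better.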
@ -97,7 +97,7 @@ This table provides info about the most common problems you might encounter whil
|
|||||||
<td>Format drive for NTFS, or use a different drive.</td>
|
<td>Format drive for NTFS, or use a different drive.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>WIP isn’t turned on if any of the following folders have the <strong>MakeFolderAvailableOfflineDisabled</strong> option set to <strong>False</strong>:
|
<td>WIP isn’t turned on if any of the following folders have the <b>MakeFolderAvailableOfflineDisabled</b> option set to <b>False</b>:
|
||||||
<ul>
|
<ul>
|
||||||
<li>AppDataRoaming</li>
|
<li>AppDataRoaming</li>
|
||||||
<li>Desktop</li>
|
<li>Desktop</li>
|
||||||
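Review bot: `MakeFolderAvailableOfflineDisabled` and its value `False` are a configuration option and a literal, not UI text, so `<code>` fits them better than `<b>`; this patch already uses `<code>` for `.exe`, `.dll`, `%windir%` and `%programfiles%` in the testing scenarios hunk. The same applies to the matching sentence in the workaround cell of the next hunk.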
@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil
|
|||||||
</ul>
|
</ul>
|
||||||
</td>
|
</td>
|
||||||
<td>WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.</td>
|
<td>WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.</td>
|
||||||
<td>Don’t set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders. You can configure this parameter, as described <a href="https://docs.microsoft.com/windows-server/storage/folder-redirection/disable-offline-files-on-folders" data-raw-source="[here](https://docs.microsoft.com/windows-server/storage/folder-redirection/disable-offline-files-on-folders)">here</a>.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can't open files offline when you use Offline Files and Windows Information Protection</a>.
|
<td>Don’t set the <b>MakeFolderAvailableOfflineDisabled</b> option to <b>False</b> for any of the specified folders. You can configure this parameter, as described <a href="https://docs.microsoft.com/windows-server/storage/folder-redirection/disable-offline-files-on-folders" data-raw-source="[here](https://docs.microsoft.com/windows-server/storage/folder-redirection/disable-offline-files-on-folders)">here</a>.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can't open files offline when you use Offline Files and Windows Information Protection</a>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
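Review bot: the link text "here" in `You can configure this parameter, as described <a href="...">here</a>.` is non-descriptive; use the target's subject (disabling Offline Files on redirected folders, per the URL path) as the link text. The caveat that applying redirected folders after WIP is already in place can leave files unopenable offline is the operational point of this cell and could lead the workaround rather than follow the migration advice.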
@ -143,7 +143,7 @@ This table provides info about the most common problems you might encounter whil
|
|||||||
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.</td>
|
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.
|
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <b>Work</b> files, and are therefore not protected.
|
||||||
</td>
|
</td>
|
||||||
<td>If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
|
<td>If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
|
||||||
</td>
|
</td>
|
||||||
|
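Review bot: the context line `allow OneDrive to finish syncing & upgrading the notebook` has a bare `&` inside HTML; write `&amp;` or the word "and". In the Outlook row, the opening `<td>` text and its `</td>` sit on separate lines while the other rows in this table close the cell on the same line; aligning them keeps the table readable in the source.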
@ -39,30 +39,30 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Encrypt and decrypt files using File Explorer.</td>
|
<td>Encrypt and decrypt files using File Explorer.</td>
|
||||||
<td><strong>For desktop:</strong><br><br>
|
<td><b>For desktop:</b><br><br>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Open File Explorer, right-click a work document, and then click <strong>Work</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then clicking <strong>Details</strong> from the <strong>Compress or Encrypt attributes</strong> area. The file should show up under the heading, <strong>This enterprise domain can remove or revoke access:</strong> <em><your_enterprise_identity></em>. For example, contoso.com.</li>
|
<li>Open File Explorer, right-click a work document, and then click <b>Work</b> from the <b>File Ownership</b> menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking <b>Advanced</b> from the <b>General</b> tab, and then clicking <b>Details</b> from the <b>Compress or Encrypt attributes</b> area. The file should show up under the heading, <b>This enterprise domain can remove or revoke access:</b> <em><your_enterprise_identity></em>. For example, contoso.com.</li>
|
||||||
<li>In File Explorer, right-click the same document, and then click <strong>Personal</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then verifying that the <strong>Details</strong> button is unavailable.</li>
|
<li>In File Explorer, right-click the same document, and then click <b>Personal</b> from the <b>File Ownership</b> menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking <b>Advanced</b> from the <b>General</b> tab, and then verifying that the <b>Details</b> button is unavailable.</li>
|
||||||
</ol>
|
</ol>
|
||||||
<strong>For mobile:</strong><br><br>
|
<b>For mobile:</b><br><br>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click <strong>Select</strong> to mark at least one file as work-related.</li>
|
<li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click <b>Select</b> to mark at least one file as work-related.</li>
|
||||||
<li>Click the elipsis (...) again, click <strong>File ownership</strong> from the drop down menu, and then click <strong>Work</strong>.<br>Make sure the file is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li>
|
<li>Click the elipsis (...) again, click <b>File ownership</b> from the drop down menu, and then click <b>Work</b>.<br>Make sure the file is encrypted, by locating the <b>Briefcase</b> icon next to the file name.</li>
|
||||||
<li>Select the same file, click <strong>File ownership</strong> from the drop down menu, and then click <strong>Personal</strong>.<br>Make sure the file is decrypted and that you're no longer seeing the <strong>Briefcase</strong> icon next to file name.</li>
|
<li>Select the same file, click <b>File ownership</b> from the drop down menu, and then click <b>Personal</b>.<br>Make sure the file is decrypted and that you're no longer seeing the <b>Briefcase</b> icon next to file name.</li>
|
||||||
</ol>
|
</ol>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Create work documents in enterprise-allowed apps.</td>
|
<td>Create work documents in enterprise-allowed apps.</td>
|
||||||
<td><strong>For desktop:</strong><br><br>
|
<td><b>For desktop:</b><br><br>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-configmgr.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
|
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><b>Important</b><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-configmgr.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
|
||||||
</ul>
|
</ul>
|
||||||
<strong>For mobile:</strong><br><br>
|
<b>For mobile:</b><br><br>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as <strong>Work</strong> to a local, work-related location.<br>Make sure the document is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li>
|
<li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as <b>Work</b> to a local, work-related location.<br>Make sure the document is encrypted, by locating the <b>Briefcase</b> icon next to the file name.</li>
|
||||||
<li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.</li>
|
<li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.</li>
|
||||||
<li>Open the same document one last time, make a change to the contents, and then save it again using the <strong>Personal</strong> option.<br>Make sure the file is decrypted and that you're no longer seeing the <strong>Briefcase</strong> icon next to file name.</li>
|
<li>Open the same document one last time, make a change to the contents, and then save it again using the <b>Personal</b> option.<br>Make sure the file is decrypted and that you're no longer seeing the <b>Briefcase</b> icon next to file name.</li>
|
||||||
</ol>
|
</ol>
|
||||||
</td><br/> </tr>
|
</td><br/> </tr>
|
||||||
<tr>
|
<tr>
|
||||||
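Review bot: `<em><your_enterprise_identity></em>` in the first desktop step is an unescaped placeholder: an HTML parser treats `<your_enterprise_identity>` as a tag, so the heading the reader is told to look for renders as "This enterprise domain can remove or revoke access:" followed only by "For example, contoso.com." Escape it as `&lt;your_enterprise_identity&gt;`. Also in this hunk: "elipsis" should be "ellipsis" (three occurrences in the mobile steps), "drop down menu" should be "drop-down menu", "next to file name" is missing "the", and `</td><br/> </tr>` places a `<br/>` between a cell and its row end, where it is invalid and should be dropped.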
@ -70,7 +70,7 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<td>
|
<td>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.<br>The app shouldn't be able to access the file.</li>
|
<li>Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.<br>The app shouldn't be able to access the file.</li>
|
||||||
<li>Try double-clicking or tapping on the work-encrypted file.<br>If your default app association is an app not on your allowed apps list, you should get an <strong>Access Denied</strong> error message.</li>
|
<li>Try double-clicking or tapping on the work-encrypted file.<br>If your default app association is an app not on your allowed apps list, you should get an <b>Access Denied</b> error message.</li>
|
||||||
</ol>
|
</ol>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
@ -78,9 +78,9 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<td>Copy and paste from enterprise apps to non-enterprise apps.</td>
|
<td>Copy and paste from enterprise apps to non-enterprise apps.</td>
|
||||||
<td>
|
<td>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <strong>Change to personal</strong> or <strong>Keep at work</strong>.</li>
|
<li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <b>Change to personal</b> or <b>Keep at work</b>.</li>
|
||||||
<li>Click <strong>Keep at work</strong>.<br>The content isn't pasted into the non-enterprise app.</li>
|
<li>Click <b>Keep at work</b>.<br>The content isn't pasted into the non-enterprise app.</li>
|
||||||
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to paste the content again.<br>The content is pasted into the non-enterprise app.</li>
|
<li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to paste the content again.<br>The content is pasted into the non-enterprise app.</li>
|
||||||
<li>Try copying and pasting content between apps on your allowed apps list.<br>The content should copy and paste between apps without any warning messages.</li>
|
<li>Try copying and pasting content between apps on your allowed apps list.<br>The content should copy and paste between apps without any warning messages.</li>
|
||||||
</ol>
|
</ol>
|
||||||
</td>
|
</td>
|
||||||
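Review bot: step 1 of the copy-and-paste scenario lists the warning-box options as `<b>Change to personal</b> or <b>Keep at work</b>`, but the drag-and-drop and share scenarios in the following hunks list them as `<b>Keep at work</b> or <b>Change to personal</b>`; the order should match the dialog and be the same in all three scenarios.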
@ -89,9 +89,9 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<td>Drag and drop from enterprise apps to non-enterprise apps.</td>
|
<td>Drag and drop from enterprise apps to non-enterprise apps.</td>
|
||||||
<td>
|
<td>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <strong>Keep at work</strong> or <strong>Change to personal</strong>.</li>
|
<li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <b>Keep at work</b> or <b>Change to personal</b>.</li>
|
||||||
<li>Click <strong>Keep at work</strong>.<br>The content isn't dropped into the non-enterprise app.</li>
|
<li>Click <b>Keep at work</b>.<br>The content isn't dropped into the non-enterprise app.</li>
|
||||||
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to drop the content again.<br>The content is dropped into the non-enterprise app.</li>
|
<li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to drop the content again.<br>The content is dropped into the non-enterprise app.</li>
|
||||||
<li>Try dragging and dropping content between apps on your allowed apps list.<br>The content should move between the apps without any warning messages.</li>
|
<li>Try dragging and dropping content between apps on your allowed apps list.<br>The content should move between the apps without any warning messages.</li>
|
||||||
</ol>
|
</ol>
|
||||||
</td>
|
</td>
|
||||||
@ -100,9 +100,9 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<td>Share between enterprise apps and non-enterprise apps.</td>
|
<td>Share between enterprise apps and non-enterprise apps.</td>
|
||||||
<td>
|
<td>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<br>You should see a WIP-related warning box, asking you to click either <strong>Keep at work</strong> or <strong>Change to personal</strong>.</li>
|
<li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<br>You should see a WIP-related warning box, asking you to click either <b>Keep at work</b> or <b>Change to personal</b>.</li>
|
||||||
<li>Click <strong>Keep at work</strong>.<br>The content isn't shared into Facebook.</li>
|
<li>Click <b>Keep at work</b>.<br>The content isn't shared into Facebook.</li>
|
||||||
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to share the content again.<br>The content is shared into Facebook.</li>
|
<li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to share the content again.<br>The content is shared into Facebook.</li>
|
||||||
<li>Try sharing content between apps on your allowed apps list.<br>The content should share between the apps without any warning messages.</li>
|
<li>Try sharing content between apps on your allowed apps list.<br>The content should share between the apps without any warning messages.</li>
|
||||||
</ol>
|
</ol>
|
||||||
</td>
|
</td>
|
||||||
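Review bot: "The content isn't shared into Facebook" and "The content is shared into Facebook" in steps 2 and 3 should read "with Facebook"; the other scenarios in this patch use "into" for pasting and dropping, where it fits, but sharing is with a target app.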
@ -112,8 +112,8 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<td>
|
<td>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
|
<li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
|
||||||
<li>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</li>
|
<li>Open File Explorer and make sure your modified files are appearing with a <b>Lock</b> icon.</li>
|
||||||
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</li>
|
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><b>Note</b><br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</li>
|
||||||
</ol>
|
</ol>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
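Review bot: the sentence under the Note in step 3 has a stray comma: "Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data" should drop the comma before "should". The hand-rolled callout itself (`<b>Note</b><br>`) is acceptable here because the Markdown alert syntax cannot be used inside an HTML `<li>`, but it does mean this Note will not get the callout styling the rest of the docs use, so consider moving it to a paragraph after the table if the styling matters.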
@ -130,7 +130,7 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<td>Verify your shared files can use WIP.</td>
|
<td>Verify your shared files can use WIP.</td>
|
||||||
<td>
|
<td>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Download a file from a protected file share, making sure the file is encrypted by locating the <strong>Briefcase</strong> icon next to the file name.</li>
|
<li>Download a file from a protected file share, making sure the file is encrypted by locating the <b>Briefcase</b> icon next to the file name.</li>
|
||||||
<li>Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.</li>
|
<li>Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.</li>
|
||||||
<li>Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.<br>The app shouldn't be able to access the file share.</li>
|
<li>Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.<br>The app shouldn't be able to access the file share.</li>
|
||||||
</ol>
|
</ol>
|
||||||
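Review bot: step 1 calls the encrypted-file indicator a Briefcase icon, while step 2 of the preceding scenario calls it a Lock icon; one of the two is wrong and should be corrected so testers know what to look for. Step 2 here also says "Again, this should work without any warnings" although step 1 never states that the download should be warning-free; either add the expected result to step 1 (for example "The download should complete without warnings.") or drop "Again".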
@ -142,7 +142,7 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<ol>
|
<ol>
|
||||||
<li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.</li>
|
<li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.</li>
|
||||||
<li>Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.</li>
|
<li>Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.</li>
|
||||||
<li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn't be able to access the sites.<br><br><strong>Note</strong><br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as <strong>Work</strong>.</li>
|
<li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn't be able to access the sites.<br><br><b>Note</b><br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as <b>Work</b>.</li>
|
||||||
</ol>
|
</ol>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
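Review bot: step 3 says "allowed app list" while every other step in this file says "allowed apps list"; pick one term. The Note attached to step 3, about files downloaded from a WIP-enabled cloud resource being marked as Work, is unrelated to removing IE11 from the list and would read better under step 2, where the WIP-enabled resource is actually accessed.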
@ -150,7 +150,7 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<td>Verify your Virtual Private Network (VPN) can be auto-triggered.</td>
|
<td>Verify your Virtual Private Network (VPN) can be auto-triggered.</td>
|
||||||
<td>
|
<td>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Set up your VPN network to start based on the <strong>WIPModeID</strong> setting.<br>For specific info about how to do this, see the <a href="create-vpn-and-wip-policy-using-intune-azure.md" data-raw-source="[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md)">Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune</a> topic.</li>
|
<li>Set up your VPN network to start based on the <b>WIPModeID</b> setting.<br>For specific info about how to do this, see the <a href="create-vpn-and-wip-policy-using-intune-azure.md" data-raw-source="[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md)">Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune</a> topic.</li>
|
||||||
<li>Start an app from your allowed apps list.<br>The VPN network should automatically start.</li>
|
<li>Start an app from your allowed apps list.<br>The VPN network should automatically start.</li>
|
||||||
<li>Disconnect from your network and then start an app that isn't on your allowed apps list.<br>The VPN shouldn't start and the app shouldn't be able to access your enterprise network.</li>
|
<li>Disconnect from your network and then start an app that isn't on your allowed apps list.<br>The VPN shouldn't start and the app shouldn't be able to access your enterprise network.</li>
|
||||||
</ol>
|
</ol>
|
||||||
@ -160,7 +160,7 @@ You can try any of the processes included in these scenarios, but you should foc
|
|||||||
<td>Unenroll client devices from WIP.</td>
|
<td>Unenroll client devices from WIP.</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Unenroll a device from WIP by going to <strong>Settings</strong>, click <strong>Accounts</strong>, click <strong>Work</strong>, click the name of the device you want to unenroll, and then click <strong>Remove</strong>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br><strong>Important</strong><br>On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as <strong>Revoked</strong> and that access is denied for the employee. On mobile devices, the data is removed.</li>
|
<li>Unenroll a device from WIP by going to <b>Settings</b>, click <b>Accounts</b>, click <b>Work</b>, click the name of the device you want to unenroll, and then click <b>Remove</b>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br><b>Important</b><br>On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as <b>Revoked</b> and that access is denied for the employee. On mobile devices, the data is removed.</li>
|
||||||
</ul>
|
</ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
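Review bot: the expected result contradicts the Important callout that follows it. The step says "all of the enterprise content for that managed account should be gone", then the callout says that on desktop devices the data isn't removed and can be recovered. Suggest qualifying the expected result, for example "On mobile devices the enterprise content should be gone; on desktop devices it remains on disk and must show as Revoked", so the tester knows which outcome is correct per device type. The navigation would also be clearer as a path (Settings > Accounts > Work) than as the current run-on series of "click" clauses.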
@ -157,7 +157,7 @@ This event generates on the computer to which the logon was performed (target co
|
|||||||
|
|
||||||
- “dadmin” – claim value.
|
- “dadmin” – claim value.
|
||||||
|
|
||||||
**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value<strong>.</strong> For computer accounts this field has device claims listed.
|
**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value<b>.</b> For computer accounts this field has device claims listed.
|
||||||
|
|
||||||
## Security Monitoring Recommendations
|
## Security Monitoring Recommendations
|
||||||
|
|
||||||
|
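Review bot: converting `<strong>.</strong>` to `<b>.</b>` preserves a formatting artifact rather than fixing it: a bolded period is invisible to readers and only mixes HTML bold into a Markdown sentence. Drop the wrapper and write `value.` directly. The same line also uses two opening curly quotes around the dash (`“**-**“`); the second should be a closing quote `”`.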
@ -274,5 +274,5 @@ For file system and registry objects, the following recommendations apply.
|
|||||||
|
|
||||||
- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
|
- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
|
||||||
|
|
||||||
- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers<strong>.</strong> For example, you could monitor the **ntds.dit** file on domain controllers.
|
- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers<b>.</b> For example, you could monitor the **ntds.dit** file on domain controllers.
|
||||||
|
|
||||||
|
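Review bot: same artifact as in the 4624 file: `computers<b>.</b>` keeps a meaningless bold period and should simply be `computers.` Since this commit touches every `<strong>` occurrence anyway, a follow-up pass that deletes these bold-period wrappers outright would be cheaper than carrying them forward as `<b>`.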
@ -22,7 +22,7 @@ ms.author: dansimp
|
|||||||
|
|
||||||
<img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" />
|
<img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" />
|
||||||
</br>
|
</br>
|
||||||
<strong><em>Subcategory:</em></strong> <a href="audit-special-logon.md" data-raw-source="[Audit Special Logon](audit-special-logon.md)">Audit Special Logon</a>
|
<b><em>Subcategory:</em></b> <a href="audit-special-logon.md" data-raw-source="[Audit Special Logon](audit-special-logon.md)">Audit Special Logon</a>
|
||||||
|
|
||||||
***Event Description:***
|
***Event Description:***
|
||||||
|
|
||||||
|
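Review bot: `</br>` on the context line above the changed label is not a valid HTML tag (there is no closing form of `br`); it should be `<br>` or `<br />`. The label itself is also inconsistent with its neighbour: Subcategory uses `<b><em>...</em></b>` while Event Description a few lines later uses Markdown `***Event Description:***`. The Markdown form works for Subcategory too (`***Subcategory:*** [Audit Special Logon](audit-special-logon.md)`), so consider using it for both rather than keeping HTML for one label.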
@ -135,40 +135,40 @@ Failure event generates when service call attempt fails.
|
|||||||
|
|
||||||
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|
||||||
|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeChangeNotifyPrivilege: <br></strong>Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
|
| Audit Non Sensitive Privilege Use | <b>SeChangeNotifyPrivilege: <br></b>Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeCreateGlobalPrivilege: <br></strong>Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
|
| Audit Non Sensitive Privilege Use | <b>SeCreateGlobalPrivilege: <br></b>Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeCreatePagefilePrivilege: <br></strong>Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
|
| Audit Non Sensitive Privilege Use | <b>SeCreatePagefilePrivilege: <br></b>Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeCreatePermanentPrivilege: <br></strong>Create permanent shared objects | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
|
| Audit Non Sensitive Privilege Use | <b>SeCreatePermanentPrivilege: <br></b>Create permanent shared objects | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeCreateSymbolicLinkPrivilege: <br></strong>Create symbolic links | Required to create a symbolic link. |
|
| Audit Non Sensitive Privilege Use | <b>SeCreateSymbolicLinkPrivilege: <br></b>Create symbolic links | Required to create a symbolic link. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeIncreaseBasePriorityPrivilege: <br></strong>Increase scheduling priority | Required to increase the base priority of a process. <br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
|
| Audit Non Sensitive Privilege Use | <b>SeIncreaseBasePriorityPrivilege: <br></b>Increase scheduling priority | Required to increase the base priority of a process. <br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeIncreaseQuotaPrivilege: <br></strong>Adjust memory quotas for a process | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process. |
|
| Audit Non Sensitive Privilege Use | <b>SeIncreaseQuotaPrivilege: <br></b>Adjust memory quotas for a process | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeIncreaseWorkingSetPrivilege: <br></strong>Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
|
| Audit Non Sensitive Privilege Use | <b>SeIncreaseWorkingSetPrivilege: <br></b>Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeLockMemoryPrivilege: <br></strong>Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
|
| Audit Non Sensitive Privilege Use | <b>SeLockMemoryPrivilege: <br></b>Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeMachineAccountPrivilege: <br></strong>Add workstations to domain | With this privilege, the user can create a computer account. <br>This privilege is valid only on domain controllers. |
|
| Audit Non Sensitive Privilege Use | <b>SeMachineAccountPrivilege: <br></b>Add workstations to domain | With this privilege, the user can create a computer account. <br>This privilege is valid only on domain controllers. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeManageVolumePrivilege: <br></strong>Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
|
| Audit Non Sensitive Privilege Use | <b>SeManageVolumePrivilege: <br></b>Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeProfileSingleProcessPrivilege: <br></strong>Profile single process | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
|
| Audit Non Sensitive Privilege Use | <b>SeProfileSingleProcessPrivilege: <br></b>Profile single process | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeRelabelPrivilege: <br></strong>Modify an object label | Required to modify the mandatory integrity level of an object. |
|
| Audit Non Sensitive Privilege Use | <b>SeRelabelPrivilege: <br></b>Modify an object label | Required to modify the mandatory integrity level of an object. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeRemoteShutdownPrivilege: <br></strong>Force shutdown from a remote system | Required to shut down a system using a network request. |
|
| Audit Non Sensitive Privilege Use | <b>SeRemoteShutdownPrivilege: <br></b>Force shutdown from a remote system | Required to shut down a system using a network request. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeShutdownPrivilege: <br></strong>Shut down the system | Required to shut down a local system. |
|
| Audit Non Sensitive Privilege Use | <b>SeShutdownPrivilege: <br></b>Shut down the system | Required to shut down a local system. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeSyncAgentPrivilege: <br></strong>Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
|
| Audit Non Sensitive Privilege Use | <b>SeSyncAgentPrivilege: <br></b>Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeSystemProfilePrivilege: <br></strong>Profile system performance | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
|
| Audit Non Sensitive Privilege Use | <b>SeSystemProfilePrivilege: <br></b>Profile system performance | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeSystemtimePrivilege: <br></strong>Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. <br>If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
|
| Audit Non Sensitive Privilege Use | <b>SeSystemtimePrivilege: <br></b>Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. <br>If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeTimeZonePrivilege: <br></strong>Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
|
| Audit Non Sensitive Privilege Use | <b>SeTimeZonePrivilege: <br></b>Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeTrustedCredManAccessPrivilege: <br></strong>Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
|
| Audit Non Sensitive Privilege Use | <b>SeTrustedCredManAccessPrivilege: <br></b>Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeUndockPrivilege: <br></strong>Remove computer from docking station | Required to undock a laptop. <br>With this privilege, the user can undock a portable computer from its docking station without logging on. |
|
| Audit Non Sensitive Privilege Use | <b>SeUndockPrivilege: <br></b>Remove computer from docking station | Required to undock a laptop. <br>With this privilege, the user can undock a portable computer from its docking station without logging on. |
|
||||||
|
|
||||||
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|
||||||
|-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| Audit Sensitive Privilege Use | <strong>SeAssignPrimaryTokenPrivilege: <br></strong>Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
|
| Audit Sensitive Privilege Use | <b>SeAssignPrimaryTokenPrivilege: <br></b>Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeAuditPrivilege: <br></strong>Generate security audits | With this privilege, the user can add entries to the security log. |
|
| Audit Sensitive Privilege Use | <b>SeAuditPrivilege: <br></b>Generate security audits | With this privilege, the user can add entries to the security log. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeCreateTokenPrivilege: <br></strong>Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
|
| Audit Sensitive Privilege Use | <b>SeCreateTokenPrivilege: <br></b>Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeDebugPrivilege: <br></strong>Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
|
| Audit Sensitive Privilege Use | <b>SeDebugPrivilege: <br></b>Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeImpersonatePrivilege: <br></strong>Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
|
| Audit Sensitive Privilege Use | <b>SeImpersonatePrivilege: <br></b>Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeLoadDriverPrivilege: <br></strong>Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
|
| Audit Sensitive Privilege Use | <b>SeLoadDriverPrivilege: <br></b>Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeLockMemoryPrivilege: <br></strong>Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
|
| Audit Sensitive Privilege Use | <b>SeLockMemoryPrivilege: <br></b>Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeSystemEnvironmentPrivilege: <br></strong>Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
|
| Audit Sensitive Privilege Use | <b>SeSystemEnvironmentPrivilege: <br></b>Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeTcbPrivilege: <br></strong>Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
|
| Audit Sensitive Privilege Use | <b>SeTcbPrivilege: <br></b>Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeEnableDelegationPrivilege: <br></strong>Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
|
| Audit Sensitive Privilege Use | <b>SeEnableDelegationPrivilege: <br></b>Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
|
||||||
|
|
||||||
## Security Monitoring Recommendations
|
## Security Monitoring Recommendations
|
||||||
|
|
||||||
|
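Review bot: in the SeEnableDelegationPrivilege row of this hunk the bold markers split the setting name mid-word, `**Trusted for Deleg**ation`, and the mechanical tag swap leaves that defect in place; the bold should cover the whole name, `**Trusted for Delegation**`. On the rows that are changed, the closing `</b>` is placed after the `<br>` (`<b>SeTcbPrivilege: <br></b>`), so the line break sits inside the bold span; `<b>SeTcbPrivilege:</b><br>` renders the same and keeps the break outside the emphasis.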
@ -157,42 +157,42 @@ Failure event generates when operation attempt fails.
|
|||||||
|
|
||||||
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|
||||||
|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeChangeNotifyPrivilege: <br></strong>Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
|
| Audit Non Sensitive Privilege Use | <b>SeChangeNotifyPrivilege: <br></b>Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeCreateGlobalPrivilege: <br></strong>Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
|
| Audit Non Sensitive Privilege Use | <b>SeCreateGlobalPrivilege: <br></b>Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeCreatePagefilePrivilege: <br></strong>Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
|
| Audit Non Sensitive Privilege Use | <b>SeCreatePagefilePrivilege: <br></b>Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeCreatePermanentPrivilege: <br></strong>Create permanent shared objects | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
|
| Audit Non Sensitive Privilege Use | <b>SeCreatePermanentPrivilege: <br></b>Create permanent shared objects | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeCreateSymbolicLinkPrivilege: <br></strong>Create symbolic links | Required to create a symbolic link. |
|
| Audit Non Sensitive Privilege Use | <b>SeCreateSymbolicLinkPrivilege: <br></b>Create symbolic links | Required to create a symbolic link. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeIncreaseBasePriorityPrivilege: <br></strong>Increase scheduling priority | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
|
| Audit Non Sensitive Privilege Use | <b>SeIncreaseBasePriorityPrivilege: <br></b>Increase scheduling priority | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeIncreaseQuotaPrivilege: <br></strong>Adjust memory quotas for a process | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process. |
|
| Audit Non Sensitive Privilege Use | <b>SeIncreaseQuotaPrivilege: <br></b>Adjust memory quotas for a process | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeIncreaseWorkingSetPrivilege: <br></strong>Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
|
| Audit Non Sensitive Privilege Use | <b>SeIncreaseWorkingSetPrivilege: <br></b>Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeLockMemoryPrivilege: <br></strong>Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
|
| Audit Non Sensitive Privilege Use | <b>SeLockMemoryPrivilege: <br></b>Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeMachineAccountPrivilege: <br></strong>Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
|
| Audit Non Sensitive Privilege Use | <b>SeMachineAccountPrivilege: <br></b>Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeManageVolumePrivilege: <br></strong>Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
|
| Audit Non Sensitive Privilege Use | <b>SeManageVolumePrivilege: <br></b>Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeProfileSingleProcessPrivilege: <br></strong>Profile single process | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
|
| Audit Non Sensitive Privilege Use | <b>SeProfileSingleProcessPrivilege: <br></b>Profile single process | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeRelabelPrivilege: <br></strong>Modify an object label | Required to modify the mandatory integrity level of an object. |
|
| Audit Non Sensitive Privilege Use | <b>SeRelabelPrivilege: <br></b>Modify an object label | Required to modify the mandatory integrity level of an object. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeRemoteShutdownPrivilege: <br></strong>Force shutdown from a remote system | Required to shut down a system using a network request. |
|
| Audit Non Sensitive Privilege Use | <b>SeRemoteShutdownPrivilege: <br></b>Force shutdown from a remote system | Required to shut down a system using a network request. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeShutdownPrivilege: <br></strong>Shut down the system | Required to shut down a local system. |
|
| Audit Non Sensitive Privilege Use | <b>SeShutdownPrivilege: <br></b>Shut down the system | Required to shut down a local system. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeSyncAgentPrivilege: <br></strong>Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
|
| Audit Non Sensitive Privilege Use | <b>SeSyncAgentPrivilege: <br></b>Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeSystemProfilePrivilege: <br></strong>Profile system performance | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
|
| Audit Non Sensitive Privilege Use | <b>SeSystemProfilePrivilege: <br></b>Profile system performance | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeSystemtimePrivilege: <br></strong>Change the system time | Required to modify the system time. <br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
|
| Audit Non Sensitive Privilege Use | <b>SeSystemtimePrivilege: <br></b>Change the system time | Required to modify the system time. <br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeTimeZonePrivilege: <br></strong>Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
|
| Audit Non Sensitive Privilege Use | <b>SeTimeZonePrivilege: <br></b>Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeTrustedCredManAccessPrivilege: <br></strong>Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
|
| Audit Non Sensitive Privilege Use | <b>SeTrustedCredManAccessPrivilege: <br></b>Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
|
||||||
| Audit Non Sensitive Privilege Use | <strong>SeUndockPrivilege: <br></strong>Remove computer from docking station | Required to undock a laptop. <br>With this privilege, the user can undock a portable computer from its docking station without logging on. |
|
| Audit Non Sensitive Privilege Use | <b>SeUndockPrivilege: <br></b>Remove computer from docking station | Required to undock a laptop. <br>With this privilege, the user can undock a portable computer from its docking station without logging on. |
|
||||||
|
|
||||||
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|
||||||
|-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| Audit Sensitive Privilege Use | <strong>SeAssignPrimaryTokenPrivilege: <br></strong>Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
|
| Audit Sensitive Privilege Use | <b>SeAssignPrimaryTokenPrivilege: <br></b>Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeAuditPrivilege: <br></strong>Generate security audits | With this privilege, the user can add entries to the security log. |
|
| Audit Sensitive Privilege Use | <b>SeAuditPrivilege: <br></b>Generate security audits | With this privilege, the user can add entries to the security log. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeBackupPrivilege: <br></strong>Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. <br>The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
|
| Audit Sensitive Privilege Use | <b>SeBackupPrivilege: <br></b>Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. <br>The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeCreateTokenPrivilege: <br></strong>Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. <br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
|
| Audit Sensitive Privilege Use | <b>SeCreateTokenPrivilege: <br></b>Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. <br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeDebugPrivilege: <br></strong>Debug programs | Required to debug and adjust the memory of a process owned by another account. <br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. <br>This user right provides complete access to sensitive and critical operating system components. |
|
| Audit Sensitive Privilege Use | <b>SeDebugPrivilege: <br></b>Debug programs | Required to debug and adjust the memory of a process owned by another account. <br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. <br>This user right provides complete access to sensitive and critical operating system components. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeImpersonatePrivilege: <br></strong>Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
|
| Audit Sensitive Privilege Use | <b>SeImpersonatePrivilege: <br></b>Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeLoadDriverPrivilege: <br></strong>Load and unload device drivers | Required to load or unload a device driver. <br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
|
| Audit Sensitive Privilege Use | <b>SeLoadDriverPrivilege: <br></b>Load and unload device drivers | Required to load or unload a device driver. <br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeLockMemoryPrivilege: <br></strong>Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
|
| Audit Sensitive Privilege Use | <b>SeLockMemoryPrivilege: <br></b>Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeRestorePrivilege: <br></strong>Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
|
| Audit Sensitive Privilege Use | <b>SeRestorePrivilege: <br></b>Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeSecurityPrivilege: <br></strong>Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log. <br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
|
| Audit Sensitive Privilege Use | <b>SeSecurityPrivilege: <br></b>Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log. <br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeSystemEnvironmentPrivilege: <br></strong>Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
|
| Audit Sensitive Privilege Use | <b>SeSystemEnvironmentPrivilege: <br></b>Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
|
||||||
| Audit Sensitive Privilege Use | <strong>SeTakeOwnershipPrivilege: <br></strong>Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. <br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
|
| Audit Sensitive Privilege Use | <b>SeTakeOwnershipPrivilege: <br></b>Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. <br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
|
||||||
|
|
||||||
## Security Monitoring Recommendations
|
## Security Monitoring Recommendations
|
||||||
|
|
||||||
|
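Review bot: the SeBackupPrivilege description cell in this hunk starts with a stray list marker, `- Required to perform backup operations.`, which renders as a literal dash inside the table; drop the `- ` so the row matches the others. Two smaller fixes while these rows are being touched: `in to kernel mode` in the SeLoadDriverPrivilege row should read `into kernel mode`, and the closing `</b>` is consistently placed after `<br>` (`<b>SeDebugPrivilege: <br></b>`), putting the line break inside the bold span; `<b>SeDebugPrivilege:</b><br>` is the cleaner form.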
@ -206,9 +206,9 @@ For 4688(S): A new process has been created.
|
|||||||
|
|
||||||
- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**.
|
- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**.
|
||||||
|
|
||||||
- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol<strong>.</strong> Typically this means that UAC is disabled for this account for some reason.
|
- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol<b>.</b> Typically this means that UAC is disabled for this account for some reason.
|
||||||
|
|
||||||
- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol<strong>.</strong> This means that a user ran a program using administrative privileges.
|
- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol<b>.</b> This means that a user ran a program using administrative privileges.
|
||||||
|
|
||||||
- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs.
|
- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs.
|
||||||
|
|
||||||
|
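Review bot: the last two bullets of this hunk label value 2 as `TokenElevationTypeDefault (2)`, but in the Windows TOKEN_ELEVATION_TYPE enumeration value 1 is TokenElevationTypeDefault and value 2 is TokenElevationTypeFull, which is also what these bullets describe (a program run with administrative privileges); both should read `TokenElevationTypeFull (2)`. In the two changed bullets the tags wrap only the sentence-ending period, `$ symbol<b>.</b>`; rather than swapping `<strong>` for `<b>` there, drop the tags and keep a plain `.`.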
@ -242,7 +242,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
|
|||||||
|
|
||||||
- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“.
|
- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“.
|
||||||
|
|
||||||
- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation<strong>:</strong>
|
- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation<b>:</b>
|
||||||
|
|
||||||
HOST/Win81.contoso.local
|
HOST/Win81.contoso.local
|
||||||
|
|
||||||
|
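Review bot: the changed line wraps only a colon in tags, `workstation<b>:</b>`; drop the tags instead of swapping them, since bold punctuation is conversion residue rather than intended emphasis. The same bullet has `it is typically equals “**-**“`, which should read `it typically equals “**-**”` (the closing quote is currently a second opening quote mark), and `for new domain joined workstation` needs an article: `for a new domain-joined workstation`.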
@ -243,7 +243,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
|
|||||||
|
|
||||||
- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here.
|
- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here.
|
||||||
|
|
||||||
Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots<strong>:</strong>
|
Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots<b>:</b>
|
||||||
|
|
||||||
HOST/Win81.contoso.local
|
HOST/Win81.contoso.local
|
||||||
|
|
||||||
|
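Review bot: Same pattern as the 4741 hunk: `reboots<b>:</b>` should simply be `reboots:`. One sentence is worth adding to the unchanged `Service Principal Names` description: because the field carries the complete new list rather than the delta (`you will see the new list instead of changes`), anyone building a detection on SPN changes has to compare it against the previously seen value of `servicePrincipalName` to learn what was added or removed.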
@ -285,5 +285,5 @@ For 4907(S): Auditing settings on object were changed.
|
|||||||
|
|
||||||
- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**.
|
- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**.
|
||||||
|
|
||||||
- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers<strong>.</strong>
|
- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers<b>.</b>
|
||||||
|
|
||||||
|
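Review bot: The context bullet above the changed line has mismatched markdown emphasis, `“**Object\\Object Name”**`, with the closing `**` placed after the closing quote; since this block is being edited anyway, correct it to `“**Object\\Object Name**”`. The changed line itself still ends in `computers<b>.</b>`, a bold full stop that no reader can distinguish from a plain one; a bare `.` is enough.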
@ -145,7 +145,7 @@ For 5140(S, F): A network share object was accessed.
|
|||||||
|
|
||||||
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
||||||
|
|
||||||
- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event<strong>.</strong> For example, you could monitor share **C$** on domain controllers.
|
- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event<b>.</b> For example, you could monitor share **C$** on domain controllers.
|
||||||
|
|
||||||
- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range.
|
- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range.
|
||||||
|
|
||||||
|
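Review bot: This file is markdown and the changed line already uses `**Share Name**` for emphasis, so replacing `<strong>` with `<b>` keeps raw HTML in the source instead of removing the localization problem; the period in `event<b>.</b>` needs no emphasis at all, so the clean fix is `monitor this event.`. The two bullets are otherwise the right detection advice for 5140 (watch `C$` on domain controllers and any `Source Address` outside the internal range) and should stay as they are.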
@ -104,7 +104,7 @@ For 5142(S): A network share object was added.
|
|||||||
|
|
||||||
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
||||||
|
|
||||||
- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event<strong>.</strong> For example, you could monitor domain controllers.
|
- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event<b>.</b> For example, you could monitor domain controllers.
|
||||||
|
|
||||||
- We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information.
|
- We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information.
|
||||||
|
|
||||||
|
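Review bot: `event<b>.</b>` in the first bullet should become plain `event.`, consistent with the other audit pages. In the unchanged second bullet, `high value information` is inconsistent with `high-value computers` in the bullet above; hyphenate it while the file is touched.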
@ -259,5 +259,5 @@ For 5143(S): A network share object was modified.
|
|||||||
|
|
||||||
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
||||||
|
|
||||||
- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event<strong>.</strong> For example, you could monitor all changes to the SYSVOL share on domain controllers.
|
- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event<b>.</b> For example, you could monitor all changes to the SYSVOL share on domain controllers.
|
||||||
|
|
||||||
|
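Review bot: Only the bold full stop in `monitor this event<b>.</b>` changes here; as with the other 51xx pages, remove the tag rather than rename it, leaving `monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers.`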
@ -106,5 +106,5 @@ For 5144(S): A network share object was deleted.
|
|||||||
|
|
||||||
- If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.**
|
- If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.**
|
||||||
|
|
||||||
- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers<strong>.</strong> For example, you could monitor file shares on domain controllers.
|
- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers<b>.</b> For example, you could monitor file shares on domain controllers.
|
||||||
|
|
||||||
|
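Review bot: The context bullet `“**Share Information\\Share Name”.**` has the closing `**` after both the quote and the period, so the bold spans punctuation; correct it to `“**Share Information\\Share Name**”.`. The changed bullet keeps `computers<b>.</b>`, which should be `computers.`.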
@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
|
|||||||
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
||||||
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
||||||
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
|
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
|
||||||
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
|
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><b>Important:</b><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
|
||||||
|
|
||||||
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
|
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
|
||||||
|
|
||||||
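Review bot: Both the `Systems download` link in the UEFI Secure Boot row and the `Filter driver download` link in the HVCI row point at the same `https://go.microsoft.com/fwlink/?linkid=2027110`; two differently labelled downloads resolving to one fwlink id looks like a copy-paste error and should be verified. The `<b>Important:</b>` swap inside the blockquote of the operating-system row is fine, but `boot kits and root kits` in the Secure Boot row should be `bootkits and rootkits`.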
@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a
|
|||||||
|
|
||||||
| Protections for Improved Security | Description | Security benefits |
|
| Protections for Improved Security | Description | Security benefits |
|
||||||
|---------------------------------------------|----------------------------------------------------|------|
|
|---------------------------------------------|----------------------------------------------------|------|
|
||||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><b>Notes:</b><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||||
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
||||||
|
|
||||||
|
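Review bot: Two defects sit on the changed NX-protection line and should be fixed while it is open: `non-volitile` is a typo for `non-volatile`, and `(not required for in non-volitile storage)` has an extra word. In the SMM row below, the first benefit bullet is two sentences run together, `Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS`; it should read like the NX row's bullet, `Vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS`.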
File diff suppressed because it is too large
@ -63,6 +63,6 @@ It is also important to keep the following in mind:
|
|||||||
|
|
||||||
Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
|
Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
|
||||||
|
|
||||||
<strong>www.microsoft.com/reportascam</strong>
|
<b>www.microsoft.com/reportascam</b>
|
||||||
|
|
||||||
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
|
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
|
||||||
|
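Review bot: `<b>www.microsoft.com/reportascam</b>` is a bare address rendered in bold; since the paragraph asks readers to report scams there, make it a link, `[www.microsoft.com/reportascam](https://www.microsoft.com/reportascam)`, which also removes the HTML tag entirely. In the following unchanged line, `built in web browser functionality` should be `built-in`.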
@ -103,8 +103,8 @@ The following steps assume that you have completed all the required steps in [Be
|
|||||||
For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.</td>
|
For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<td>Events URL</td>
|
<td>Events URL</td>
|
||||||
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> <strong>For EU</strong>: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME <br>
|
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> <b>For EU</b>: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME <br>
|
||||||
</br><strong>For US:</strong> https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME <br> <br> <strong>For UK</strong>: https://<i></i>wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
|
</br><b>For US:</b> https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME <br> <br> <b>For UK</b>: https://<i></i>wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Authentication Type</td>
|
<td>Authentication Type</td>
|
||||||
<td>OAuth 2</td>
|
<td>OAuth 2</td>
|
||||||
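Review bot: The three region labels are punctuated inconsistently after the swap: `<b>For EU</b>:` and `<b>For UK</b>:` put the colon outside the tag while `<b>For US:</b>` puts it inside; pick one form. The cell also mixes `</br>` (not a valid tag, tolerated by browsers as `<br>`) with `<br>`, and inserts an empty `<i></i>` inside each `https://` URL to defeat auto-linking; `<br>` throughout and a `<code>`-wrapped URL would be cleaner. Separately, the `Events URL` cell follows `</tr>` with no opening `<tr>`, while a `<tr>` appears after the URL cell, so the row tag is misplaced.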
@ -113,7 +113,7 @@ The following steps assume that you have completed all the required steps in [Be
|
|||||||
<td>Browse to the location of the <em>wdatp-connector.properties</em> file. The name must match the file provided in the .zip that you downloaded.</td>
|
<td>Browse to the location of the <em>wdatp-connector.properties</em> file. The name must match the file provided in the .zip that you downloaded.</td>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Refresh Token</td>
|
<td>Refresh Token</td>
|
||||||
<td>You can obtain a refresh token in two ways: by generating a refresh token from the <strong>SIEM settings</strong> page or using the restutil tool. <br><br> For more information on generating a refresh token from the <strong>Preferences setup</strong> , see <a href="enable-siem-integration.md" data-raw-source="[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)">Enable SIEM integration in Microsoft Defender ATP</a>. </br> </br><strong>Get your refresh token using the restutil tool:</strong> </br> a. Open a command prompt. Navigate to C:\<em>folder_location</em>\current\bin where <em>folder_location</em> represents the location where you installed the tool. </br></br> b. Type: <code>arcsight restutil token -config</code> from the bin directory.For example: <strong>arcsight restutil boxtoken -proxy proxy.location.hp.com:8080</strong> A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the <strong>Refresh Token</strong> field.
|
<td>You can obtain a refresh token in two ways: by generating a refresh token from the <b>SIEM settings</b> page or using the restutil tool. <br><br> For more information on generating a refresh token from the <b>Preferences setup</b> , see <a href="enable-siem-integration.md" data-raw-source="[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)">Enable SIEM integration in Microsoft Defender ATP</a>. </br> </br><b>Get your refresh token using the restutil tool:</b> </br> a. Open a command prompt. Navigate to C:\<em>folder_location</em>\current\bin where <em>folder_location</em> represents the location where you installed the tool. </br></br> b. Type: <code>arcsight restutil token -config</code> from the bin directory.For example: <b>arcsight restutil boxtoken -proxy proxy.location.hp.com:8080</b> A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the <b>Refresh Token</b> field.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tr>
|
</tr>
|
||||||
|
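Review bot: In step b of the changed cell the example does not match the command it illustrates: the text says to type `arcsight restutil token -config`, but the example is `arcsight restutil boxtoken -proxy proxy.location.hp.com:8080`, with the first in `<code>` and the second in `<b>`; use `<code>` for both and make the example an instance of the documented command. Also `directory.For example` is missing a space, the `Browse to the location` cell is followed directly by `<tr>` with no `</tr>` closing its row, and the hunk ends with two consecutive `</tr>` after a single `</td>`, so one of those closing tags belongs after that earlier cell.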
@ -108,15 +108,15 @@ See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 device
|
|||||||
<tr>
|
<tr>
|
||||||
<td>8</td>
|
<td>8</td>
|
||||||
<td>Microsoft Defender Advanced Threat Protection service failed to clean its configuration. Failure code: <code>variable</code>.</td>
|
<td>Microsoft Defender Advanced Threat Protection service failed to clean its configuration. Failure code: <code>variable</code>.</td>
|
||||||
<td><strong>During onboarding:</strong> The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> <strong>During offboarding:</strong> The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
|
<td><b>During onboarding:</b> The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> <b>During offboarding:</b> The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
|
||||||
</td>
|
</td>
|
||||||
<td><strong>Onboarding:</strong> No action required. <br><br> <strong>Offboarding:</strong> Reboot the system.<br>
|
<td><b>Onboarding:</b> No action required. <br><br> <b>Offboarding:</b> Reboot the system.<br>
|
||||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>9</td>
|
<td>9</td>
|
||||||
<td>Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: <code>variable</code>.</td>
|
<td>Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: <code>variable</code>.</td>
|
||||||
<td><strong>During onboarding:</strong> The device did not onboard correctly and will not be reporting to the portal. <br><br><strong>During offboarding:</strong> Failed to change the service start type. The offboarding process continues. </td>
|
<td><b>During onboarding:</b> The device did not onboard correctly and will not be reporting to the portal. <br><br><b>During offboarding:</b> Failed to change the service start type. The offboarding process continues. </td>
|
||||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
@ -33,29 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
|
|||||||
<th align="left">Description</th>
|
<th align="left">Description</th>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>
|
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>
|
||||||
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen</td>
|
<td><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p><b>Windows 10, Version 1607 and earlier:</b><br>Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen</td>
|
||||||
<td>At least Windows Server 2012, Windows 8 or Windows RT</td>
|
<td>At least Windows Server 2012, Windows 8 or Windows RT</td>
|
||||||
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
|
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
|
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
|
||||||
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
|
<td><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
|
||||||
<td><strong>Windows 10, version 1703</td>
|
<td><b>Windows 10, version 1703</td>
|
||||||
<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.</br></br>This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.</p><p><strong>Important:</strong> Using a trustworthy browser helps ensure that these protections work as expected.</p></td>
|
<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.</br></br>This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.</p><p><b>Important:</b> Using a trustworthy browser helps ensure that these protections work as expected.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
|
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><b>Windows 10, Version 1607 and earlier:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
|
||||||
<td>Microsoft Edge on Windows 10 or later</td>
|
<td>Microsoft Edge on Windows 10 or later</td>
|
||||||
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
|
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files</td>
|
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><b>Windows 10, Version 1511 and 1607:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files</td>
|
||||||
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
|
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
|
||||||
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.</td>
|
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites</td>
|
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><b>Windows 10, Version 1511 and 1607:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites</td>
|
||||||
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
|
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
|
||||||
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.</td>
|
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.</td>
|
||||||
</tr>
|
</tr>
|
||||||
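Review bot: the `<b>` opened on the "Windows 10, version 1703" cell is never closed, so the bold now runs into the following cells exactly as the unclosed `<strong>` did before; since this hunk touches that line anyway, close it: `<td><b>Windows 10, version 1703</b></td>`. In the same row, the description cell uses `</br></br>` (invalid; use `<br><br>`) and closes a `</p>` that was never opened before the `<p><b>Important:</b>` paragraph, so the cell markup should be normalised while the tag swap is being made.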
@ -90,11 +90,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
|
|||||||
<td>Windows 10</td>
|
<td>Windows 10</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li><strong>URI full path.</strong> ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen</li>
|
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen</li>
|
||||||
<li><strong>Data type.</strong> Integer</li>
|
<li><b>Data type.</b> Integer</li>
|
||||||
<li><strong>Allowed values:</strong><ul>
|
<li><b>Allowed values:</b><ul>
|
||||||
<li><strong>0 .</strong> Turns off Microsoft Defender SmartScreen in Edge.</li>
|
<li><b>0 .</b> Turns off Microsoft Defender SmartScreen in Edge.</li>
|
||||||
<li><strong>1.</strong> Turns on Microsoft Defender SmartScreen in Edge.</li></ul></li></ul>
|
<li><b>1.</b> Turns on Microsoft Defender SmartScreen in Edge.</li></ul></li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
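Review bot: the allowed-value label `<b>0 .</b>` carries a stray space before the period, while `<b>1.</b>` does not; since every MDM row in this change (AllowSmartScreen, EnableAppInstallControl, EnableSmartScreenInShell, PreventOverrideForFilesInShell, PreventSmartscreenPromptOverride, PreventSmartScreenPromptOverrideForFiles) is rewritten here, make them all `<b>0.</b>` in the same pass.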
@ -102,11 +102,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
|
|||||||
<td>Windows 10, version 1703</td>
|
<td>Windows 10, version 1703</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li><strong>URI full path.</strong> ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl</li>
|
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl</li>
|
||||||
<li><strong>Data type.</strong> Integer</li>
|
<li><b>Data type.</b> Integer</li>
|
||||||
<li><strong>Allowed values:</strong><ul>
|
<li><b>Allowed values:</b><ul>
|
||||||
<li><strong>0 .</strong> Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.</li>
|
<li><b>0 .</b> Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.</li>
|
||||||
<li><strong>1.</strong> Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.</li></ul></li></ul>
|
<li><b>1.</b> Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.</li></ul></li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@ -114,11 +114,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
|
|||||||
<td>Windows 10, version 1703</td>
|
<td>Windows 10, version 1703</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li><strong>URI full path.</strong> ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell</li>
|
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell</li>
|
||||||
<li><strong>Data type.</strong> Integer</li>
|
<li><b>Data type.</b> Integer</li>
|
||||||
<li><strong>Allowed values:</strong><ul>
|
<li><b>Allowed values:</b><ul>
|
||||||
<li><strong>0 .</strong> Turns off Microsoft Defender SmartScreen in Windows for app and file execution.</li>
|
<li><b>0 .</b> Turns off Microsoft Defender SmartScreen in Windows for app and file execution.</li>
|
||||||
<li><strong>1.</strong> Turns on Microsoft Defender SmartScreen in Windows for app and file execution.</li></ul></li></ul>
|
<li><b>1.</b> Turns on Microsoft Defender SmartScreen in Windows for app and file execution.</li></ul></li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@ -126,11 +126,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
|
|||||||
<td>Windows 10, version 1703</td>
|
<td>Windows 10, version 1703</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li><strong>URI full path.</strong> ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell</li>
|
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell</li>
|
||||||
<li><strong>Data type.</strong> Integer</li>
|
<li><b>Data type.</b> Integer</li>
|
||||||
<li><strong>Allowed values:</strong><ul>
|
<li><b>Allowed values:</b><ul>
|
||||||
<li><strong>0 .</strong> Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.</li>
|
<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.</li>
|
||||||
<li><strong>1.</strong> Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.</li></ul></li></ul>
|
<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.</li></ul></li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@ -138,11 +138,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
|
|||||||
<td>Windows 10, Version 1511 and later</td>
|
<td>Windows 10, Version 1511 and later</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li><strong>URI full path.</strong> ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride</li>
|
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride</li>
|
||||||
<li><strong>Data type.</strong> Integer</li>
|
<li><b>Data type.</b> Integer</li>
|
||||||
<li><strong>Allowed values:</strong><ul>
|
<li><b>Allowed values:</b><ul>
|
||||||
<li><strong>0 .</strong> Employees can ignore Microsoft Defender SmartScreen warnings.</li>
|
<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings.</li>
|
||||||
<li><strong>1.</strong> Employees can't ignore Microsoft Defender SmartScreen warnings.</li></ul></li></ul>
|
<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings.</li></ul></li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
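Review bot: the URI in this row is `./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride` (lowercase "screen"), but the recommended-settings table later in this commit lists the same node as `Browser/PreventSmartScreenPromptOverride`; CSP node names should be spelled one way throughout the document, so align the casing here with the other table (and with the sibling `PreventSmartScreenPromptOverrideForFiles` in the next hunk).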
@ -150,11 +150,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
|
|||||||
<td>Windows 10, Version 1511 and later</td>
|
<td>Windows 10, Version 1511 and later</td>
|
||||||
<td>
|
<td>
|
||||||
<ul>
|
<ul>
|
||||||
<li><strong>URI full path.</strong> ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles</li>
|
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles</li>
|
||||||
<li><strong>Data type.</strong> Integer</li>
|
<li><b>Data type.</b> Integer</li>
|
||||||
<li><strong>Allowed values:</strong><ul>
|
<li><b>Allowed values:</b><ul>
|
||||||
<li><strong>0 .</strong> Employees can ignore Microsoft Defender SmartScreen warnings for files.</li>
|
<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings for files.</li>
|
||||||
<li><strong>1.</strong> Employees can't ignore Microsoft Defender SmartScreen warnings for files.</li></ul></li></ul>
|
<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings for files.</li></ul></li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
@ -170,19 +170,19 @@ To better help you protect your organization, we recommend turning on and using
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen</td>
|
<td>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen</td>
|
||||||
<td><strong>Enable.</strong> Turns on Microsoft Defender SmartScreen.</td>
|
<td><b>Enable.</b> Turns on Microsoft Defender SmartScreen.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites</td>
|
<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites</td>
|
||||||
<td><strong>Enable.</strong> Stops employees from ignoring warning messages and continuing to a potentially malicious website.</td>
|
<td><b>Enable.</b> Stops employees from ignoring warning messages and continuing to a potentially malicious website.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files</td>
|
<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files</td>
|
||||||
<td><strong>Enable.</strong> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
|
<td><b>Enable.</b> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen</td>
|
<td>Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen</td>
|
||||||
<td><strong>Enable with the Warn and prevent bypass option.</strong> Stops employees from ignoring warning messages about malicious files downloaded from the Internet.</td>
|
<td><b>Enable with the Warn and prevent bypass option.</b> Stops employees from ignoring warning messages about malicious files downloaded from the Internet.</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
<p>
|
<p>
|
||||||
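Review bot: the Group Policy paths in this recommended-settings table (`Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen` and the two "Prevent bypassing" entries) match neither variant given in the policy table above: for version 1703 and 2004 that table puts these settings under `Windows Components\Windows Defender SmartScreen\Microsoft Edge\...`, and for 1607 and earlier the policy is named "Configure Windows SmartScreen" without "Defender". Since the rows are being edited, state which version's path is meant or list both as the earlier table does.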
@ -193,23 +193,23 @@ To better help you protect your organization, we recommend turning on and using
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Browser/AllowSmartScreen</td>
|
<td>Browser/AllowSmartScreen</td>
|
||||||
<td><strong>1.</strong> Turns on Microsoft Defender SmartScreen.</td>
|
<td><b>1.</b> Turns on Microsoft Defender SmartScreen.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Browser/PreventSmartScreenPromptOverride</td>
|
<td>Browser/PreventSmartScreenPromptOverride</td>
|
||||||
<td><strong>1.</strong> Stops employees from ignoring warning messages and continuing to a potentially malicious website.</td>
|
<td><b>1.</b> Stops employees from ignoring warning messages and continuing to a potentially malicious website.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Browser/PreventSmartScreenPromptOverrideForFiles</td>
|
<td>Browser/PreventSmartScreenPromptOverrideForFiles</td>
|
||||||
<td><strong>1.</strong> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
|
<td><b>1.</b> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>SmartScreen/EnableSmartScreenInShell</td>
|
<td>SmartScreen/EnableSmartScreenInShell</td>
|
||||||
<td><strong>1.</strong> Turns on Microsoft Defender SmartScreen in Windows.<p>Requires at least Windows 10, version 1703.</td>
|
<td><b>1.</b> Turns on Microsoft Defender SmartScreen in Windows.<p>Requires at least Windows 10, version 1703.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>SmartScreen/PreventOverrideForFilesInShell</td>
|
<td>SmartScreen/PreventOverrideForFilesInShell</td>
|
||||||
<td><strong>1.</strong> Stops employees from ignoring warning messages about malicious files downloaded from the Internet.<p>Requires at least Windows 10, version 1703.</td>
|
<td><b>1.</b> Stops employees from ignoring warning messages about malicious files downloaded from the Internet.<p>Requires at least Windows 10, version 1703.</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features.
|
|||||||
<table>
|
<table>
|
||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
<th><strong>Specific EMET features</strong></th>
|
<th><b>Specific EMET features</b></th>
|
||||||
<th><strong>How these EMET features map<br />
|
<th><b>How these EMET features map<br />
|
||||||
to Windows 10 features</strong></th>
|
to Windows 10 features</b></th>
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
|
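Review bot: the `<b>` wrappers inside `<th>Specific EMET features</th>` and `<th>How these EMET features map ... to Windows 10 features</th>` are redundant, since table header cells already render bold; rather than swapping `<strong>` for `<b>` here, drop the inline tags from both header cells.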
@ -351,7 +351,7 @@ The following table details the hardware requirements for both virtualization-ba
|
|||||||
<td align="left"><p>Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled</p></td>
|
<td align="left"><p>Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled</p></td>
|
||||||
<td align="left"><p>Required to support virtualization-based security.</p>
|
<td align="left"><p>Required to support virtualization-based security.</p>
|
||||||
<div class="alert">
|
<div class="alert">
|
||||||
<strong>Note</strong><br/><p>Device Guard can be enabled without using virtualization-based security.</p>
|
<b>Note</b><br/><p>Device Guard can be enabled without using virtualization-based security.</p>
|
||||||
</div>
|
</div>
|
||||||
<div>
|
<div>
|
||||||
|
|
||||||
@ -533,7 +533,7 @@ If the TPM ownership is not known but the EK exists, the client library will pro
|
|||||||
|
|
||||||
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
|
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
|
||||||
|
|
||||||
> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: <strong>https://\*.microsoftaik.azure.net</strong>
|
> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: <b>https://\*.microsoftaik.azure.net</b>
|
||||||
|
|
||||||
### Windows 10 Health Attestation CSP
|
### Windows 10 Health Attestation CSP
|
||||||
|
|
||||||
|
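Review bot: this line is markdown (it already uses `> **Note:**`), so mixing in an HTML `<b>...</b>` around the URL is inconsistent and keeps the backslash escape `https://\*.microsoftaik.azure.net` visible to anyone reading the source; prefer the markdown form, either `**https://\*.microsoftaik.azure.net**` or, clearer for a URL pattern, a code span `` `https://*.microsoftaik.azure.net` ``, which needs no escaping.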
@ -59,12 +59,12 @@ You can perform this task by using the Group Policy Management Console for an Ap
|
|||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Use an installed packaged app as a reference</strong></p></td>
|
<td align="left"><p><b>Use an installed packaged app as a reference</b></p></td>
|
||||||
<td align="left"><p>If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.</p></td>
|
<td align="left"><p>If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.</p></td>
|
||||||
<td align="left"><p>You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.</p></td>
|
<td align="left"><p>You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Use a packaged app installer as a reference</strong></p></td>
|
<td align="left"><p><b>Use a packaged app installer as a reference</b></p></td>
|
||||||
<td align="left"><p>If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.</p></td>
|
<td align="left"><p>If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.</p></td>
|
||||||
<td align="left"><p>Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.</p></td>
|
<td align="left"><p>Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
@ -87,30 +87,30 @@ You can perform this task by using the Group Policy Management Console for an Ap
|
|||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Applies to <strong>Any publisher</strong></p></td>
|
<td align="left"><p>Applies to <b>Any publisher</b></p></td>
|
||||||
<td align="left"><p>This is the least restrictive scope condition for an <strong>Allow</strong> rule. It permits every packaged app to run or install.</p>
|
<td align="left"><p>This is the least restrictive scope condition for an <b>Allow</b> rule. It permits every packaged app to run or install.</p>
|
||||||
<p>Conversely, if this is a <strong>Deny</strong> rule, then this option is the most restrictive because it denies all apps from installing or running.</p></td>
|
<p>Conversely, if this is a <b>Deny</b> rule, then this option is the most restrictive because it denies all apps from installing or running.</p></td>
|
||||||
<td align="left"><p>You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.</p></td>
|
<td align="left"><p>You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>Applies to a specific <strong>Publisher</strong></p></td>
|
<td align="left"><p>Applies to a specific <b>Publisher</b></p></td>
|
||||||
<td align="left"><p>This scopes the rule to all apps published by a particular publisher.</p></td>
|
<td align="left"><p>This scopes the rule to all apps published by a particular publisher.</p></td>
|
||||||
<td align="left"><p>You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.</p></td>
|
<td align="left"><p>You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Applies to a <strong>Package name</strong></p></td>
|
<td align="left"><p>Applies to a <b>Package name</b></p></td>
|
||||||
<td align="left"><p>This scopes the rule to all packages that share the publisher name and package name as the reference file.</p></td>
|
<td align="left"><p>This scopes the rule to all packages that share the publisher name and package name as the reference file.</p></td>
|
||||||
<td align="left"><p>You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.</p></td>
|
<td align="left"><p>You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>Applies to a <strong>Package version</strong></p></td>
|
<td align="left"><p>Applies to a <b>Package version</b></p></td>
|
||||||
<td align="left"><p>This scopes the rule to a particular version of the package.</p></td>
|
<td align="left"><p>This scopes the rule to a particular version of the package.</p></td>
|
||||||
<td align="left"><p>You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.</p></td>
|
<td align="left"><p>You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Applying custom values to the rule</p></td>
|
<td align="left"><p>Applying custom values to the rule</p></td>
|
||||||
<td align="left"><p>Selecting the <strong>Use custom values</strong> check box allows you to adjust the scope fields for your particular circumstance.</p></td>
|
<td align="left"><p>Selecting the <b>Use custom values</b> check box allows you to adjust the scope fields for your particular circumstance.</p></td>
|
||||||
<td align="left"><p>You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the <strong>Use custom values</strong> check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.</p></td>
|
<td align="left"><p>You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the <b>Use custom values</b> check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
@ -99,9 +99,9 @@ The following table provides an example of how to list applications for each bus
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
><strong>Note:</strong> AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
|
><b>Note:</b> AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
|
||||||
|
|
||||||
<strong>Event processing</strong>
|
<b>Event processing</b>
|
||||||
|
|
||||||
As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record:
|
As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record:
|
||||||
|
|
||||||
|
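Review bot: `<b>Event processing</b>` on a line of its own is serving as a section heading in a markdown file, and `><b>Note:</b>` opens a blockquote with an HTML tag where the rest of the document uses `> **Note:**`; the same pattern recurs in the later hunks of this commit ("Policy maintenance policy", "Event processing policy", "Application control function differences"). Rather than changing `<strong>` to `<b>`, convert these to markdown, a `###` heading for the section titles (the file already uses `###` headings) and `**Note:**` for the callout, which also removes the localization problem the commit is trying to fix.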
@ -277,7 +277,7 @@ The following table is an example of what to consider and record.
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<strong>Policy maintenance policy</strong>
|
<b>Policy maintenance policy</b>
|
||||||
When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
|
When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
|
||||||
The following table is an example of what to consider and record.
|
The following table is an example of what to consider and record.
|
||||||
<table>
|
<table>
|
||||||
|
@ -131,7 +131,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<strong>Event processing policy</strong>
|
<b>Event processing policy</b>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
@ -169,7 +169,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<strong>Policy maintenance policy</strong>
|
<b>Policy maintenance policy</b>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
|
@ -119,7 +119,7 @@ If your organization supports multiple Windows operating systems, app control po
|
|||||||
</ul></td>
|
</ul></td>
|
||||||
<td align="left"><p>AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>.</p>
|
<td align="left"><p>AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>.</p>
|
||||||
<div class="alert">
|
<div class="alert">
|
||||||
<strong>Note</strong><br/><p>If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.</p>
|
<b>Note</b><br/><p>If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.</p>
|
||||||
</div>
|
</div>
|
||||||
<div>
|
<div>
|
||||||
|
|
||||||
|
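Review bot: the note text in this hunk, "those privileges are not supported on computers running that support AppLocker", is ungrammatical on both the old and the new side ("computers running that support"). Since the line is already being edited for the <b> swap, fix the wording at the same time, for example "on computers that support AppLocker", so the localization pass does not carry the broken sentence into every language.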
@ -119,7 +119,7 @@ The following table compares AppLocker to Software Restriction Policies.
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<strong>Application control function differences</strong>
|
<b>Application control function differences</b>
|
||||||
|
|
||||||
The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker.
|
The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker.
|
||||||
<table>
|
<table>
|
||||||
@ -141,7 +141,7 @@ The following table compares the application control functions of Software Restr
|
|||||||
<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
|
<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
|
||||||
<td align="left"><p>AppLocker policies apply only to those supported operating system versions and editions listed in <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>. But these systems can also use SRP.</p>
|
<td align="left"><p>AppLocker policies apply only to those supported operating system versions and editions listed in <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>. But these systems can also use SRP.</p>
|
||||||
<div class="alert">
|
<div class="alert">
|
||||||
<strong>Note</strong><br/><p>Use different GPOs for SRP and AppLocker rules.</p>
|
<b>Note</b><br/><p>Use different GPOs for SRP and AppLocker rules.</p>
|
||||||
</div>
|
</div>
|
||||||
<div>
|
<div>
|
||||||
|
|
||||||
|
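Review bot: the alert in this hunk, "Use different GPOs for SRP and AppLocker rules.", states a rule without the reason; the cell above it says only that AppLocker-capable systems "can also use SRP", so the reader is left to guess why the two rule sets must live in separate GPOs. Add a short clause giving the reason while the line is being touched.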