mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
fixing spacing issues
@ -2,98 +2,106 @@
|
|||||||
title: Take ownership of files or other objects (Windows 10)
|
title: Take ownership of files or other objects (Windows 10)
|
||||||
description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting.
|
description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting.
|
||||||
ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d
|
ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: brianlic-msft
|
author: brianlic-msft
|
||||||
---
|
---
|
||||||
|
|
||||||
# Take ownership of files or other objects
|
# Take ownership of files or other objects
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
Describes the best practices, location, values, policy management, and security considerations for the **Take ownership of files or other objects** security policy setting.
|
Describes the best practices, location, values, policy management, and security considerations for the **Take ownership of files or other objects** security policy setting.
|
||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
|
This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
|
||||||
|
|
||||||
Every object has an owner, whether the object resides in an NTFS volume or Active Directory database. The owner controls how permissions are set on the object and to whom permissions are granted.
|
Every object has an owner, whether the object resides in an NTFS volume or Active Directory database. The owner controls how permissions are set on the object and to whom permissions are granted.
|
||||||
|
|
||||||
By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object.
|
By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object.
|
||||||
|
|
||||||
Constant: SeTakeOwnershipPrivilege
|
Constant: SeTakeOwnershipPrivilege
|
||||||
|
|
||||||
### Possible values
|
### Possible values
|
||||||
|
|
||||||
- User-defined list of accounts
|
- User-defined list of accounts
|
||||||
- Not defined
|
- Not defined
|
||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
- Assigning this user right can be a security risk. Because owners of objects have full control of them, only assign this user right to trusted users.
|
- Assigning this user right can be a security risk. Because owners of objects have full control of them, only assign this user right to trusted users.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
|
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
|
||||||
|
|
||||||
### Default values
|
### Default values
|
||||||
|
|
||||||
By default this setting is Administrators on domain controllers and on stand-alone servers.
|
By default this setting is Administrators on domain controllers and on stand-alone servers.
|
||||||
|
|
||||||
The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
|
The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
|
||||||
<table>
|
|
||||||
<colgroup>
|
| Server type or GPO | Default value |
|
||||||
<col width="50%" />
|
| - | - |
|
||||||
<col width="50%" />
|
| Default Domain Policy| Not defined|
|
||||||
</colgroup>
|
| Default Domain Controller Policy | Administrators|
|
||||||
<thead>
|
| Stand-Alone Server Default Settings | Administrators|
|
||||||
<tr class="header">
|
| Domain Controller Effective Default Settings | Administrators|
|
||||||
<th align="left">Server type or GPO</th>
|
| Member Server Effective Default Settings | Administrators|
|
||||||
<th align="left">Default value</th>
|
| Client Computer Effective Default Settings | Administrators|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>Default Domain Policy</p></td>
|
|
||||||
<td align="left"><p>Not defined</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>Default Domain Controller Policy</p></td>
|
|
||||||
<td align="left"><p>Administrators</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
|
|
||||||
<td align="left"><p>Administrators</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
|
|
||||||
<td align="left"><p>Administrators</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>Member Server Effective Default Settings</p></td>
|
|
||||||
<td align="left"><p>Administrators</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>Client Computer Effective Default Settings</p></td>
|
|
||||||
<td align="left"><p>Administrators</p></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
## Policy management
|
## Policy management
|
||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the device is not required for this policy setting to be effective.
|
A restart of the device is not required for this policy setting to be effective.
|
||||||
|
|
||||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||||
|
|
||||||
Ownership can be taken by:
|
Ownership can be taken by:
|
||||||
|
|
||||||
- An administrator. By default, the Administrators group is given the **Take ownership of files or other objects** user right.
|
- An administrator. By default, the Administrators group is given the **Take ownership of files or other objects** user right.
|
||||||
- Anyone or any group who has the **Take ownership** user right on the object.
|
- Anyone or any group who has the **Take ownership** user right on the object.
|
||||||
- A user who has the **Restore files and directories** user right.
|
- A user who has the **Restore files and directories** user right.
|
||||||
|
|
||||||
Ownership can be transferred in the following ways:
|
Ownership can be transferred in the following ways:
|
||||||
|
|
||||||
- The current owner can grant the **Take ownership** user right to another user if that user is a member of a group defined in the current owner's access token. The user must take ownership to complete the transfer.
|
- The current owner can grant the **Take ownership** user right to another user if that user is a member of a group defined in the current owner's access token. The user must take ownership to complete the transfer.
|
||||||
- An administrator can take ownership.
|
- An administrator can take ownership.
|
||||||
- A user who has the **Restore files and directories** user right can double-click **Other users and groups** and choose any user or group to assign ownership to.
|
- A user who has the **Restore files and directories** user right can double-click **Other users and groups** and choose any user or group to assign ownership to.
|
||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
|
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
|
||||||
|
|
||||||
1. Local policy settings
|
1. Local policy settings
|
||||||
2. Site policy settings
|
2. Site policy settings
|
||||||
3. Domain policy settings
|
3. Domain policy settings
|
||||||
4. OU policy settings
|
4. OU policy settings
|
||||||
|
|
||||||
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
|
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
|
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
|
||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a denial-of-service condition.
|
|
||||||
|
Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a
|
||||||
|
denial-of-service condition.
|
||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
Ensure that only the local Administrators group has the **Take ownership of files or other objects** user right.
|
Ensure that only the local Administrators group has the **Take ownership of files or other objects** user right.
|
||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
None. Restricting the **Take ownership of files or other objects** user right to the local Administrators group is the default configuration.
|
None. Restricting the **Take ownership of files or other objects** user right to the local Administrators group is the default configuration.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
[User Rights Assignment](user-rights-assignment.md)
|
|
||||||
|
- [User Rights Assignment](user-rights-assignment.md)
|
||||||
|
|
||||||
|
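Review bot: the new side of the Vulnerability paragraph is split mid-sentence: "corruption of data, or a" now ends one paragraph and "denial-of-service condition." starts the next, separated by a blank line, so Markdown will render a broken sentence; for a commit whose purpose is fixing spacing, that split should be reverted and the sentence kept on one line. Secondary point in the same unchanged paragraph: the bold span `**Take ownership of files or other objects user right**` swallows "user right", whereas the rest of the page (Countermeasure, Potential impact) bolds only the setting name and leaves "user right" outside the bold; moving the closing `**` before "user right" makes it consistent. The HTML-to-Markdown table conversion and the bulleted Related topics entry look correct.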
@ -2,28 +2,42 @@
|
|||||||
title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10)
|
title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10)
|
||||||
description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
|
description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
|
||||||
ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a
|
ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: brianlic-msft
|
author: brianlic-msft
|
||||||
---
|
---
|
||||||
|
|
||||||
# Test an AppLocker policy by using Test-AppLockerPolicy
|
# Test an AppLocker policy by using Test-AppLockerPolicy
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
|
This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
|
||||||
|
|
||||||
The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collections will be blocked on your reference computer or the computer on which you maintain policies. Perform the following steps on any computer where the AppLocker policies are applied.
|
The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collections will be blocked on your reference computer or the computer on which you maintain policies. Perform the following steps on any computer where the AppLocker policies are applied.
|
||||||
|
|
||||||
Any user account can be used to complete this procedure.
|
Any user account can be used to complete this procedure.
|
||||||
|
|
||||||
**To test an AppLocker policy by using Test-AppLockerPolicy**
|
**To test an AppLocker policy by using Test-AppLockerPolicy**
|
||||||
|
|
||||||
1. Export the effective AppLocker policy. To do this, you must use the **Get-AppLockerPolicy** Windows PowerShell cmdlet.
|
1. Export the effective AppLocker policy. To do this, you must use the **Get-AppLockerPolicy** Windows PowerShell cmdlet.
|
||||||
|
|
||||||
1. Open a Windows PowerShell command prompt window as an administrator.
|
1. Open a Windows PowerShell command prompt window as an administrator.
|
||||||
2. Use the **Get-AppLockerPolicy** cmdlet to export the effective AppLocker policy to an XML file:
|
2. Use the **Get-AppLockerPolicy** cmdlet to export the effective AppLocker policy to an XML file:
|
||||||
|
|
||||||
`Get-AppLockerPolicy –Effective –XML > <PathofFiletoExport.XML>`
|
`Get-AppLockerPolicy –Effective –XML > <PathofFiletoExport.XML>`
|
||||||
|
|
||||||
2. Use the **Get-ChildItem** cmdlet to specify the directory that you want to test, specify the **Test-AppLockerPolicy** cmdlet with the XML file from the previous step to test the policy, and use the **Export-CSV** cmdlet to export the results to a file to be analyzed:
|
2. Use the **Get-ChildItem** cmdlet to specify the directory that you want to test, specify the **Test-AppLockerPolicy** cmdlet with the XML file from the previous step to test the policy, and use the **Export-CSV** cmdlet to export the results to a file to be analyzed:
|
||||||
|
|
||||||
`Get-ChildItem <DirectoryPathtoReview> -Filter <FileExtensionFilter> -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy <PathToExportedPolicyFile> -User <domain\username> -Filter <TypeofRuletoFilterFor> | Export-CSV <PathToExportResultsTo.CSV>`
|
`Get-ChildItem <DirectoryPathtoReview> -Filter <FileExtensionFilter> -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy <PathToExportedPolicyFile> -User <domain\username> -Filter <TypeofRuletoFilterFor> | Export-CSV <PathToExportResultsTo.CSV>`
|
||||||
|
|
||||||
The following shows example input for **Test-AppLockerPolicy**:
|
The following shows example input for **Test-AppLockerPolicy**:
|
||||||
`PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml`
|
|
||||||
`PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv`
|
```syntax
|
||||||
|
PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml
|
||||||
|
PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv
|
||||||
|
```
|
||||||
|
|
||||||
In the example, the effective AppLocker policy is exported to the file C:\\Effective.xml. The **Get-ChildItem** cmdlet is used to recursively gather path names for the .exe files in C:\\Program Files\\Microsoft Office\\. The XMLPolicy parameter specifies that the C:\\Effective.xml file is an XML AppLocker policy file. By specifying the User parameter, you can test the rules for specific users, and the **Export-CSV** cmdlet allows the results to be exported to a comma-separated file. In the example, `-FilterDenied,DeniedByDefault` displays only those files that will be blocked for the user under the policy.
|
In the example, the effective AppLocker policy is exported to the file C:\\Effective.xml. The **Get-ChildItem** cmdlet is used to recursively gather path names for the .exe files in C:\\Program Files\\Microsoft Office\\. The XMLPolicy parameter specifies that the C:\\Effective.xml file is an XML AppLocker policy file. By specifying the User parameter, you can test the rules for specific users, and the **Export-CSV** cmdlet allows the results to be exported to a comma-separated file. In the example, `-FilterDenied,DeniedByDefault` displays only those files that will be blocked for the user under the policy.
|
||||||
|
|
||||||
|
|
||||||
|
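Review bot: in the new ```syntax block the two prompts read `PS C:\ ` without the closing `>`, so they render as a path fragment rather than the `PS C:\>` prompt the reader expects; either add the `>` or drop the prompt entirely so the lines can be copied as-is. In the same block the dash characters are mixed: `–Effective`, `–XML`, `–XMLPolicy`, `–User`, `–Filter` use an en dash while `-filter` and `-Recurse` use an ASCII hyphen, and `–filter` also differs in case from the `-Filter` used in the generic command above; plain hyphens and one spelling throughout avoid confusion for anyone retyping the command. Also, in the unchanged explanatory paragraph below the block, `-FilterDenied,DeniedByDefault` is missing the space between the parameter and its value (`-Filter Denied,DeniedByDefault`), which is exactly the kind of spacing issue this commit could fix while touching the file.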
@ -2,37 +2,61 @@
|
|||||||
title: Test and update an AppLocker policy (Windows 10)
|
title: Test and update an AppLocker policy (Windows 10)
|
||||||
description: This topic discusses the steps required to test an AppLocker policy prior to deployment.
|
description: This topic discusses the steps required to test an AppLocker policy prior to deployment.
|
||||||
ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1
|
ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: brianlic-msft
|
author: brianlic-msft
|
||||||
---
|
---
|
||||||
|
|
||||||
# Test and update an AppLocker policy
|
# Test and update an AppLocker policy
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
This topic discusses the steps required to test an AppLocker policy prior to deployment.
|
This topic discusses the steps required to test an AppLocker policy prior to deployment.
|
||||||
|
|
||||||
You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.
|
You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.
|
||||||
|
|
||||||
## Step 1: Enable the Audit only enforcement setting
|
## Step 1: Enable the Audit only enforcement setting
|
||||||
|
|
||||||
By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
|
By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
|
||||||
|
|
||||||
## Step 2: Configure the Application Identity service to start automatically
|
## Step 2: Configure the Application Identity service to start automatically
|
||||||
|
|
||||||
Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied.
|
Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied.
|
||||||
|
|
||||||
## Step 3: Test the policy
|
## Step 3: Test the policy
|
||||||
|
|
||||||
Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy.
|
Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy.
|
||||||
|
|
||||||
The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
|
The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
|
||||||
|
|
||||||
## Step 4: Analyze AppLocker events
|
## Step 4: Analyze AppLocker events
|
||||||
You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis.
|
You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis.
|
||||||
|
|
||||||
**To manually analyze AppLocker events**
|
**To manually analyze AppLocker events**
|
||||||
|
|
||||||
You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md).
|
You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md).
|
||||||
|
|
||||||
**To analyze AppLocker events by using Get-AppLockerFileInformation**
|
**To analyze AppLocker events by using Get-AppLockerFileInformation**
|
||||||
|
|
||||||
You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem.
|
You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem.
|
||||||
|
|
||||||
For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
|
For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
|
||||||
|
|
||||||
After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names.
|
After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names.
|
||||||
|
|
||||||
## Step 5: Modify the AppLocker policy
|
## Step 5: Modify the AppLocker policy
|
||||||
|
|
||||||
After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md).
|
After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md).
|
||||||
|
|
||||||
## Step 6: Repeat policy testing, analysis, and policy modification
|
## Step 6: Repeat policy testing, analysis, and policy modification
|
||||||
|
|
||||||
Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement.
|
Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement.
|
||||||
|
|
||||||
## Additional resources
|
## Additional resources
|
||||||
|
|
||||||
- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
|
- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
|
||||||
|
|
||||||
|
|
||||||
|
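Review bot: the only substantive change in this hunk is moving `ms.pagetype: security` below `ms.sitesec`, which matches the other files in the commit; two unchanged context lines carry small wording defects that a pass over this file could pick up: Step 3 reads "present on all client PC that are configured", which should be "client PCs", and Step 5 reads "For info how to modify an AppLocker policy, see, [Edit an AppLocker policy]", which has a stray comma after "see" and is missing "about" after "info".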
@ -2,33 +2,52 @@
|
|||||||
title: Tools to use with AppLocker (Windows 10)
|
title: Tools to use with AppLocker (Windows 10)
|
||||||
description: This topic for the IT professional describes the tools available to create and administer AppLocker policies.
|
description: This topic for the IT professional describes the tools available to create and administer AppLocker policies.
|
||||||
ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1
|
ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: brianlic-msft
|
author: brianlic-msft
|
||||||
---
|
---
|
||||||
|
|
||||||
# Tools to use with AppLocker
|
# Tools to use with AppLocker
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
This topic for the IT professional describes the tools available to create and administer AppLocker policies.
|
This topic for the IT professional describes the tools available to create and administer AppLocker policies.
|
||||||
|
|
||||||
The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
|
The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
|
||||||
|
|
||||||
- **AppLocker Local Security Policy MMC snap-in**
|
- **AppLocker Local Security Policy MMC snap-in**
|
||||||
|
|
||||||
The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md).
|
The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md).
|
||||||
|
|
||||||
- **Generate Default Rules tool**
|
- **Generate Default Rules tool**
|
||||||
|
|
||||||
AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md).
|
AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md).
|
||||||
|
|
||||||
- **Automatically Generate AppLocker Rules wizard**
|
- **Automatically Generate AppLocker Rules wizard**
|
||||||
|
|
||||||
By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md).
|
By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md).
|
||||||
|
|
||||||
- **Group Policy**
|
- **Group Policy**
|
||||||
|
|
||||||
You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC).
|
You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC).
|
||||||
|
|
||||||
If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack.
|
If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack.
|
||||||
|
|
||||||
- **Remote Server Administration Tools (RSAT)**
|
- **Remote Server Administration Tools (RSAT)**
|
||||||
|
|
||||||
You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies.
|
You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies.
|
||||||
|
|
||||||
- **Event Viewer**
|
- **Event Viewer**
|
||||||
|
|
||||||
The AppLocker log contains information about applications that are affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
|
The AppLocker log contains information about applications that are affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
|
||||||
|
|
||||||
- **AppLocker PowerShell cmdlets**
|
- **AppLocker PowerShell cmdlets**
|
||||||
|
|
||||||
The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx).
|
The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx).
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
[AppLocker technical reference](applocker-technical-reference.md)
|
|
||||||
|
- [AppLocker technical reference](applocker-technical-reference.md)
|
||||||
|
|
||||||
|
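Review bot: promoting the bare `[AppLocker technical reference](applocker-technical-reference.md)` link under "Related topics" to a `- ` list item is the right fix and matches how the other tool entries in this file are bulleted; while touching this file, the `[AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx)` link in the unchanged "AppLocker PowerShell cmdlets" line still points at plain `http://` and should be switched to `https://` so the reference resolves over a protected channel.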
@ -2,23 +2,34 @@
|
|||||||
title: TPM fundamentals (Windows 10)
|
title: TPM fundamentals (Windows 10)
|
||||||
description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
|
description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
|
||||||
ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000
|
ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: brianlic-msft
|
author: brianlic-msft
|
||||||
---
|
---
|
||||||
|
|
||||||
# TPM fundamentals
|
# TPM fundamentals
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
|
This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
|
||||||
|
|
||||||
A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus.
|
A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus.
|
||||||
|
|
||||||
Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.
|
Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.
|
||||||
|
|
||||||
You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
|
You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
|
||||||
|
|
||||||
Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
|
Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
|
||||||
|
|
||||||
With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on the operating system, and it is not exposed to vulnerabilities that might exist in the operating system or application software.
|
With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on the operating system, and it is not exposed to vulnerabilities that might exist in the operating system or application software.
|
||||||
|
|
||||||
For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module).
|
For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module).
|
||||||
|
|
||||||
The following sections provide an overview of the technologies that support the TPM:
|
The following sections provide an overview of the technologies that support the TPM:
|
||||||
|
|
||||||
- [TPM-based Virtual Smart Card](#bkmk-vsc)
|
- [TPM-based Virtual Smart Card](#bkmk-vsc)
|
||||||
- [Measured Boot with support for attestation](#bkmk-measuredboot)
|
- [Measured Boot with support for attestation](#bkmk-measuredboot)
|
||||||
- [Automated provisioning and management of the TPM](#bkmk-autoprov)
|
- [Automated provisioning and management of the TPM](#bkmk-autoprov)
|
||||||
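Review bot: the only content change in this hunk is moving `ms.pagetype: security` from above `ms.prod: W10` to below `ms.sitesec: library`, which does not affect the rendered page and is not a "spacing" fix as the commit message states, so either mention the front-matter reorder in the message or leave the key where it was. The header `@ -2,23 +2,34 @@` shows the block growing by 11 lines that are all blank-line insertions between the title, "Applies to", and the paragraphs; confirm each is a single blank line, since Markdown collapses repeated blank lines and extra ones only add noise to future diffs.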
@ -32,156 +43,157 @@ The following sections provide an overview of the technologies that support the
|
|||||||
- [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates)
|
- [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates)
|
||||||
- [How do I check the state of my TPM?](#bkmk-checkstate)
|
- [How do I check the state of my TPM?](#bkmk-checkstate)
|
||||||
- [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm)
|
- [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm)
|
||||||
|
|
||||||
The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings:
|
The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings:
|
||||||
[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md)
|
[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md)
|
||||||
|
|
||||||
## <a href="" id="bkmk-autoprov"></a>Automated provisioning and management of the TPM
|
## <a href="" id="bkmk-autoprov"></a>Automated provisioning and management of the TPM
|
||||||
|
|
||||||
TPM provisioning can be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE).
|
TPM provisioning can be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE).
|
||||||
|
|
||||||
A number of management settings have been added for easier management and configuration of the TPM through Group Policy. The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
|
A number of management settings have been added for easier management and configuration of the TPM through Group Policy. The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
|
||||||
|
|
||||||
## <a href="" id="bkmk-measuredboot"></a>Measured Boot with support for attestation
|
## <a href="" id="bkmk-measuredboot"></a>Measured Boot with support for attestation
|
||||||
|
|
||||||
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
|
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
|
||||||
|
|
||||||
## <a href="" id="bkmk-vsc"></a>TPM-based Virtual Smart Card
|
## <a href="" id="bkmk-vsc"></a>TPM-based Virtual Smart Card
|
||||||
The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
|
|
||||||
|
The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a
|
||||||
|
Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
|
||||||
|
|
||||||
## <a href="" id="bkmk-tpmcs"></a>TPM-based certificate storage
|
## <a href="" id="bkmk-tpmcs"></a>TPM-based certificate storage
|
||||||
|
|
||||||
The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx).
|
The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx).
|
||||||
|
|
||||||
## <a href="" id="bkmk-authvalue"></a>TPM Owner Authorization Value
|
## <a href="" id="bkmk-authvalue"></a>TPM Owner Authorization Value
|
||||||
For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8.
|
|
||||||
|
For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object.
|
||||||
|
This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8.
|
||||||
|
|
||||||
If your computer is not being joined to a domain the TPM owner authorization value will be stored in the local computer registry. Using BitLocker to encrypt the operating system drive will protect the owner authorization value from being disclosed when the computer is at rest, but there is a risk that a malicious user could obtain the TPM owner authorization value when the computer is unlocked. Therefore, we recommend that in this situation you configure your computer to automatically lock after 30 seconds of inactivity. If automatic locking is not used, then you should consider removing full owner authorization from the computer registry.
|
If your computer is not being joined to a domain the TPM owner authorization value will be stored in the local computer registry. Using BitLocker to encrypt the operating system drive will protect the owner authorization value from being disclosed when the computer is at rest, but there is a risk that a malicious user could obtain the TPM owner authorization value when the computer is unlocked. Therefore, we recommend that in this situation you configure your computer to automatically lock after 30 seconds of inactivity. If automatic locking is not used, then you should consider removing full owner authorization from the computer registry.
|
||||||
|
|
||||||
**Registry information**
|
**Registry information**
|
||||||
|
|
||||||
Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM
|
Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM
|
||||||
DWORD: OSManagedAuthLevel
|
DWORD: OSManagedAuthLevel
|
||||||
<table>
|
|
||||||
<colgroup>
|
| Value Data | Setting |
|
||||||
<col width="50%" />
|
| - | - |
|
||||||
<col width="50%" />
|
| 0 | None|
|
||||||
</colgroup>
|
| 2 | Delegated|
|
||||||
<thead>
|
| 4 | Full|
|
||||||
<tr class="header">
|
|
||||||
<th align="left">Value Data</th>
|
|
||||||
<th align="left">Setting</th>
|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>0</p></td>
|
|
||||||
<td align="left"><p>None</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>2</p></td>
|
|
||||||
<td align="left"><p>Delegated</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>4</p></td>
|
|
||||||
<td align="left"><p>Full</p></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
**Note**
|
>**Note:** If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.
|
||||||
If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.
|
|
||||||
|
|
||||||
## <a href="" id="bkmk-tpmcmdlets"></a>TPM Cmdlets
|
## <a href="" id="bkmk-tpmcmdlets"></a>TPM Cmdlets
|
||||||
|
|
||||||
If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command:
|
If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command:
|
||||||
**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets**
|
|
||||||
|
`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
|
||||||
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
|
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
|
||||||
|
|
||||||
## <a href="" id="bkmk-physicalpresenceinterface"></a>Physical presence interface
|
## <a href="" id="bkmk-physicalpresenceinterface"></a>Physical presence interface
|
||||||
The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence:
|
|
||||||
|
The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the
|
||||||
|
TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence:
|
||||||
|
|
||||||
- Activating the TPM
|
- Activating the TPM
|
||||||
- Clearing the existing owner information from the TPM without the owner’s password
|
- Clearing the existing owner information from the TPM without the owner’s password
|
||||||
- Deactivating the TPM
|
- Deactivating the TPM
|
||||||
- Disabling the TPM temporarily without the owner’s password
|
- Disabling the TPM temporarily without the owner’s password
|
||||||
|
|
||||||
## <a href="" id="bkmk-stateex"></a>States of existence in a TPM
|
## <a href="" id="bkmk-stateex"></a>States of existence in a TPM
|
||||||
|
|
||||||
For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive.
|
For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive.
|
||||||
|
|
||||||
These states of existence do not apply for Trusted Platform Module 2.0 because it cannot be turned off from within the operating system environment.
|
These states of existence do not apply for Trusted Platform Module 2.0 because it cannot be turned off from within the operating system environment.
|
||||||
<table>
|
|
||||||
<colgroup>
|
| State | Description |
|
||||||
<col width="50%" />
|
| - | - |
|
||||||
<col width="50%" />
|
| Enabled| Most features of the TPM are available.<br/>The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.|
|
||||||
</colgroup>
|
| Disabled| The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.<br/>The TPM can be enabled and disabled multiple times within a start-up period. |
|
||||||
<thead>
|
| Activated| Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.|
|
||||||
<tr class="header">
|
| Deactivated| Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.|
|
||||||
<th align="left">State</th>
|
| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.|
|
||||||
<th align="left">Description</th>
|
| Unowned| The TPM does not have a storage root key, and it may or may not have an endorsement key.|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>Enabled</p></td>
|
|
||||||
<td align="left"><p>Most features of the TPM are available.</p>
|
|
||||||
<p>The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>Disabled</p></td>
|
|
||||||
<td align="left"><p>The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.</p>
|
|
||||||
<p>The TPM can be enabled and disabled multiple times within a start-up period.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>Activated</p></td>
|
|
||||||
<td align="left"><p>Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>Deactivated</p></td>
|
|
||||||
<td align="left"><p>Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>Owned</p></td>
|
|
||||||
<td align="left"><p>Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>Unowned</p></td>
|
|
||||||
<td align="left"><p>The TPM does not have a storage root key, and it may or may not have an endorsement key.</p></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
**Important**
|
>**Important:** Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state.
Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state.
The state of the TPM exists independently of the computer’s operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled.
The state of the TPM exists independently of the computer’s operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled.
## <a href="" id="bkmk-endorsementkeys"></a>Endorsement keys
## <a href="" id="bkmk-endorsementkeys"></a>Endorsement keys
For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup.
For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the
TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup.
An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken.
An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken.
## <a href="" id="bkmk-ketattestation"></a>Key attestation
## <a href="" id="bkmk-ketattestation"></a>Key attestation
TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
## <a href="" id="bkmk-howtpmmitigates"></a>How the TPM mitigates dictionary attacks
## <a href="" id="bkmk-howtpmmitigates"></a>How the TPM mitigates dictionary attacks
When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided.
When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided.
TPMs have dictionary attack logic that is designed to prevent brute force attacks that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
TPMs have dictionary attack logic that is designed to prevent brute force attacks that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
Because many entities can use the TPM, a single authorization success cannot reset the TPM’s dictionary attack logic. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s dictionary attack logic. Generally TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
Because many entities can use the TPM, a single authorization success cannot reset the TPM’s dictionary attack logic. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s dictionary attack logic. Generally TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
### TPM 2.0 dictionary attack behavior
### TPM 2.0 dictionary attack behavior
TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry.
TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry.
**Warning**
For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
>**Warning:** For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours.
Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours.
The dictionary attack logic for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
The dictionary attack logic for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours.
In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours.
TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
### Rationale behind the Windows 8.1 and Windows 8 defaults
### Rationale behind the Windows 8.1 and Windows 8 defaults
Windows relies on the TPM 2.0 dictionary attack protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
Windows relies on the TPM 2.0 dictionary attack protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments.
For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments.
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password.
The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password.
## <a href="" id="bkmk-checkstate"></a>How do I check the state of my TPM?
## <a href="" id="bkmk-checkstate"></a>How do I check the state of my TPM?
You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**.
You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**.
## <a href="" id="bkmk-fixrfm"></a>What can I do if my TPM is in reduced functionality mode?
## <a href="" id="bkmk-fixrfm"></a>What can I do if my TPM is in reduced functionality mode?
If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. You can fix this by clearing the TPM.
If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**.
You can fix this by clearing the TPM.
**To clear the TPM**
**To clear the TPM**
1. Open the Trusted Platform Module snap-in (tpm.msc).
1. Open the Trusted Platform Module snap-in (tpm.msc).
2. Click **Clear TPM**, and then click **Restart.**
2. Click **Clear TPM**, and then click **Restart.**
3. When the PC is restarting, you might be prompted to press a button on the keyboard to clear the TPM.
3. When the PC is restarting, you might be prompted to press a button on the keyboard to clear the TPM.
4. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
4. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
**Note**
Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.
>**Note:** Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.
## Additional resources
## Additional resources
[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md)
[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md)
- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md)
[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
- [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md)
[Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
[TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478)
- [Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md)
[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)
- [TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)
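Review bot: the endorsement-key paragraph is now broken mid-sentence across two source lines on the right side ("…If the" / "TPM does not contain an endorsement key…"); if the blank row between them in this view reflects a blank line in the file, the rendered page shows a dangling "If the" fragment, so keep that sentence on one line as it is on the left. Splitting "You can fix this by clearing the TPM." into its own paragraph ahead of the **To clear the TPM** procedure, converting the **Important**, **Warning** and **Note** headings into `>**Important:**`-style blockquotes, and bulleting the Additional resources list are all consistent with the page's existing conventions.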
@ -2,76 +2,116 @@
title: TPM recommendations (Windows 10)
title: TPM recommendations (Windows 10)
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561
ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561
ms.pagetype: security
ms.prod: W10
ms.prod: W10
ms.mktglfcycl: deploy
ms.mktglfcycl: deploy
ms.sitesec: library
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: brianlic-msft
---
---
# TPM recommendations
# TPM recommendations
**Applies to**
**Applies to**
- Windows 10
- Windows 10
- Windows 10 Mobile
- Windows 10 Mobile
- Windows Server 2016 Technical Preview
- Windows Server 2016 Technical Preview
- Windows 10 IoT Core (IoT Core)
- Windows 10 IoT Core (IoT Core)
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
## Overview
## Overview
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. It has a security-related crypto-processor that is designed to carry out cryptographic operations in a variety of devices and form factors. It includes multiple physical security mechanisms to help prevent malicious software from tampering with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. It has a security-related crypto-processor that is designed to carry out cryptographic operations in a variety of devices and form factors. It includes multiple physical security mechanisms to help prevent malicious software from tampering with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
1. Generate, store, use, and protected cryptographic keys,
1. Generate, store, use, and protected cryptographic keys,
2. Use TPM technology for platform device authentication by using a unique endorsement key (EK), and
2. Use TPM technology for platform device authentication by using a unique endorsement key (EK), and
3. Help enhance platform integrity by taking and storing security measurements.
3. Help enhance platform integrity by taking and storing security measurements.
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
**Note**
Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>**Note:** Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## TPM 1.2 vs. 2.0 comparison
## TPM 1.2 vs. 2.0 comparison
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
|
||||||
|
|
||||||
## Why TPM 2.0?
|
## Why TPM 2.0?
|
||||||
|
|
||||||
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
|
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
|
||||||
|
|
||||||
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
|
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
|
||||||
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
|
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
|
||||||
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
|
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
|
||||||
|
|
||||||
- TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance.
|
- TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance.
|
||||||
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
|
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
|
||||||
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
|
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
|
||||||
|
|
||||||
- TPM 2.0 offers a more **consistent experience** across different implementations.
|
- TPM 2.0 offers a more **consistent experience** across different implementations.
|
||||||
|
|
||||||
- TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary.
|
- TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary.
|
||||||
- TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end.
|
- TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end.
|
||||||
|
|
||||||
- While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC:
|
- While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC:
|
||||||
|
|
||||||
- On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE).
|
- On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE).
|
||||||
- For AMD chips, it is the AMD Security Processor
|
- For AMD chips, it is the AMD Security Processor
|
||||||
- For ARM chips, it is a Trustzone Trusted Application (TA).
|
- For ARM chips, it is a Trustzone Trusted Application (TA).
|
||||||
- In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs.
|
- In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs.
|
||||||
|
|
||||||
## Discrete or firmware TPM?
|
## Discrete or firmware TPM?
|
||||||
|
|
||||||
Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option.
|
Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option.
|
||||||
|
|
||||||
From a security standpoint, discrete and firmware share the same characteristics;
|
From a security standpoint, discrete and firmware share the same characteristics;
|
||||||
|
|
||||||
- Both use hardware based secure execution.
|
- Both use hardware based secure execution.
|
||||||
- Both use firmware for portions of the TPM functionality.
|
- Both use firmware for portions of the TPM functionality.
|
||||||
- Both are equipped with tamper resistance capabilities.
|
- Both are equipped with tamper resistance capabilities.
|
||||||
- Both have unique security limitations/risks.
|
- Both have unique security limitations/risks.
|
||||||
|
|
||||||
For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236).
|
For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236).
|
||||||
|
|
||||||
## Is there any importance for TPM for consumer?
|
## Is there any importance for TPM for consumer?
|
||||||
|
|
||||||
For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
|
For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
|
||||||
|
|
||||||
## TPM 2.0 Compliance for Windows 10
|
## TPM 2.0 Compliance for Windows 10
|
||||||
|
|
||||||
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
|
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
|
||||||
|
|
||||||
- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
|
- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
|
||||||
|
|
||||||
## Two implementation options:
|
## Two implementation options:
|
||||||
• Discrete TPM chip as a separate discrete component
|
|
||||||
• Firmware TPM solution using Intel PTT (platform trust technology) or AMD
|
- Discrete TPM chip as a separate discrete component
|
||||||
|
- Firmware TPM solution using Intel PTT (platform trust technology) or AMD
|
||||||
|
|
||||||
### Windows 10 Mobile
|
### Windows 10 Mobile
|
||||||
|
|
||||||
- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled.
|
- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled.
|
||||||
|
|
||||||
### IoT Core
|
### IoT Core
|
||||||
|
|
||||||
- TPM is optional on IoT Core.
|
- TPM is optional on IoT Core.
|
||||||
|
|
||||||
### Windows Server 2016 Technical Preview
|
### Windows Server 2016 Technical Preview
|
||||||
|
|
||||||
- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
|
- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
|
||||||
|
|
||||||
## TPM and Windows Features
|
## TPM and Windows Features
|
||||||
|
|
||||||
The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly.
|
The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly.
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
<col width="20%" />
|
<col width="20%" />
|
||||||
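Review bot: the three platform items that follow the fTPM bullet ("On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE)." through "For ARM chips, it is a Trustzone Trusted Application (TA).") are introduced by a colon but sit at the same list level as their parent; indent them as nested bullets so they render as sub-items of the fTPM point, and add the missing period after "AMD Security Processor". In the same region "## Two implementation options:" is a level-2 heading placed inside the level-3 "Windows 10 for desktop editions" section; make it bold text or a level-4 heading and drop the trailing colon. Minor wording while this file is open: "a existing model" should be "an existing model", "graphic cards" should be "graphics cards", and the semicolon in "share the same characteristics;" should be a colon since a list follows.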
@ -255,9 +295,11 @@ There are a variety of TPM manufacturers for both discrete and firmware.
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
## OEM Feedback and Status on TPM 2.0 system availability
|
## OEM Feedback and Status on TPM 2.0 system availability
|
||||||
|
|
||||||
### Certified TPM parts
|
### Certified TPM parts
|
||||||
|
|
||||||
Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification.
|
Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification.
|
||||||
|
|
||||||
### Windows 7 32-bit support
|
### Windows 7 32-bit support
|
||||||
|
|
||||||
Even though Windows 7 shipped before the TPM 2.0 spec or products existed, Microsoft backported TPM 2.0 support to Windows 7 64-bit and released it in summer 2014 as a downloadable Windows hotfix for UEFI based Windows 7 systems. Microsoft is not currently planning to backport support to Windows 7 32-bit support.
|
Even though Windows 7 shipped before the TPM 2.0 spec or products existed, Microsoft backported TPM 2.0 support to Windows 7 64-bit and released it in summer 2014 as a downloadable Windows hotfix for UEFI based Windows 7 systems. Microsoft is not currently planning to backport support to Windows 7 32-bit support.
|
||||||
|
|
||||||
|
|
||||||
|
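Review bot: "Discrete TPM 2.0 vendors have completion certification." reads as a typo; the intended statement is presumably that discrete TPM 2.0 vendors have completed certification, which matters here because the preceding sentence tells regulated customers to require certified parts. Also "Microsoft is not currently planning to backport support to Windows 7 32-bit support." repeats "support"; suggest ending the sentence at "Windows 7 32-bit".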
@ -2,30 +2,41 @@
|
|||||||
title: Troubleshoot Windows Defender in Windows 10 (Windows 10)
|
title: Troubleshoot Windows Defender in Windows 10 (Windows 10)
|
||||||
description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
|
description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
|
||||||
ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
|
ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: manage
|
ms.mktglfcycl: manage
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: jasesso
|
author: jasesso
|
||||||
---
|
---
|
||||||
|
|
||||||
# Troubleshoot Windows Defender in Windows 10
|
# Troubleshoot Windows Defender in Windows 10
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
|
IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
|
||||||
|
|
||||||
## Windows Defender client event IDs
|
## Windows Defender client event IDs
|
||||||
|
|
||||||
This section provides the following information about Windows Defender client events:
|
This section provides the following information about Windows Defender client events:
|
||||||
|
|
||||||
- The text of the message as it appears in the event
|
- The text of the message as it appears in the event
|
||||||
- The name of the source of the message
|
- The name of the source of the message
|
||||||
- The symbolic name that identifies each message in the programming source code
|
- The symbolic name that identifies each message in the programming source code
|
||||||
- Additional information about the message
|
- Additional information about the message
|
||||||
|
|
||||||
Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**.
|
Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**.
|
||||||
|
|
||||||
**To view a Windows Defender client event**
|
**To view a Windows Defender client event**
|
||||||
|
|
||||||
1. Open **Event Viewer**.
|
1. Open **Event Viewer**.
|
||||||
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
|
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
|
||||||
3. Double-click on **Operational**.
|
3. Double-click on **Operational**.
|
||||||
4. In the details pane, view the list of individual events to find your event.
|
4. In the details pane, view the list of individual events to find your event.
|
||||||
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
|
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
|
||||||
|
|
||||||
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
|
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<th rowspan="3">Event ID: 1000</th>
|
<th rowspan="3">Event ID: 1000</th>
|
||||||
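Review bot: the intro sentence "Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**." contradicts the procedure right below it, which expands **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** and opens **Operational**; the Defender operational log is not under **Windows Logs**, so change the intro to name Applications and Services Logs, otherwise an administrator chasing one of these event IDs will look in the wrong log.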
@ -3257,8 +3268,8 @@ article</a>.</p>
|
|||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
|
|
||||||
[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
|
- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
|
||||||
|
- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
|
||||||
|
|
||||||
|
@ -2,81 +2,75 @@
|
|||||||
title: Trusted Platform Module Technology Overview (Windows 10)
|
title: Trusted Platform Module Technology Overview (Windows 10)
|
||||||
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
|
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
|
||||||
ms.assetid: face8932-b034-4319-86ac-db1163d46538
|
ms.assetid: face8932-b034-4319-86ac-db1163d46538
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: brianlic-msft
|
author: brianlic-msft
|
||||||
---
|
---
|
||||||
|
|
||||||
# Trusted Platform Module Technology Overview
|
# Trusted Platform Module Technology Overview
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
|
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
|
||||||
|
|
||||||
## <a href="" id="bkmk-over"></a>Feature description
|
## <a href="" id="bkmk-over"></a>Feature description
|
||||||
|
|
||||||
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
|
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
|
||||||
|
|
||||||
- Generate, store, and limit the use of cryptographic keys.
|
- Generate, store, and limit the use of cryptographic keys.
|
||||||
- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
|
- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
|
||||||
- Help ensure platform integrity by taking and storing security measurements.
|
- Help ensure platform integrity by taking and storing security measurements.
|
||||||
|
|
||||||
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
|
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
|
||||||
|
|
||||||
TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
|
TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
|
||||||
|
|
||||||
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site (<http://www.trustedcomputinggroup.org/developers/trusted_platform_module>).
|
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site (<http://www.trustedcomputinggroup.org/developers/trusted_platform_module>).
|
||||||
|
|
||||||
Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprise’s security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPM’s dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN.
|
Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprise’s security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPM’s dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN.
|
||||||
|
|
||||||
## <a href="" id="bkmk-app"></a>Practical applications
|
## <a href="" id="bkmk-app"></a>Practical applications
|
||||||
|
|
||||||
Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
|
Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
|
||||||
|
|
||||||
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
|
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
|
||||||
|
|
||||||
Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
|
Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
|
||||||
|
|
||||||
The TPM has several Group Policy settings that can be used to manage how it is used. These settings can be used to manage the owner authorization value, the blocked TPM commands, the standard user lockout, and the backup of the TPM to AD DS. For more info, see [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
|
The TPM has several Group Policy settings that can be used to manage how it is used. These settings can be used to manage the owner authorization value, the blocked TPM commands, the standard user lockout, and the backup of the TPM to AD DS. For more info, see [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
|
||||||
|
|
||||||
## <a href="" id="bkmk-new"></a>New and changed functionality
|
## <a href="" id="bkmk-new"></a>New and changed functionality
|
||||||
|
|
||||||
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/trusted-platform-module.md).
|
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/trusted-platform-module.md).
|
||||||
|
|
||||||
## <a href="" id="bkmk-dha"></a>Device health attestation
|
## <a href="" id="bkmk-dha"></a>Device health attestation
|
||||||
|
|
||||||
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
|
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
|
||||||
|
|
||||||
Some things that you can check on the device are:
|
Some things that you can check on the device are:
|
||||||
|
|
||||||
- Is Data Execution Prevention supported and enabled?
|
- Is Data Execution Prevention supported and enabled?
|
||||||
- Is BitLocker Drive Encryption supported and enabled?
|
- Is BitLocker Drive Encryption supported and enabled?
|
||||||
- Is SecureBoot supported and enabled?
|
- Is SecureBoot supported and enabled?
|
||||||
**Note** The device must be running Windows 10 and it must support at least TPM 2.0.
|
|
||||||
|
>**Note:** The device must be running Windows 10 and it must support at least TPM 2.0.
|
||||||
|
|
||||||
## <a href="" id="bkmk-supportedversions"></a>Supported versions
|
## <a href="" id="bkmk-supportedversions"></a>Supported versions
|
||||||
<table>
|
|
||||||
<colgroup>
|
| TPM version | Windows 10 | Windows Server 2012 R2, Windows 8.1, and Windows RT | Windows Server 2012, Windows 8, and Windows RT | Windows Server 2008 R2 and Windows 7 |
|
||||||
<col width="20%" />
|
| - | - | - | - | - |
|
||||||
<col width="20%" />
|
| TPM 1.2| X| X| X| X|
|
||||||
<col width="20%" />
|
| TPM 2.0| X| X| X| X|
|
||||||
<col width="20%" />
|
|
||||||
<col width="20%" />
|
|
||||||
</colgroup>
|
|
||||||
<thead>
|
|
||||||
<tr class="header">
|
|
||||||
<th align="left">TPM version</th>
|
|
||||||
<th align="left">Windows 10</th>
|
|
||||||
<th align="left">Windows Server 2012 R2, Windows 8.1, and Windows RT</th>
|
|
||||||
<th align="left">Windows Server 2012, Windows 8, and Windows RT</th>
|
|
||||||
<th align="left">Windows Server 2008 R2 and Windows 7</th>
|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>TPM 1.2</p></td>
|
|
||||||
<td align="left"><p>X</p></td>
|
|
||||||
<td align="left"><p>X</p></td>
|
|
||||||
<td align="left"><p>X</p></td>
|
|
||||||
<td align="left"><p>X</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>TPM 2.0</p></td>
|
|
||||||
<td align="left"><p>X</p></td>
|
|
||||||
<td align="left"><p>X</p></td>
|
|
||||||
<td align="left"><p>X</p></td>
|
|
||||||
<td align="left"><p>X</p></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
## <a href="" id="bkmk-additionalresources"></a>Additional Resources
|
## <a href="" id="bkmk-additionalresources"></a>Additional Resources
|
||||||
[TPM Fundamentals](tpm-fundamentals.md)
|
|
||||||
[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
|
- [TPM Fundamentals](tpm-fundamentals.md)
|
||||||
[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
|
- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
|
||||||
[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
|
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
|
||||||
[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)
|
- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
|
||||||
|
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)
|
||||||
|
|
||||||
|
|
||||||
|
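Review bot: the rebuilt Supported versions table marks TPM 2.0 with a bare X under "Windows Server 2008 R2 and Windows 7", while the TPM recommendations file in this same commit states that TPM 2.0 support on Windows 7 arrived only as a downloadable hotfix for 64-bit UEFI systems and is not planned for 32-bit; a footnote on that cell (hotfix required, 64-bit UEFI only) would stop readers from assuming out-of-box support. The markdown conversion is otherwise faithful to the removed HTML table (same header, same two rows; the `| - |` separator row is valid), so nothing was lost. Two wording points: "device heath attestation" should be "device health attestation", and the rationale that a non-exportable TPM key is "good to mitigate phishing attacks" is a stretch; the property defends against the key being copied off the device and used elsewhere, and the sentence would be more accurate saying that.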