new build 3/22

windows/keep-secure/TOC.md

@@ -394,7 +394,7 @@
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-for-windows-10.md)
-#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-for-windows-10.md)
+#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 ## [Enterprise security guides](enterprise-security-guides-portal.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 ### [Device Guard deployment guide](device-guard-deployment-guide.md)

windows/keep-secure/configure-windows-defender-in-windows-10

@@ -0,0 +1,223 @@
+---
+title: Configure Windows Defender in Windows 10 (Windows 10)
+description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: brianlic-msft
+---
+
+# Configure Windows Defender in Windows 10
+
+
+**Applies to**
+
+-   Windows 10
+
+IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+
+## Configure definition updates
+
+
+It is important to update definitions regularly to ensure that your endpoints are protected. Definition updates can be configured to suit the requirements of your organization.
+
+Windows Defender supports the same updating options (such as using multiple definition sources) as other Microsoft endpoint protection products; for more information, see [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx).
+
+When you configure multiple definition sources in Windows Defender, you can configure the fallback order using the following values through *Group Policy* settings:
+
+-   InternalDefinitionUpdateServer - WSUS
+-   MicrosoftUpdateServer - Microsoft Update
+-   MMPC - [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)
+-   FileShares - file share
+
+Read about deploying administrative template files for Windows Defender in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367).
+
+You can also manage your Windows Defender update configuration settings through System Center Configuration Manager. See [How to Configure Definition Updates for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/jj822983.aspx) for details.
+
+## Definition update logic
+
+
+You can update Windows Defender definitions in four ways depending on your business requirements:
+
+-   WSUS, the managed server. You can manage the distribution of updates that are released through Microsoft Update to computers in your enterprise environment; read more on the [Windows Server Update Services](https://technet.microsoft.com/windowsserver/bb332157.aspx) website.
+-   Microsoft Update, the unmanaged server. You can use this method to get regular updates from Microsoft Update.
+-   The [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx), as an alternate download location. You can use this method if you want to download the latest definitions.
+-   File share, where the definition package is downloaded. You can retrieve definition updates from a file share. The file share must be provisioned on a regular basis with the update files.
+
+## Update Windows Defender definitions through Active Directory and WSUS
+
+
+This section details how to update Windows Defender definitions for Windows 10 endpoints through Active Directory and WSUS.
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Method</th>
+<th align="left">Instructions</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>WSUS</p></td>
+<td align="left"><p>See [Software Updates and Windows Server Update Services Definition Updates](https://technet.microsoft.com/library/gg398036.aspx) in the [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx) topic that also applies to Windows Defender.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Microsoft Update</p></td>
+<td align="left"><p>Set the following fallback order <em>Group Policy</em> to enable Microsoft Update:</p>
+<ol>
+<li>Open the <strong>Group Policy Editor</strong>.</li>
+<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
+<li>Click on <strong>Signature Updates</strong>.</li>
+<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
+<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window.</p></li>
+<li>Click <strong>Enable</strong>.</li>
+<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Microsoft Update:</p>
+<p><strong>{MicrosoftUpdateServer}</strong></p>
+<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
+<li><p>Click <strong>OK</strong>.</p>
+<p>The window will close automatically.</p></li>
+</ol></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>[Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)</p></td>
+<td align="left"><p>Set the following fallback order <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
+<ol>
+<li>Open the <strong>Group Policy Editor</strong>.</li>
+<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
+<li>Click on <strong>Signature Updates</strong>.</li>
+<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
+<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window.</p></li>
+<li>Click <strong>Enable</strong>.</li>
+<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
+<p><strong>{MMPC}</strong></p>
+<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
+<li><p>Click <strong>OK</strong>.</p>
+<p>The window will close automatically.</p></li>
+</ol></td>
+</tr>
+<tr class="even">
+<td align="left"><p>File share</p></td>
+<td align="left"><p></p>
+<ol>
+<li>Open the <strong>Group Policy Editor</strong>.</li>
+<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
+<li>Click on <strong>Signature Updates</strong>.</li>
+<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
+<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window:</p></li>
+<li>Click <strong>Enable</strong>.</li>
+<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
+<p><strong>{FileShares}</strong></p>
+<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
+<li><p>Click <strong>OK</strong>.</p>
+<p>The window will close automatically.</p></li>
+<li><p>Double-click on <strong>Define file shares for downloading definition updates</strong>.</p>
+<p>This will open the <strong>Define file shares for downloading definition updates</strong> window.</p></li>
+<li>Click <strong>Enable</strong>.</li>
+<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to specify the Universal Naming Convention (UNC) share source:</p>
+<p><strong>{\\unc1\\unc2}</strong> - where you define [unc] as the UNC shares.</p>
+<p><img src="images/defender-gp-defsharesfield.png" alt="&quot;Define the file shares for downloading definition updates&quot; field" /></p></li>
+<li><p>Click <strong>OK</strong>.</p>
+<p>The window will close automatically.</p></li>
+</ol></td>
+</tr>
+</tbody>
+</table>
+
+ 
+
+## Manage cloud-based protection
+
+
+Windows Defender offers improved cloud-based protection and threat intelligence for endpoint protection clients using the Microsoft Active Protection Service. Read more about the Microsoft Active Protection Service community in [Join the Microsoft Active Protection Service community](http://windows.microsoft.com/windows-8/join-maps-community).
+
+You can enable or disable the Microsoft Active Protection Service using *Group Policy* settings and administrative template files.
+
+More information on deploying administrative template files for Windows Defender is available in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367).
+
+The Microsoft Active Protection Service can be configured with the following *Group Policy* settings:
+
+1.  Open the **Group Policy Editor**.
+2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
+3.  Click on **MAPS**.
+4.  Double-click on **Join Microsoft MAPS**.
+5.  Select your configuration option from the **Join Microsoft MAPS** list.
+    **Note**  Any settings modified on an endpoint will be overridden by the administrator's policy setting.
+
+     
+
+Use the Windowsdefender.adm *Group Policy* template file to control the policy settings for Windows Defender in Windows 10:
+
+Policy setting: **Configure Microsoft SpyNet Reporting**
+Registry key name: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting**
+Policy description: **Adjusts membership in Microsoft Active Protection Service**
+
+You can also configure preferences using the following PowerShell parameters:
+
+-   Turn Microsoft Active Protection Service off: *Set-MpPreference -MAPSReporting 0*
+-   Turn Microsoft Active Protection Service on: *Set-MpPreference -MAPSReporting 2*
+
+Read more about this in:
+
+-   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
+-   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
+
+**Note**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID.
+
+ 
+
+Read more about how to manage your privacy settings in [Setting your preferences for Windows 10 services](http://windows.microsoft.com/windows-10/services-setting-preferences).
+
+## Opt-in to Microsoft Update
+
+
+You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update.
+
+You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update.
+
+There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10:
+
+1.  Use a VBScript to create a script, then run it on each computer in your network.
+2.  Manually opt-in every computer on your network through the **Settings** menu.
+
+You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update.
+
+**Use a VBScript to opt in to Microsoft Update**
+
+1.  Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
+2.  Run the VBScript you created on each computer in your network.
+
+You can manually opt-in each individual computer on your network to receive Microsoft Update.
+
+**Manually opt-in to Microsoft Update**
+
+1.  Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
+2.  Click **Advanced** options.
+3.  Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
+
+## Schedule updates for Microsoft Update
+
+
+Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road.
+
+For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates).
+
+## Related topics
+
+
+[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-for-windows-10.md)
+
+ 
+
+ 
+
+
+
+
+

windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md

@@ -28,7 +28,7 @@ To create a code integrity policy, you'll first need to create a reference image
 
 **To create a code integrity policy based on a reference device**
 
-1.  On your reference device, start Windows PowerShell as an administrator.
+1.  On your reference device, start PowerShell as an administrator.
 
 2.  In PowerShell, initialize variables by typing:
 

windows/keep-secure/get-started-with-windows-defender-for-windows-10.md

@@ -1,6 +1,6 @@
 ---
 title: Update and manage Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)Windows PowerShell.
+description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell.
 ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7
 ms.prod: W10
 ms.mktglfcycl: manage
@@ -19,7 +19,7 @@ IT professionals can manage Windows Defender on Windows 10 endpoints in their o
 
 -   Group Policy Settings
 -   Windows Management Instrumentation (WMI)
--   Windows PowerShell
+-   PowerShell
 
 ## Manage Windows Defender endpoints through Active Directory and WSUS
 
@@ -112,7 +112,7 @@ Turn on email scanning with the following *Group Policy* settings:
 3.  Click **Scan**.
 4.  Double-click **Turn on e-mail scanning**.
 
-    This will open the **Turn on e-mail scanning** window:
+    This will open the **Turn on e-mail scanning** window: ![turn on e-mail scanning window](images/defender-scanemailfiles.png)
 
 5.  Select **Enabled**.
 6.  Click **OK** to apply changes.
@@ -175,16 +175,16 @@ Turn on email scanning with the following *Group Policy* settings:
 3.  Click **Scan**.
 4.  Double-click **Scan archive files**.
 
-    This will open the **Scan archive files** window:
+    This will open the **Scan archive files** window: ![scan archive files window](images/defender-scanarchivefiles.png)
 
 5.  Select **Enabled**.
 6.  Click **OK** to apply changes.
 
 There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
 
--   Maximum directory depth level into which archive files are unpacked during scanning
--   Maximum size of archive files that will be scanned
--   Maximum percentage CPU utilization permitted during a scan
+-   Maximum directory depth level into which archive files are unpacked during scanning ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
+-   Maximum size of archive files that will be scanned ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
+-   Maximum percentage CPU utilization permitted during a scan ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
 
 ## Use WMI to disable archive scans
 
@@ -220,7 +220,7 @@ In Endpoint Protection, you can use the advanced scanning options to configure a
 
 [Configure Windows Defender in Windows 10](configure-windows-defender-for-windows-10.md)
 
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-for-windows-10.md)
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 
  
 

windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md

@@ -46,7 +46,7 @@ You must run Package Inspector on a device that's running a temporary Code Integ
 
 **To create a catalog file for an existing app**
 
-1.  Start Windows PowerShell as an administrator, and create your temporary policy file by typing:
+1.  Start PowerShell as an administrator, and create your temporary policy file by typing:
 
     ``` syntax
     mkdir temp

windows/keep-secure/implement-microsoft-passport-in-your-organization.md

@@ -129,7 +129,7 @@ The following table lists the Group Policy settings that you can configure for P
 </td>
 </tr>
 <tr>
-<td><a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Remote Passport</a></td>
+<td><a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a></td>
 <td>
 <p>Use Remote Passport</p>
 <div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
@@ -142,151 +142,118 @@ The following table lists the Group Policy settings that you can configure for P
 </td>
 </tr>
 </table>
-<p> </p>
-<h2><a id="MDM_policy_settings_for_Passport"></a><a id="mdm_policy_settings_for_passport"></a><a id="MDM_POLICY_SETTINGS_FOR_PASSPORT"></a>MDM policy settings for Passport</h2>
-<p>The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the <a href="http://go.microsoft.com/fwlink/p/?LinkId=692070">PassportForWork configuration service provider (CSP)</a>.</p>
-<table>
-<tr>
-<th colspan="2">Policy</th>
-<th>Scope</th>
-<th>Default</th>
-<th>Options</th>
-</tr>
-<tr>
-<td>UsePassportForWork</td>
-<td></td>
-<td>Device</td>
-<td>True</td>
-<td>
-<p>True: Passport will be provisioned for all users on the device.</p>
-<p>False: Users will not be able to provision Passport. </p>
-<div class="alert"><b>Note</b>  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.</div>
-<div> </div>
-</td>
-</tr>
-<tr>
-<td>RequireSecurityDevice</td>
-<td></td>
-<td>Device</td>
-<td>False</td>
-<td>
-<p>True: Passport will only be provisioned using TPM.</p>
-<p>False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
-</td>
-</tr>
-<tr>
-<td rowspan="2">Biometrics</td>
-<td>
-<p>UseBiometrics</p>
-</td>
-<td>Device </td>
-<td>False</td>
-<td>
-<p>True: Biometrics can be used as a gesture in place of a PIN for domain logon.</p>
-<p>False: Only a PIN can be used as a gesture for domain logon.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>FacialFeaturesUser</p>
-<p>EnhancedAntiSpoofing</p>
-</td>
-<td>Device</td>
-<td>Not configured</td>
-<td>
-<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.</p>
-<p>True: Enhanced anti-spoofing is required on devices which support it.</p>
-<p>False: Users cannot turn on enhanced anti-spoofing.</p>
-</td>
-</tr>
-<tr>
-<td rowspan="9">PINComplexity</td>
-</tr>
-<tr>
-<td>Digits </td>
-<td>Device or user</td>
-<td>2 </td>
-<td>
-<p>1: Numbers are not allowed. </p>
-<p>2: At least one number is required.</p>
-</td>
-</tr>
-<tr>
-<td>Lowercase letters </td>
-<td>Device or user</td>
-<td>1 </td>
-<td>
-<p>1: Lowercase letters are not allowed. </p>
-<p>2: At least one lowercase letter is required.</p>
-</td>
-</tr>
-<tr>
-<td>Maximum PIN length </td>
-<td>Device or user</td>
-<td>127 </td>
-<td>
-<p>Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.</p>
-</td>
-</tr>
-<tr>
-<td>Minimum PIN length</td>
-<td>Device or user</td>
-<td>4</td>
-<td>
-<p>Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.</p>
-</td>
-</tr>
-<tr>
-<td>Expiration </td>
-<td>Device or user</td>
-<td>0</td>
-<td>
-<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. 
-</p>
-</td>
-</tr>
-<tr>
-<td>History</td>
-<td>Device or user</td>
-<td>0</td>
-<td>
-<p>Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. 
-</p>
-</td>
-</tr>
-<tr>
-<td>Special characters</td>
-<td>Device or user</td>
-<td>1</td>
-<td>
-<p>1: Special characters are not allowed. </p>
-<p>2: At least one special character is required.</p>
-</td>
-</tr>
-<tr>
-<td>Uppercase letters</td>
-<td>Device or user</td>
-<td>1</td>
-<td>
-<p>1: Uppercase letters are not allowed </p>
-<p>2: At least one uppercase letter is required</p>
-</td>
-</tr>
-<tr>
-<td>Remote</td>
-<td>
-<p>UseRemotePassport</p>
-<div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
-<div> </div>
-</td>
-<td>Device or user</td>
-<td>False</td>
-<td>
-<p>True: <a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a> is enabled.</p>
-<p>False: <a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a> is disabled.</p>
-</td>
-</tr>
-</table>
+
+## MDM policy settings for Passport
+
+
+The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
+
+Policy
+Scope
+Default
+Options
+UsePassportForWork
+Device
+True
+True: Passport will be provisioned for all users on the device.
+
+False: Users will not be able to provision Passport.
+
+**Note**  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
+
+ 
+
+RequireSecurityDevice
+Device
+False
+True: Passport will only be provisioned using TPM.
+
+False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
+
+Biometrics
+UseBiometrics
+
+Device
+False
+True: Biometrics can be used as a gesture in place of a PIN for domain logon.
+
+False: Only a PIN can be used as a gesture for domain logon.
+
+FacialFeaturesUser
+
+EnhancedAntiSpoofing
+
+Device
+Not configured
+Not configured: users can choose whether to turn on enhanced anti-spoofing.
+
+True: Enhanced anti-spoofing is required on devices which support it.
+
+False: Users cannot turn on enhanced anti-spoofing.
+
+PINComplexity
+Digits
+Device or user
+2
+1: Numbers are not allowed.
+
+2: At least one number is required.
+
+Lowercase letters
+Device or user
+1
+1: Lowercase letters are not allowed.
+
+2: At least one lowercase letter is required.
+
+Maximum PIN length
+Device or user
+127
+Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.
+
+Minimum PIN length
+Device or user
+4
+Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.
+
+Expiration
+Device or user
+0
+Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire.
+
+History
+Device or user
+0
+Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
+
+Special characters
+Device or user
+1
+1: Special characters are not allowed.
+
+2: At least one special character is required.
+
+Uppercase letters
+Device or user
+1
+1: Uppercase letters are not allowed
+
+2: At least one uppercase letter is required
+
+Remote
+UseRemotePassport
+
+**Note**  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
+ 
+
+Device or user
+False
+True: [Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) is enabled.
+
+False: [Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) is disabled.
+
+ 
 
 **Note**  
 If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.

windows/keep-secure/vpn-profile-options.md

@@ -27,7 +27,7 @@ Always On is a new feature in Windows 10 which enables the active VPN profile to
 
 -   Network change
 
-When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > VPN profile > **Let apps automatically use this VPN connection**.
+When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* > **Let apps automatically use this VPN connection**.
 
 ## App-triggered VPN
 

windows/keep-secure/windows-defender-in-windows-10.md

@@ -76,7 +76,7 @@ For more information about what's new in Windows Defender in Windows 10, see [W
 <ul>
 <li>Group Policy Settings</li>
 <li>Windows Management Instrumentation (WMI)</li>
-<li>Windows PowerShell</li>
+<li>PowerShell</li>
 </ul></td>
 </tr>
 <tr class="even">
@@ -84,7 +84,7 @@ For more information about what's new in Windows Defender in Windows 10, see [W
 <td align="left"><p>IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS.</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-for-windows-10.md)</p></td>
+<td align="left"><p>[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)</p></td>
 <td align="left"><p>IT professionals can review information about <em>event IDs</em> in Windows Defender for Windows 10 and see any relevant action they can take.</p></td>
 </tr>
 </tbody>