new build 3/22

windows/keep-secure/TOC.md

@@ -394,7 +394,7 @@
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-for-windows-10.md)
-#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-for-windows-10.md)
+#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 ## [Enterprise security guides](enterprise-security-guides-portal.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 ### [Device Guard deployment guide](device-guard-deployment-guide.md)

windows/keep-secure/configure-windows-defender-in-windows-10

@@ -0,0 +1,223 @@
+---
+title: Configure Windows Defender in Windows 10 (Windows 10)
+description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: brianlic-msft
+---
+
+# Configure Windows Defender in Windows 10
+
+
+**Applies to**
+
+-   Windows 10
+
+IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+
+## Configure definition updates
+
+
+It is important to update definitions regularly to ensure that your endpoints are protected. Definition updates can be configured to suit the requirements of your organization.
+
+Windows Defender supports the same updating options (such as using multiple definition sources) as other Microsoft endpoint protection products; for more information, see [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx).
+
+When you configure multiple definition sources in Windows Defender, you can configure the fallback order using the following values through *Group Policy* settings:
+
+-   InternalDefinitionUpdateServer - WSUS
+-   MicrosoftUpdateServer - Microsoft Update
+-   MMPC - [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)
+-   FileShares - file share
+
+Read about deploying administrative template files for Windows Defender in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367).
+
+You can also manage your Windows Defender update configuration settings through System Center Configuration Manager. See [How to Configure Definition Updates for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/jj822983.aspx) for details.
+
+## Definition update logic
+
+
+You can update Windows Defender definitions in four ways depending on your business requirements:
+
+-   WSUS, the managed server. You can manage the distribution of updates that are released through Microsoft Update to computers in your enterprise environment; read more on the [Windows Server Update Services](https://technet.microsoft.com/windowsserver/bb332157.aspx) website.
+-   Microsoft Update, the unmanaged server. You can use this method to get regular updates from Microsoft Update.
+-   The [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx), as an alternate download location. You can use this method if you want to download the latest definitions.
+-   File share, where the definition package is downloaded. You can retrieve definition updates from a file share. The file share must be provisioned on a regular basis with the update files.
+
+## Update Windows Defender definitions through Active Directory and WSUS
+
+
+This section details how to update Windows Defender definitions for Windows 10 endpoints through Active Directory and WSUS.
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Method</th>
+<th align="left">Instructions</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>WSUS</p></td>
+<td align="left"><p>See [Software Updates and Windows Server Update Services Definition Updates](https://technet.microsoft.com/library/gg398036.aspx) in the [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx) topic that also applies to Windows Defender.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Microsoft Update</p></td>
+<td align="left"><p>Set the following fallback order <em>Group Policy</em> to enable Microsoft Update:</p>
+<ol>
+<li>Open the <strong>Group Policy Editor</strong>.</li>
+<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
+<li>Click on <strong>Signature Updates</strong>.</li>
+<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
+<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window.</p></li>
+<li>Click <strong>Enable</strong>.</li>
+<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Microsoft Update:</p>
+<p><strong>{MicrosoftUpdateServer}</strong></p>
+<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
+<li><p>Click <strong>OK</strong>.</p>
+<p>The window will close automatically.</p></li>
+</ol></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>[Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)</p></td>
+<td align="left"><p>Set the following fallback order <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
+<ol>
+<li>Open the <strong>Group Policy Editor</strong>.</li>
+<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
+<li>Click on <strong>Signature Updates</strong>.</li>
+<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
+<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window.</p></li>
+<li>Click <strong>Enable</strong>.</li>
+<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
+<p><strong>{MMPC}</strong></p>
+<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
+<li><p>Click <strong>OK</strong>.</p>
+<p>The window will close automatically.</p></li>
+</ol></td>
+</tr>
+<tr class="even">
+<td align="left"><p>File share</p></td>
+<td align="left"><p></p>
+<ol>
+<li>Open the <strong>Group Policy Editor</strong>.</li>
+<li>In the <strong>Local Computer Policy</strong> tree, expand <strong>Computer Configuration</strong>, then <strong>Administrative Templates</strong>, then <strong>Windows Components</strong>, then <strong>Windows Defender</strong>.</li>
+<li>Click on <strong>Signature Updates</strong>.</li>
+<li><p>Double-click on <strong>Define the order of sources for downloading definition updates</strong>.</p>
+<p>This will open the <strong>Define the order of sources for downloading definition updates</strong> window:</p></li>
+<li>Click <strong>Enable</strong>.</li>
+<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to enable Windows Defender to download updated signatures:</p>
+<p><strong>{FileShares}</strong></p>
+<p><img src="images/defender-gp-defsourcefield.png" alt="&quot;Define the order of sources for downloading definition updates&quot; field" /></p></li>
+<li><p>Click <strong>OK</strong>.</p>
+<p>The window will close automatically.</p></li>
+<li><p>Double-click on <strong>Define file shares for downloading definition updates</strong>.</p>
+<p>This will open the <strong>Define file shares for downloading definition updates</strong> window.</p></li>
+<li>Click <strong>Enable</strong>.</li>
+<li><p>In the <strong>Options</strong> pane, define the following <em>Group Policy</em> to specify the Universal Naming Convention (UNC) share source:</p>
+<p><strong>{\\unc1\\unc2}</strong> - where you define [unc] as the UNC shares.</p>
+<p><img src="images/defender-gp-defsharesfield.png" alt="&quot;Define the file shares for downloading definition updates&quot; field" /></p></li>
+<li><p>Click <strong>OK</strong>.</p>
+<p>The window will close automatically.</p></li>
+</ol></td>
+</tr>
+</tbody>
+</table>
+
+ 
+
+## Manage cloud-based protection
+
+
+Windows Defender offers improved cloud-based protection and threat intelligence for endpoint protection clients using the Microsoft Active Protection Service. Read more about the Microsoft Active Protection Service community in [Join the Microsoft Active Protection Service community](http://windows.microsoft.com/windows-8/join-maps-community).
+
+You can enable or disable the Microsoft Active Protection Service using *Group Policy* settings and administrative template files.
+
+More information on deploying administrative template files for Windows Defender is available in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367).
+
+The Microsoft Active Protection Service can be configured with the following *Group Policy* settings:
+
+1.  Open the **Group Policy Editor**.
+2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
+3.  Click on **MAPS**.
+4.  Double-click on **Join Microsoft MAPS**.
+5.  Select your configuration option from the **Join Microsoft MAPS** list.
+    **Note**  Any settings modified on an endpoint will be overridden by the administrator's policy setting.
+
+     
+
+Use the Windowsdefender.adm *Group Policy* template file to control the policy settings for Windows Defender in Windows 10:
+
+Policy setting: **Configure Microsoft SpyNet Reporting**
+Registry key name: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting**
+Policy description: **Adjusts membership in Microsoft Active Protection Service**
+
+You can also configure preferences using the following PowerShell parameters:
+
+-   Turn Microsoft Active Protection Service off: *Set-MpPreference -MAPSReporting 0*
+-   Turn Microsoft Active Protection Service on: *Set-MpPreference -MAPSReporting 2*
+
+Read more about this in:
+
+-   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
+-   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
+
+**Note**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID.
+
+ 
+
+Read more about how to manage your privacy settings in [Setting your preferences for Windows 10 services](http://windows.microsoft.com/windows-10/services-setting-preferences).
+
+## Opt-in to Microsoft Update
+
+
+You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update.
+
+You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update.
+
+There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10:
+
+1.  Use a VBScript to create a script, then run it on each computer in your network.
+2.  Manually opt-in every computer on your network through the **Settings** menu.
+
+You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update.
+
+**Use a VBScript to opt in to Microsoft Update**
+
+1.  Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript.
+2.  Run the VBScript you created on each computer in your network.
+
+You can manually opt-in each individual computer on your network to receive Microsoft Update.
+
+**Manually opt-in to Microsoft Update**
+
+1.  Open **Windows Update** in **Update & security** settings on the computer you want to opt-in.
+2.  Click **Advanced** options.
+3.  Select the checkbox for **Give me updates for other Microsoft products when I update Windows**.
+
+## Schedule updates for Microsoft Update
+
+
+Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road.
+
+For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates).
+
+## Related topics
+
+
+[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-for-windows-10.md)
+
+ 
+
+ 
+
+
+
+
+

windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md

@@ -28,7 +28,7 @@ To create a code integrity policy, you'll first need to create a reference image
 
 **To create a code integrity policy based on a reference device**
 
-1.  On your reference device, start Windows PowerShell as an administrator.
+1.  On your reference device, start PowerShell as an administrator.
 
 2.  In PowerShell, initialize variables by typing:
 

windows/keep-secure/get-started-with-windows-defender-for-windows-10.md

@@ -1,6 +1,6 @@
 ---
 title: Update and manage Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)Windows PowerShell.
+description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell.
 ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7
 ms.prod: W10
 ms.mktglfcycl: manage
@@ -19,7 +19,7 @@ IT professionals can manage Windows Defender on Windows 10 endpoints in their o
 
 -   Group Policy Settings
 -   Windows Management Instrumentation (WMI)
--   Windows PowerShell
+-   PowerShell
 
 ## Manage Windows Defender endpoints through Active Directory and WSUS
 
@@ -112,7 +112,7 @@ Turn on email scanning with the following *Group Policy* settings:
 3.  Click **Scan**.
 4.  Double-click **Turn on e-mail scanning**.
 
-    This will open the **Turn on e-mail scanning** window:
+    This will open the **Turn on e-mail scanning** window: ![turn on e-mail scanning window](images/defender-scanemailfiles.png)
 
 5.  Select **Enabled**.
 6.  Click **OK** to apply changes.
@@ -175,16 +175,16 @@ Turn on email scanning with the following *Group Policy* settings:
 3.  Click **Scan**.
 4.  Double-click **Scan archive files**.
 
-    This will open the **Scan archive files** window:
+    This will open the **Scan archive files** window: ![scan archive files window](images/defender-scanarchivefiles.png)
 
 5.  Select **Enabled**.
 6.  Click **OK** to apply changes.
 
 There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
 
--   Maximum directory depth level into which archive files are unpacked during scanning
+-   Maximum directory depth level into which archive files are unpacked during scanning ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
--   Maximum size of archive files that will be scanned
+-   Maximum size of archive files that will be scanned ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
--   Maximum percentage CPU utilization permitted during a scan
+-   Maximum percentage CPU utilization permitted during a scan ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
 
 ## Use WMI to disable archive scans
 
@@ -220,7 +220,7 @@ In Endpoint Protection, you can use the advanced scanning options to configure a
 
 [Configure Windows Defender in Windows 10](configure-windows-defender-for-windows-10.md)
 
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-for-windows-10.md)
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 
  
 

windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md

@@ -46,7 +46,7 @@ You must run Package Inspector on a device that's running a temporary Code Integ
 
 **To create a catalog file for an existing app**
 
-1.  Start Windows PowerShell as an administrator, and create your temporary policy file by typing:
+1.  Start PowerShell as an administrator, and create your temporary policy file by typing:
 
     ``` syntax
     mkdir temp

windows/keep-secure/implement-microsoft-passport-in-your-organization.md

@@ -129,7 +129,7 @@ The following table lists the Group Policy settings that you can configure for P
 </td>
 </tr>
 <tr>
-<td><a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Remote Passport</a></td>
+<td><a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a></td>
 <td>
 <p>Use Remote Passport</p>
 <div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
@@ -142,151 +142,118 @@ The following table lists the Group Policy settings that you can configure for P
 </td>
 </tr>
 </table>
-<p> </p>
+
-<h2><a id="MDM_policy_settings_for_Passport"></a><a id="mdm_policy_settings_for_passport"></a><a id="MDM_POLICY_SETTINGS_FOR_PASSPORT"></a>MDM policy settings for Passport</h2>
+## MDM policy settings for Passport
-<p>The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the <a href="http://go.microsoft.com/fwlink/p/?LinkId=692070">PassportForWork configuration service provider (CSP)</a>.</p>
+
-<table>
+
-<tr>
+The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
-<th colspan="2">Policy</th>
+
-<th>Scope</th>
+Policy
-<th>Default</th>
+Scope
-<th>Options</th>
+Default
-</tr>
+Options
-<tr>
+UsePassportForWork
-<td>UsePassportForWork</td>
+Device
-<td></td>
+True
-<td>Device</td>
+True: Passport will be provisioned for all users on the device.
-<td>True</td>
+
-<td>
+False: Users will not be able to provision Passport.
-<p>True: Passport will be provisioned for all users on the device.</p>
+
-<p>False: Users will not be able to provision Passport. </p>
+**Note**  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
-<div class="alert"><b>Note</b>  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.</div>
+
-<div> </div>
+ 
-</td>
+
-</tr>
+RequireSecurityDevice
-<tr>
+Device
-<td>RequireSecurityDevice</td>
+False
-<td></td>
+True: Passport will only be provisioned using TPM.
-<td>Device</td>
+
-<td>False</td>
+False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
-<td>
+
-<p>True: Passport will only be provisioned using TPM.</p>
+Biometrics
-<p>False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
+UseBiometrics
-</td>
+
-</tr>
+Device
-<tr>
+False
-<td rowspan="2">Biometrics</td>
+True: Biometrics can be used as a gesture in place of a PIN for domain logon.
-<td>
+
-<p>UseBiometrics</p>
+False: Only a PIN can be used as a gesture for domain logon.
-</td>
+
-<td>Device </td>
+FacialFeaturesUser
-<td>False</td>
+
-<td>
+EnhancedAntiSpoofing
-<p>True: Biometrics can be used as a gesture in place of a PIN for domain logon.</p>
+
-<p>False: Only a PIN can be used as a gesture for domain logon.</p>
+Device
-</td>
+Not configured
-</tr>
+Not configured: users can choose whether to turn on enhanced anti-spoofing.
-<tr>
+
-<td>
+True: Enhanced anti-spoofing is required on devices which support it.
-<p>FacialFeaturesUser</p>
+
-<p>EnhancedAntiSpoofing</p>
+False: Users cannot turn on enhanced anti-spoofing.
-</td>
+
-<td>Device</td>
+PINComplexity
-<td>Not configured</td>
+Digits
-<td>
+Device or user
-<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.</p>
+2
-<p>True: Enhanced anti-spoofing is required on devices which support it.</p>
+1: Numbers are not allowed.
-<p>False: Users cannot turn on enhanced anti-spoofing.</p>
+
-</td>
+2: At least one number is required.
-</tr>
+
-<tr>
+Lowercase letters
-<td rowspan="9">PINComplexity</td>
+Device or user
-</tr>
+1
-<tr>
+1: Lowercase letters are not allowed.
-<td>Digits </td>
+
-<td>Device or user</td>
+2: At least one lowercase letter is required.
-<td>2 </td>
+
-<td>
+Maximum PIN length
-<p>1: Numbers are not allowed. </p>
+Device or user
-<p>2: At least one number is required.</p>
+127
-</td>
+Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.
-</tr>
+
-<tr>
+Minimum PIN length
-<td>Lowercase letters </td>
+Device or user
-<td>Device or user</td>
+4
-<td>1 </td>
+Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.
-<td>
+
-<p>1: Lowercase letters are not allowed. </p>
+Expiration
-<p>2: At least one lowercase letter is required.</p>
+Device or user
-</td>
+0
-</tr>
+Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire.
-<tr>
+
-<td>Maximum PIN length </td>
+History
-<td>Device or user</td>
+Device or user
-<td>127 </td>
+0
-<td>
+Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
-<p>Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.</p>
+
-</td>
+Special characters
-</tr>
+Device or user
-<tr>
+1
-<td>Minimum PIN length</td>
+1: Special characters are not allowed.
-<td>Device or user</td>
+
-<td>4</td>
+2: At least one special character is required.
-<td>
+
-<p>Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.</p>
+Uppercase letters
-</td>
+Device or user
-</tr>
+1
-<tr>
+1: Uppercase letters are not allowed
-<td>Expiration </td>
+
-<td>Device or user</td>
+2: At least one uppercase letter is required
-<td>0</td>
+
-<td>
+Remote
-<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. 
+UseRemotePassport
-</p>
+
-</td>
+**Note**  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-</tr>
+
-<tr>
+ 
-<td>History</td>
+
-<td>Device or user</td>
+Device or user
-<td>0</td>
+False
-<td>
+True: [Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) is enabled.
-<p>Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. 
+
-</p>
+False: [Remote Passport](prepare-people-to-use-microsoft-passport.md#bmk-remote) is disabled.
-</td>
+
-</tr>
+ 
-<tr>
-<td>Special characters</td>
-<td>Device or user</td>
-<td>1</td>
-<td>
-<p>1: Special characters are not allowed. </p>
-<p>2: At least one special character is required.</p>
-</td>
-</tr>
-<tr>
-<td>Uppercase letters</td>
-<td>Device or user</td>
-<td>1</td>
-<td>
-<p>1: Uppercase letters are not allowed </p>
-<p>2: At least one uppercase letter is required</p>
-</td>
-</tr>
-<tr>
-<td>Remote</td>
-<td>
-<p>UseRemotePassport</p>
-<div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
-<div> </div>
-</td>
-<td>Device or user</td>
-<td>False</td>
-<td>
-<p>True: <a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a> is enabled.</p>
-<p>False: <a href="prepare_people_to_use_microsoft_passport.htm#BMK_remote">Remote Passport</a> is disabled.</p>
-</td>
-</tr>
-</table>
 
 **Note**  
 If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.

windows/keep-secure/vpn-profile-options.md

@@ -27,7 +27,7 @@ Always On is a new feature in Windows 10 which enables the active VPN profile to
 
 -   Network change
 
-When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > VPN profile > **Let apps automatically use this VPN connection**.
+When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* > **Let apps automatically use this VPN connection**.
 
 ## App-triggered VPN
 

windows/keep-secure/windows-defender-in-windows-10.md

@@ -76,7 +76,7 @@ For more information about what's new in Windows Defender in Windows 10, see [W
 <ul>
 <li>Group Policy Settings</li>
 <li>Windows Management Instrumentation (WMI)</li>
-<li>Windows PowerShell</li>
+<li>PowerShell</li>
 </ul></td>
 </tr>
 <tr class="even">
@@ -84,7 +84,7 @@ For more information about what's new in Windows Defender in Windows 10, see [W
 <td align="left"><p>IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS.</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-for-windows-10.md)</p></td>
+<td align="left"><p>[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)</p></td>
 <td align="left"><p>IT professionals can review information about <em>event IDs</em> in Windows Defender for Windows 10 and see any relevant action they can take.</p></td>
 </tr>
 </tbody>

windows/manage/app-inventory-managemement-for-windows-store-for-business.md

@@ -194,7 +194,7 @@ You can download offline-licensed apps from your inventory. You'll need to downl
 
 For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing-model).
 
-For more information about downloading offline-licensed apps, see [Download offline apps](../manage/download-offline-licensed-app.md).
+For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
 
  
 

windows/manage/configure-mdm-provider.md

@@ -44,6 +44,8 @@ After your management tool is added to your Azure AD directory, you can configur
 
 Your MDM tool is ready to use with Store for Business. Consult docs for your management tool to learn how to distribute apps from your synchronized inventory.
 
+See [Manage apps you purchased from Windows Store for Business with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx) to learn how to configure synchroniztion and deploy apps.
+
  
 
  

windows/manage/distribute-apps-with-a-management-tool.md

@@ -56,6 +56,13 @@ This diagram shows how you can use a management tool to distribute an online-lic
 
 ![](images/wsfb-online-distribute-mdm.png)
 
+## Related topics
+
+
+[Configure MDM Provider](../manage/configure-mdm-provider.md)
+
+[Manage apps you purchased from the Windows Store for Business with Micosoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
+
  
 
  

windows/manage/index.md

@@ -43,7 +43,7 @@ Learn about managing and updating Windows 10.
 </tr>
 <tr class="even">
 <td align="left"><p>[Manage corporate devices](manage-corporate-devices.md)</p></td>
-<td align="left"><p>You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), Windows PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.</p></td>
+<td align="left"><p>You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)</p></td>

windows/manage/join-windows-10-mobile-to-azure-active-directory.md

@@ -77,7 +77,7 @@ An added work account provides the same SSO experience in browser apps like Offi
 
 -   **Mobile device management**
 
-    An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or Enterprise Mobility Services (EMS) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](http://go.microsoft.com/fwlink/p/?LinkID=691615)
+    An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or Enterprise Mobility Suite (EMS) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](http://go.microsoft.com/fwlink/p/?LinkID=691615)
 
 -   **Microsoft Passport**
 

windows/manage/manage-corporate-devices.md

@@ -17,7 +17,7 @@ author: jdeckerMS
 -   Windows 10
 -   Windows 10 Mobile
 
-You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), Windows PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.
+You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.
 
 There are several options for managing Windows 10 on corporate-owned devices in an enterprise.
 

windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md

@@ -257,7 +257,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Classic Windo
 
 ### Configure Shell Launcher
 
-To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using Windows PowerShell.
+To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
 
 **To turn on Shell Launcher in Windows features**
 

windows/manage/windows-10-mobile-and-mdm.md

@@ -338,7 +338,7 @@ Table 5. Windows 10 Mobile account management settings
 It’s common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. [Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports.
 
 **Note**  
-In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password. Microsoft Passport for Work is supported only in Windows 10 for desktop and requires Configuration Manager. In addition, the device must be joined to a domain. For more information, see [Enable Microsoft Passport for work in the organization](http://go.microsoft.com/fwlink/p/?LinkId=723995).
+In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password.
 
  
 

windows/plan/index.md

@@ -85,7 +85,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
 
 [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911)
 
-[Windows 10 and Windows 10 Mobile](../index.md)
+[Windows 10 and Windows 10 Mobile](../p_ent_nodes/windows-10.md)
 
  
 

windows/plan/setup-and-deployment.md

@@ -90,6 +90,7 @@ Windows Update for Business allows administrators to control when upgrades and u
 </td>
 </tr>
 </table>
+
 Administrators can control deferral periods with Group Policy Objects by using the [Local Group Policy Editor (GPEdit)](http://go.microsoft.com/fwlink/p/?LinkId=734030) or, for domain joined systems, [Group Policy Management Console (GPMC)](http://go.microsoft.com/fwlink/p/?LinkId=699325). For additional details on Group Policy management see [Group Policy management for IT pros](http://go.microsoft.com/fwlink/p/?LinkId=699282).
 
 **Set different deferrals based on update classification in GPedit.msc**