Merge remote-tracking branch 'refs/remotes/origin/master' into live

2025-06-18 11:53:37 +00:00 · 2016-11-01 16:00:22 -07:00
parent 86f539ed44 a4a46c3380
commit 86532d830e
53 changed files with 90 additions and 175 deletions
--- a/windows/deploy/introduction-vamt.md
+++ b/windows/deploy/introduction-vamt.md
@ -22,18 +22,18 @@ VAMT can be installed on, and can manage, physical or virtual instances. VAMT ca
 -   [Enterprise Environment](#bkmk-enterpriseenvironment)
 -   [VAMT User Interface](#bkmk-userinterface)

-## Managing Multiple Activation Key (MAK) and Retail Activation
+## <a href="" id="bkmk-managingmak"></a>Managing Multiple Activation Key (MAK) and Retail Activation

 You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
 -   **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
 -   **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.

-## Managing Key Management Service (KMS) Activation
+## <a href="" id="bkmk-managingkms"></a>Managing Key Management Service (KMS) Activation

 In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
 VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.

-## Enterprise Environment
+## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise Environment

 VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.

@ -42,7 +42,7 @@ VAMT is commonly implemented in enterprise environments. The following illustrat
 In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
 The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.

-## VAMT User Interface
+## <a href="" id="bkmk-userinterface"></a>VAMT User Interface

 The following screenshot shows the VAMT graphical user interface.

--- a/windows/deploy/usmt-exclude-files-and-settings.md
+++ b/windows/deploy/usmt-exclude-files-and-settings.md
@ -32,7 +32,7 @@ If you specify an &lt;exclude&gt; rule, always specify a corresponding &lt;inclu

 -   [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)

-   [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-c-data-except-files-in-c-data-tmp)
+-   [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)

 -   [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)

@ -246,7 +246,7 @@ The following .xml file unconditionally excludes the system folders of `C:\Windo
   </component>
 </migration>
 ```
-## Create a Config.xml File
+## Create a Config XML File
 You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.

 -   **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the &lt;Applications&gt; section of the Config.xml file.
--- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
@ -37,7 +37,7 @@ In this topic:

 -   [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)

-   [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+-   [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)

 ## To add domain devices to the GPO membership group

--- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
@ -25,11 +25,11 @@ To complete these procedures, you must be a member of the Domain Administrators

 In this topic:

-   [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
+-   [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-group)

 -   [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)

-   [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+-   [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)

 ## To add test devices to the GPO membership groups

--- a/windows/keep-secure/advanced-security-audit-policy-settings.md
+++ b/windows/keep-secure/advanced-security-audit-policy-settings.md
@ -86,7 +86,7 @@ Logon/Logoff security policy settings and audit events allow you to track attemp

 Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.

-Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
+Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access).

 This category includes the following subcategories:

--- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
@ -117,7 +117,7 @@ When you need to recover the TPM owner information from AD DS and use it to man
 **To obtain TPM owner backup information from AD DS and create a password file**

 1.  Sign in to a domain controller by using domain administrator credentials.
-2.  Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
+2.  Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
 3.  Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
 4.  At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.

--- a/windows/keep-secure/bitlocker-frequently-asked-questions.md
+++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md
@ -319,7 +319,7 @@ When an administrator selects the **Require BitLocker backup to AD DS** check b

 For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).

-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.

 ## <a href="" id="bkmk-security"></a>Security

--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@ -80,7 +80,7 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the **

 3.	Click **Allow** from the **Windows Information Protection mode** drop-down list.

-    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.

 4.	Pick **Store App** from the **Rule template** drop-down list.

@ -164,7 +164,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the

 3.	Click **Allow** from the **Windows Information Protection mode** drop-down list.

-    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.

 4.	Pick **Desktop App** from the **Rule template** drop-down list.

@ -304,7 +304,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*

 3.	Click **Allow** from the **Windows Information Protection mode** drop-down list.

-    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+    Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.

 4.	Pick the **AppLocker policy file** from the **Rule template** drop-down list.

--- a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
@ -74,7 +74,7 @@ When finished, the files will be saved to your desktop. You can double-click the

 To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be added to the code integrity policy, and the catalog file can be distributed to the individual client computers. 

-For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe).
+For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtoolexe).

 For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](deploy-code-integrity-policies-steps.md#add-a-catalog-signing-certificate-to-a-code-integrity-policy).

--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@ -20,7 +20,7 @@ Hardware-based security features, also called virtualization-based security or V

 2.  **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).

-3.  **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+3.  **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).

 4.  **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic. 

@ -46,7 +46,7 @@ After you enable the feature or features, you can enable VBS for Device Guard, a

 ## Enable Virtualization Based Security (VBS) and Device Guard

-Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).

 There are multiple ways to configure VBS features for Device Guard: 

--- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
@ -40,7 +40,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
 2.  On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard.
 3.  If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard.

-    >**Note:**  If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.
+    >**Note:**  If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the **To set ownership of the TPM** procedure.
     
    >**Note:**  If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.
     
@ -57,7 +57,7 @@ To finish initializing the TPM for use, you must set an owner for the TPM. The p

 **To set ownership of the TPM**

-1.  If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard).
+1.  If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure **To start the TPM Initialization Wizard**.
 2.  In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**.
 3.  In the **Save your TPM owner password** dialog box, click **Save the password**.
 4.  In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*.
--- a/windows/keep-secure/isolating-apps-on-your-network.md
+++ b/windows/keep-secure/isolating-apps-on-your-network.md
@ -44,7 +44,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d

 -   [Prerequisites](#prerequisites)

-   [Step 1: Define your network](#step-1-Define-your-network)
+-   [Step 1: Define your network](#step-1-define-your-network)

 -   [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)

--- a/windows/keep-secure/local-accounts.md
+++ b/windows/keep-secure/local-accounts.md
@ -81,7 +81,7 @@ The default Administrator account is initially installed differently for Windows

 In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.

-In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#sec-administrator-security).
+In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#security-considerations).

 **Account group membership**

--- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
@ -30,7 +30,7 @@ The TPM Services Group Policy settings are located at:
 | [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X| 
 | [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||  
 | [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||  
-| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||  
+| [Standard User Individual Lockout Threshold](#individual)| X| X| X| X|||  
 | [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||

 ### <a href="" id="bkmk-tpmgp-addsbu"></a>Turn on TPM backup to Active Directory Domain Services
--- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
@ -193,5 +193,5 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind
 | ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled<br/>1 = Enabled |
 | EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled<br />1 (Default) = Enabled |
 | EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled<br />1 (Default) = Enabled |
-| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled<br />1 (Default) = Enabled |
+| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled<br />1 (Default) = Enabled |
 | EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled<br />1 (Default) = Enabled |
--- a/windows/keep-secure/windows-10-security-guide.md
+++ b/windows/keep-secure/windows-10-security-guide.md
@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv
 #### Introduction

 Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10:
-   [**Identity and access control**](#identity) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials.
+-   [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials.
 -   [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security.
 -   [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10.

@ -436,7 +436,7 @@ The functionality a TPM provides includes:

 Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits.

-Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
+Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measured-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.

 Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.

@ -576,7 +576,7 @@ The core functionality and protection of Device Guard starts at the hardware lev

 Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating system’s kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can't happen in the first place.

-Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dgwithcg) section.
+Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section.

 #### Device Guard with AppLocker

--- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@ -36,7 +36,7 @@ This guide is intended for IT pros, system administrators, and IT managers, and

 | Section | Description |
 | - | - |
-| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior|
+| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
 | [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules| 
 | [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`| 
 | [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters| 
--- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
@ -42,7 +42,7 @@ With Windows 10, you can continue to use traditional OS deployment, but you can

 <!-- The phrase "Windows Imaging and Configuration Designer (ICD)" below might need to be changed to "Windows Configuration Designer" -->

-   Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like Microsoft Intune.
+-   Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).

 -   Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx).

--- a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
@ -18,7 +18,6 @@ After you deploy User Experience Virtualization (UE-V) and its required features

 ## UE-V Configuration Pack supported features

-
 The UE-V Configuration Pack includes tools to:

 -   Create or update UE-V settings location template distribution baselines
@ -103,10 +102,9 @@ It might be necessary to change the PowerShell execution policy to allow these s
 1.  Select **Administration &gt; Client Settings &gt; Properties**

 2.  In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass**
-
  

-**Create the first UE-V policy configuration item**
+<a href="" id="create"></a>**Create the first UE-V policy configuration item**

 1.  Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console:

@ -173,8 +171,7 @@ It might be necessary to change the PowerShell execution policy to allow these s

 3.  Reimport the CAB file. The version in ConfigMgr will be updated.

-## Generate a UE-V Template Baseline
-
+<a href="" id="create2"></a>## Generate a UE-V Template Baseline

 UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality.

--- a/windows/manage/uev-prepare-for-deployment.md
+++ b/windows/manage/uev-prepare-for-deployment.md
@ -25,8 +25,6 @@ Whether you want to synchronize settings for only default Windows applications o

 -   [Define a settings storage location](uev-deploy-required-features.md#ssl)

-   [Decide how to manage UE-V configurations](#config)
-
 -   [Enable the UE-V service](uev-deploy-required-features.md#enable-the-ue-v-service) on user computers

 If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you’ll need to install and configure these optional additional UE-V features: