Merge remote-tracking branch 'origin/master' into atp-api-danm

windows/security/TOC.md

@@ -1,7 +1,6 @@
 # [Security](index.yml)
 ## [Identity and access management](identity-protection/index.md)
 ## [Information protection](information-protection/index.md)
-## [Hardware-based protection](hardware-protection/index.md)
 ## [Threat protection](threat-protection/index.md)
 
 

windows/security/hardware-protection/TOC.md

@@ -1,21 +0,0 @@
-# [Hardware-based protection](index.md)
-
-## [Encrypted Hard Drive](encrypted-hard-drive.md)
-
-## [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md)
-
-## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
-
-## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
-### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
-### [TPM fundamentals](tpm/tpm-fundamentals.md)
-### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
-### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
-### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
-### [Manage TPM commands](tpm/manage-tpm-commands.md)
-### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
-### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
-### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
-### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
-### [TPM recommendations](tpm/tpm-recommendations.md)
-

windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md

@@ -1,51 +0,0 @@
----
-title: How hardware-based containers help protect Windows 10 (Windows 10)
-description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: justinha
-ms.date: 06/29/2017
----
-
-# How hardware-based containers help protect Windows 10
-
-Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. 
-Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard. 
-
-Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees:
-
-- Protect and maintain the integrity of the system as it starts up
-- Protect and maintain the integrity of the system after it's running
-- Validate that system integrity has truly been maintained through local and remote attestation
-
-## Maintaining the integrity of the system as it starts
-
-With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
-
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s [Secure Boot feature](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-8.1-and-8/hh824987), which is part of the Unified Extensible Firmware Interface (UEFI). 
-
-After successful verification and startup of the device’s firmware and Windows bootloader, the next opportunity for attackers to tamper with the system’s integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection. 
-
-This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the system’s antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasn’t been compromised before the remainder of your system defenses start.
-
-![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
-
-## Maintaining integrity of the system after it’s running (run time)
-
-Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary.
-
-With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few.
-
-![Windows Defender System Guard](images/windows-defender-system-guard.png) 
-
-## Validating platform integrity after Windows is running (run time)
-
-While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
-
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
-
-![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png) 
-

windows/security/hardware-protection/index.md

@@ -1,21 +0,0 @@
----
-title: Hardware-based Protection (Windows 10)
-description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 02/05/2018
----
-
-# Hardware-based protection
-
-Windows 10 leverages these hardware-based security features to protect and maintain system integrity.
-
-| Section | Description |
-|-|-|
-| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
-|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.|
-|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.|
-| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |

windows/security/identity-protection/TOC.md

@@ -17,7 +17,7 @@
 
 ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
 
-## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
+## [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md)
 
 ## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
 ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
@@ -28,7 +28,6 @@
 ### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
 ### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
 
-
 ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
 
 ## [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md)

windows/security/identity-protection/access-control/local-accounts.md

@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.date: 04/19/2017
+ms.date: 07/30/2018
 ---
 
 # Local Accounts
@@ -114,11 +114,11 @@ Even when the Administrator account has been disabled, it can still be used to g
 
 ### <a href="" id="sec-guest"></a>Guest account
 
-The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
+The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
 
 **Account group membership**
 
-By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
+By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
 
 **Security considerations**
 

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md

@@ -23,16 +23,16 @@ Hybrid environments are distributed systems that enable organizations to use on-
 
 The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure.  High-level pieces of the infrastructure include:
 * [Directories](#directories)
-* [Public Key Infrastucture](#public-key-infastructure)
+* [Public Key Infrastructure](#public-key-infrastructure)
 * [Directory Synchronization](#directory-synchronization)
 * [Federation](#federation)
 * [MultiFactor Authetication](#multifactor-authentication)
 * [Device Registration](#device-registration)
   
 ## Directories ##
-Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory.  The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. The 
+Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory.  The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.  
 
-A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription.  The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
+A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription.  The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
 
 You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.  However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business.  Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
  
@@ -52,13 +52,13 @@ Review these requirements and those from the Windows Hello for Business planning
 ## Public Key Infrastructure ##
 The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
 
-Key trust deployments do not need client issued certificates for on-premises authentication.  Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Diretory object.
+Key trust deployments do not need client issued certificates for on-premises authentication.  Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
 
 The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012.
 
 > [!IMPORTANT]
 > For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
-> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store.
+> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
 > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.
 
 ### Section Review
@@ -99,12 +99,12 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
 > [!div class="checklist"]
 > * Azure MFA Service
 > * Windows Server 2016 AD FS and Azure (optional, if federated)
-> * Windows Server 2016 AD FS and third party MFA Adapter (optional, if federated)
+> * Windows Server 2016 AD FS and third-party MFA Adapter (optional, if federated)
 
 <br>
 
 ## Device Registration ##
-Organizations wanting to deploy hybrid key trust need thier domain joined devices to register to Azure Active Directory.  Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud.  This ensures that only approved computers are used with that Azure Active Directory.  Each computer registers its identity in Azure Active Directory. 
+Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory.  Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud.  This ensures that only approved computers are used with that Azure Active Directory.  Each computer registers its identity in Azure Active Directory. 
  
 
 ### Section Checklist ###
@@ -114,11 +114,11 @@ Organizations wanting to deploy hybrid key trust need thier domain joined device
 <br>
 
 ### Next Steps ###
-Follow the Windows Hello for Business hybrid key trust deployment guide.  For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**.  
+Follow the Windows Hello for Business hybrid key trust deployment guide.  For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**.  
 
-For environments transitioning from on-premises to hybrid, start with  **Configure Azure Directory Syncrhonization**. 
+For environments transitioning from on-premises to hybrid, start with  **Configure Azure Directory Synchronization**. 
 
-For federerated and non-federated environments, start with **Configure Windows Hello for Business settings**.
+For federated and non-federated environments, start with **Configure Windows Hello for Business settings**.
 
 > [!div class="op_single_selector"]
 > - [New Installation Baseline](hello-hybrid-key-new-install.md)
@@ -131,7 +131,7 @@ For federerated and non-federated environments, start with **Configure Windows H
 
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
 1. [Overview](hello-hybrid-key-trust.md)
-2. Prerequistes (*You are here*)
+2. Prerequisites (*You are here*)
 3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md

@@ -45,11 +45,11 @@ The provisioning flow has all the information it needs to complete the Windows H
 * A fresh, successful multi-factor authentication
 * A validated PIN that meets the PIN complexity requirements
 
-The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key.  When key registration completes, Windows Hello for Business provisioning informs the user  they can use their PIN to sign-in.  The user may close the provisiong application and see their desktop.  While the user has completed provisioning, Azure AD Connect syncrhonizes the user's key to Active Directory.   
+The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key.  When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in.  The user may close the provisioning application and see their desktop.  While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory.   
 
 > [!IMPORTANT]
-> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. 
-> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
+> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. 
+> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
 > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
 
 > [!NOTE]

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md

@@ -18,7 +18,7 @@ ms.date: 10/23/2017
 
 >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
 
-Configure the appropriate security groups to effeiciently deploy Windows Hello for Business to users. 
+Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. 
 
 
 ### Creating Security Groups
@@ -58,4 +58,4 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
 6. Configure Windows Hello for Business settings: Active Directory (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md

@@ -19,13 +19,13 @@ ms.date: 10/23/2017
 
 >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
 
-Windows Hello for Business deployments rely on certificates.  Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer.
+Windows Hello for Business deployments rely on certificates.  Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
 
 All deployments use enterprise issued certificates for domain controllers as a root of trust. 
 
-## Certifcate Templates
+## Certificate Templates
 
-This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. 
+This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. 
 
 ### Domain Controller certificate template
 
@@ -49,7 +49,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
 7.	On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.  Click **OK**. 
 8.	Close the console.
 
-#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template
+#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
 
 Many domain controllers may have an existing domain controller certificate.  The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template.  Later releases provided a new certificate template--the domain controller authentication certificate template.  These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.  
 
@@ -108,7 +108,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
 
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
 1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
 3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md

@@ -67,7 +67,7 @@ The Windows Hello for Business Group Policy object delivers the correct Group Po
 
 #### Enable Windows Hello for Business
 
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business.  A user will only attempt enrollment if this policy setting is configured to enabled.  
+The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business.  A user will only attempt enrollment if this policy setting is configured to enabled.  
 
 You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment.  Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
 
@@ -163,7 +163,7 @@ Users must receive the Windows Hello for Business group policy settings and have
 
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
 1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
 3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md

@@ -21,7 +21,7 @@ ms.date: 10/23/2017
 You are ready to configure your hybrid key trust environment for Windows Hello for Business.
   
 > [!IMPORTANT]
-> Ensure your environment meets all the [prerequistes](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment.  
+> Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment.  
 
 The configuration for Windows Hello for Business is grouped in four categories.  These categories are: 
 * [Active Directory](hello-hybrid-key-whfb-settings-ad.md)
@@ -45,4 +45,4 @@ For the most efficent deployment, configure these technologies in order beginnin
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
 6. Configure Windows Hello for Business settings (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md

@@ -7,54 +7,46 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: justinha
-ms.date: 06/29/2017
+ms.date: 08/01/2018
 ---
 
-# How hardware-based containers help protect Windows 10
+
+# Windows Defender System Guard: How hardware-based containers help protect Windows 10
 
 Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. 
 Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard. 
 
-Protecting system services and data with Windows Defender System Guard is an important first step, but is just the beginning of what we need to do as it doesn’t protect the rest of the operating system, information on the device, other apps, or the network. 
-Since systems are generally compromised through the application layer, and often though browsers, Windows 10 includes Windows Defender Application Guard to isolate Microsoft Edge from the operating system, information on the device, and the network. 
-With this, Windows can start to protect the broader range of resources.
+Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees:
 
-The following diagram shows Windows Defender System Guard and Windows Defender Application Guard in relation to the Windows 10 operating system.
+- Protect and maintain the integrity of the system as it starts up
+- Protect and maintain the integrity of the system after it's running
+- Validate that system integrity has truly been maintained through local and remote attestation
 
-![Application Guard and System Guard](images/application-guard-and-system-guard.png)
+## Maintaining the integrity of the system as it starts
 
-## What security threats do containers protect against
+With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
 
-Exploiting zero days and vulnerabilities are an increasing threat that attackers are attempting to take advantage of. 
-The following diagram shows the traditional Windows software stack: a kernel with an app platform, and an app running on top of it. 
-Let’s look at how an attacker might elevate privileges and move down the stack.
+With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 
 
-![Traditional Windows software stack](images/traditional-windows-software-stack.png)
+After successful verification and startup of the device’s firmware and Windows bootloader, the next opportunity for attackers to tamper with the system’s integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection. 
 
-In desktop operating systems, those apps typically run under the context of the user’s privileges. 
-If the app was malicious, it would have access to all the files in the file system, all the settings that you as a user Standard user have access to, and so on. 
+This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the system’s antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasn’t been compromised before the remainder of your system defenses start.
 
-A different type of app may run under the context of an Administrator. 
-If attackers exploit a vulnerability in that app, they could gain Administrator privileges. 
-Then they can start turning off defenses. 
+![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
 
-They can poke down a little bit lower in the stack and maybe elevate to System, which is greater than Administrator. 
-Or if they can exploit the kernel mode, they can turn on and turn off all defenses, while at the same time making the computer look healthy. 
-SecOps tools could report the computer as healthy when in fact it’s completely under the control of someone else.
+## Maintaining integrity of the system after it’s running (run time)
 
-One way to address this threat is to use a sandbox, as smartphones do. 
-That puts a layer between the app layer and the Windows platform services. 
-Universal Windows Platform (UWP) applications work this way. 
-But what if a vulnerability in the sandbox exists? 
-The attacker can escape and take control of the system.
+Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary.
 
-## How containers help protect Windows 10
+With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few.
 
-Windows 10 addresses this by using virtualization based security to isolate more and more components out of Windows (left side) over time and moving those components into a separate, isolated hardware container. 
-The container helps prevent zero days and vulnerabilities from allowing an attacker to take control of a device.
+![Windows Defender System Guard](images/windows-defender-system-guard.png) 
 
-Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised. 
-Anything that's running in that container will also be secure against a compromised app. 
-Initially, Windows Defender System Guard will protect things like authentication and other system services and data that needs to resist malware, and more things will be protected over time.
+## Validating platform integrity after Windows is running (run time)
 
-![Windows Defender System Guard](images/windows-defender-system-guard.png)
+While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
+
+As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
+
+
+![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)

windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md

@@ -6,8 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
-ms.date: 04/19/2017
+author: Justinha
+ms.date: 07/30/2018
 ---
 
 # Configure the Workstation Authentication Certificate Template
@@ -36,7 +36,7 @@ To complete these procedures, you must be a member of both the Domain Admins gro
 
 6.  Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**.
 
-7.  Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048.
+7.  Click the **Cryptography** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048.
 
 8.  Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**.
 

windows/security/index.yml

@@ -85,10 +85,10 @@ sections:
       Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
       <br>&nbsp;<br>
       <table border='0'><tr><td><b>Attack surface reduction</b></td><td><b>Next generation protection</b></td><td><b>Endpoint detection and response</b></td><td><b>Auto investigation and remediation</b></td><td><b>Security posture</b></td></tr>
-      <tr><td>[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
-      <td>[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br>[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)<br><br>[Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)</td>
-      <td>[Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br>[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)</td>
-      <td>[Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)</td>
+      <tr><td>[Hardware based isolation](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
+      <td>[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br>[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)<br><br>[Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)</td>
+      <td>[Alerts queue](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br>[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)</td>
+      <td>[Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)</td>
       <td>[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)<br><br>[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)</td>
       </tr>
       </table>"

windows/security/information-protection/TOC.md

@@ -28,6 +28,7 @@
 #### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md)
 ### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
 
+## [Encrypted Hard Drive](encrypted-hard-drive.md)
 
 ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
 ### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
@@ -53,3 +54,20 @@
 #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
 ### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)
 
+## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
+
+## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
+### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
+### [TPM fundamentals](tpm/tpm-fundamentals.md)
+### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
+### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
+### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
+### [Manage TPM commands](tpm/manage-tpm-commands.md)
+### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
+### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
+### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
+### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
+### [TPM recommendations](tpm/tpm-recommendations.md)
+
+
+

windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md

@@ -351,6 +351,7 @@ The following steps can be used to configure Network Unlock on these older syste
 6.  [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix)
 
     Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
+
         certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
         reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
         reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f

windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md

@@ -85,13 +85,13 @@ DMA-based expansion slots are another avenue of attack, but these slots generall
 
 To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device.
 
-### Hyberfil.sys Attacks
+### Hiberfil.sys Attacks
 
-The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file.
+The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file.
 
-Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
+Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
 
-In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
+In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
 
 ### Memory Remanence Attacks
 

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 author: justinha
 ms.author: justinha
 ms.localizationpriority: medium
-ms.date: 07/10/2018
+ms.date: 08/08/2018
 ---
 
 # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@@ -348,14 +348,14 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
 
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**.
 
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 
 **To add your protection mode**
 
-1.	From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
+1.	From the **App protection policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
     
     The **Required settings** blade appears.
 
@@ -363,7 +363,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 
     |Mode |Description |
     |-----|------------|
-    |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+    |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
     |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
     |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
     |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 ms.author: justinha
-ms.date: 05/30/2018
+ms.date: 08/08/2018
 ms.localizationpriority: medium
 ---
 
@@ -308,11 +308,11 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
 
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Block**.
 
 |Mode |Description |
 |-----|------------|
-|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Block|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|

windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md

@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: justinha
 ms.author: justinha
-ms.date: 05/30/2018
+ms.date: 08/08/2018
 localizationpriority: medium
 ---
 
@@ -377,7 +377,7 @@ In the **Required settings** blade you must pick your Windows Information Protec
 ### Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
 
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**.
 
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
@@ -392,7 +392,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 
     |Mode |Description |
     |-----|------------|
-    |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+    |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
     |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
     |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
     |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
@@ -420,7 +420,7 @@ In the **Advanced settings** blade you must specify where apps can access your c
 ### Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
 
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+Intune will add SharePoint sites that are discovered through the Graph API. You must add other network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
 
 >[!Important]
 >Every WIP policy should include policy that defines your enterprise network locations.<br>Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.

windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: justinha
 ms.localizationpriority: medium
-ms.date: 10/16/2017
+ms.date: 08/08/2018
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -340,14 +340,14 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP-protection level for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
 
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**.
+We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
 
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 
 |Mode |Description |
 |-----|------------|
-|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|

windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: justinha
 ms.localizationpriority: medium
-ms.date: 09/11/2017
+ms.date: 08/08/2018
 ---
 
 # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune

windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md

@@ -77,13 +77,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
 
     -   **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
 
-    - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+    - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
 
     -   **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
     
         You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
 
-    -   **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+    -   **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 
 
     -   **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
@@ -132,7 +132,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
 
 |Mode|Description|
 |----|-----------|
-|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
 |Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
 |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |

windows/security/information-protection/windows-information-protection/wip-learning.md

@@ -10,7 +10,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: coreyp-at-msft
 ms.localizationpriority: medium
-ms.date: 04/18/2018
+ms.date: 08/08/2018
 ---
 
 # Fine-tune Windows Information Protection (WIP) with WIP Learning
@@ -21,16 +21,16 @@ ms.date: 04/18/2018
 
 With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
 
-The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
+The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
 
 In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
 
-## Access the WIP Learning reports
-
-1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter.
-
+## Access the WIP Learning reports
+
+1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter.
+
 2. Choose **Intune** > **Mobile Apps**.
-
+
 3. Choose **App protection status**.
 
 4. Choose **Reports**. 
@@ -95,7 +95,7 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol
 
 9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
 
-When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
+When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
 
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/security/threat-protection/TOC.md

@@ -306,18 +306,18 @@
 ###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
 #### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
-#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
+##### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
 #### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
-#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
+##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+##### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
 #### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
-#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
 
 
 
@@ -387,10 +387,10 @@
 ###### [Audit process tracking](auditing/basic-audit-process-tracking.md)
 ###### [Audit system events](auditing/basic-audit-system-events.md)
 
-##### [Advanced security audit policies](auditing/advanced-security-auditing.md)
-###### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
-###### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
-####### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+#### [Advanced security audit policies](auditing/advanced-security-auditing.md)
+##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
+##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
+###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
 
 ###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
 ####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
@@ -731,7 +731,7 @@
 
 
 
-#### [Security policy settings](security-policy-settings/security-policy-settings.md)
+### [Security policy settings](security-policy-settings/security-policy-settings.md)
 #### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
 ##### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
 #### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
@@ -908,8 +908,8 @@
 
 
 ### [Windows security baselines](windows-security-baselines.md)
-### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
-### [Get support](get-support-for-security-baselines.md)
+#### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+#### [Get support](get-support-for-security-baselines.md)
 
 ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
 

windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md

@@ -1,6 +1,6 @@
 ---
-title: Windows Defender Device Guard - virtualization-based security and code integrity policies (Windows 10)
-description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security.
+title: Windows Defender Application Control Configurable Code Integrity and Virtualization-based security  (Windows 10)
+description: Microsoft Windows 10 has a feature set that consists of both hardware and software system integrity hardening capabilites that revolutionize the Windows operating system’s security.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,36 +9,37 @@ author: mdsakibMSFT
 ms.date: 04/19/2018
 ---
 
-# Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control
+# Windows Defender Application Control Configurable Code Integrity and Virtualization-based security (aka Windows Defender Device Guard)
 
 **Applies to**
 -   Windows 10
 -   Windows Server 2016
 
-With Windows 10, we introduced Windows Defender Device Guard, a set of hardware and OS technologies that, when configured together, allow enterprises to lock down Windows systems so they operate with many of the properties of mobile devices. 
-In this configuration, Device Guard restricts devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). 
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). 
 
-Configurable CI has these advantages over other solutions:
+Configurable CI and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. Starting with the Windows 10 Anniversary Update (1607), this combined "configuration state" of Configurable CI and HVCI has been referred to as Windows Defender Device Guard. 
+
+Using Configurable CI to restrict devices to only autherized apps has these advantages over other solutions:
 
 1. Configurable CI policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 
 2. Configurable CI allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. 
-3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. Then changing the policy requires administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker or malware that managed to gain administrative privilege to alter the application control policy. 
+3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy. 
 4. The entire configurable CI enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable CI or any other application control solution.
 
 ## (Re-)Introducing Windows Defender Application Control
 
-When we originally designed Device Guard it was built with a specific security promise in mind. Although there were no direct dependencies between its two main OS features, configurable CI and HVCI, we intentionally focused our marketing story around the Device Guard lockdown state you achieve when deploying them together. 
+When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable CI and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together. 
 
-However, this unintentionally left an impression for many customers that the two features were inexorably linked and could not be deployed separately. 
-And given that HVCI relies on the Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. 
+However, the use of the term Device Guard to describe this configuration state has unintentionally left an impression for many IT professionals that the two features were inexorably linked and could not be deployed separately. 
+Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. 
 
-As a result, many customers assumed that they couldn’t use configurable CI either. 
-But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many customers were wrongly denied the benefits of this powerful application control capability.
+As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable CI either. 
+But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
 
-Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. So we are promoting configurable CI within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). 
-We hope this branding change will help us better communicate options for adopting application control within an organization.
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable CI as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). 
+We hope this change will help us better communicate options for adopting application control within an organization.
 
-Does this mean Windows Defender Device Guard is going away? Not at all. Device Guard will continue to exist as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original Device Guard scenario.
+Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device Guard will continue to be used as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original "Device Guard" locked down scenario for Windows 10 based devices.
 
 ## Related topics
 

windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md

@@ -366,7 +366,7 @@ The following table details the hardware requirements for both virtualization-ba
 </tr>
 <tr class="odd">
 <td align="left"><p>Trusted Platform Module (TPM) </p></td>
-<td align="left"><p>Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported; TPM 1.2 is also supported beginnning with Windows 10, version 1703.</p></td>
+<td align="left"><p>Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)</p></td>
 </tr>
 </tbody>
 </table>

windows/security/threat-protection/security-policy-settings/account-lockout-policy.md

@@ -25,8 +25,8 @@ The following topics provide a discussion of each policy setting's implementatio
 
 | Topic | Description |
 | - | - |
-| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
 | [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. |
+| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
 | [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |
  
 ## Related topics

windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md

@@ -50,7 +50,7 @@ By default, the members of the following groups have this right on domain contro
 
 ### Location
 
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
+Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
 
 ### Default values
 

windows/security/threat-protection/security-policy-settings/minimum-password-age.md

@@ -19,7 +19,7 @@ Describes the best practices, location, values, policy management, and security
 
 ## Reference
 
-The **Minimum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If [Maximum password age](maximum-password-age.md) is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, **Minimum password age** can be any value between 0 and 998 days.
+The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
 
 ### Possible values
 

windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md

@@ -26,7 +26,7 @@ When a service connects with the device identity, signing and encryption are sup
 ### Possible values
 
 | Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
-| - | - |
+| - | - | - | 
 | Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. |
 | Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.|
 |Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| 

windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md

@@ -40,16 +40,17 @@ ms.date: 07/10/2018
 You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
 
 
-## Quick scan versus full scan
+## Quick scan versus full scan and custom scan
 
 Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
 
-Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md), which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
 
 In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
 
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. 
 
+A custom scan allows you to specify files or folders to scan, such as a USB drive. 
 
 **Use the mpcmdrum.exe command-line utility to run a scan:**
 

windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md

@@ -60,7 +60,7 @@ To configure the Group Policy settings described in this topic:
 
 Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
 
-## Quick scan versus full scan
+## Quick scan versus full scan and custom scan
 
 When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
 
@@ -72,6 +72,8 @@ In most instances, this means a quick scan is adequate to find malware that wasn
 
 A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
 
+A custom scan allows you to specify the files and folders to scan, such as a USB drive.  
+
 ## Set up scheduled scans
 
 Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.

windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 09/21/2017
+ms.date: 08/02/2018
 ---
 
 # Delete an AppLocker rule
@@ -16,7 +16,7 @@ ms.date: 09/21/2017
  -   Windows 10 
  -   Windows Server
 
-This topic for IT professionals describes the steps to delete an AppLocker rule.
+This topic for IT professionals describes the steps to delete an AppLocker rule. 
 
 As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running.
 
@@ -25,6 +25,8 @@ For info about testing an AppLocker policy to see what rules affect which files
 You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer 
 AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
 
+These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings.
+
 **To delete a rule in an AppLocker policy**
 
 1.  Open the AppLocker console.
@@ -43,6 +45,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML
       <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
       <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
       <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
+      <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
     </AppLockerPolicy>
 
 To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules:

windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md

@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 author: jsuther1974
-ms.date: 07/16/2018
+ms.date: 08/16/2018
 ---
 
 # Microsoft recommended block rules
@@ -134,7 +134,9 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
   <Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
   <Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
-  <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
+  <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
+  <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" /> 
+  <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />   
   <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/> 
   <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/> 
   <Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40"/> 
@@ -681,7 +683,29 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <Deny ID="ID_DENY_D_580" FriendlyName="PowerShellShell 580" Hash="8838FE3D8E2505F3D3D8B98C64739115838A0B443BBBBFB487342F1EE7801360"/>
   <Deny ID="ID_DENY_D_581" FriendlyName="PowerShellShell 581" Hash="28C5E53DE197E872F7E4772BF40F728F56FE3ACC"/>
   <Deny ID="ID_DENY_D_582" FriendlyName="PowerShellShell 582" Hash="3493DAEC6EC03E56ECC4A15432C750735F75F9CB38D8779C7783B4DA956BF037"/>
-
+  <Deny ID="ID_DENY_D_585" FriendlyName="PowerShellShell 585" Hash="DBB5A6F5388C574A3B5B63E65F7810AB271E9A77"/>
+  <Deny ID="ID_DENY_D_586" FriendlyName="PowerShellShell 586" Hash="6DB24D174CCF06C9138B5A9320AE4261CA0CF305357DEF1B7054DD84758E92AB"/>
+  <Deny ID="ID_DENY_D_587" FriendlyName="PowerShellShell 587" Hash="757626CF5D444F5A4AF79EDE38E9EF65FA2C9802"/>
+  <Deny ID="ID_DENY_D_588" FriendlyName="PowerShellShell 588" Hash="1E17D036EBB5E82BF2FD5BDC3ABAB08B5EA9E4504D989D2BAAAA0B6047988996"/>
+  <Deny ID="ID_DENY_D_589" FriendlyName="PowerShellShell 589" Hash="2965DC840B8F5F7ED2AEC979F21EADA664E3CB70"/>
+  <Deny ID="ID_DENY_D_590" FriendlyName="PowerShellShell 590" Hash="5449560095D020687C268BD34D9425E7A2739E1B9BFBC0886142519293E02B9D"/>
+  <Deny ID="ID_DENY_D_591" FriendlyName="PowerShellShell 591" Hash="BB47C1251866F87723A7EDEC9A01D3B955BAB846"/>
+  <Deny ID="ID_DENY_D_592" FriendlyName="PowerShellShell 592" Hash="B05F3BE23DE6AE2557D6661C6FE35E114E8A69B326A3C855023B7AC5CE9FC31B"/>
+  <Deny ID="ID_DENY_D_593" FriendlyName="PowerShellShell 593" Hash="2F3D30827E02D5FEF051E54C74ECA6AD4CC4BAD2"/>
+  <Deny ID="ID_DENY_D_594" FriendlyName="PowerShellShell 594" Hash="F074589A1FAA76A751B05AD61B968683134F3FFC10DE3077FBCEE4E263EAEB0D"/>
+  <Deny ID="ID_DENY_D_595" FriendlyName="PowerShellShell 595" Hash="10096BD0A359142A13F2B8023A341C79A4A97975"/>
+  <Deny ID="ID_DENY_D_596" FriendlyName="PowerShellShell 596" Hash="A271D72CDE48F69EB694B753BF9417CD6A72F7DA06C52E47BAB40EC2BD9DD819"/>
+  <Deny ID="ID_DENY_D_597" FriendlyName="PowerShellShell 597" Hash="F8E803E1623BA66EA2EE0751A648834130B8BE5D"/>
+  <Deny ID="ID_DENY_D_598" FriendlyName="PowerShellShell 598" Hash="E70DB033B773FE01B1D4464CAC112AF41C09E75D25FEA25AE8DAE67ED941E797"/>
+  <Deny ID="ID_DENY_D_599" FriendlyName="PowerShellShell 599" Hash="665BE52329F9CECEC1CD548A1B4924C9B1F79BD8"/>
+  <Deny ID="ID_DENY_D_600" FriendlyName="PowerShellShell 600" Hash="24CC5B946D9469A39CF892DD4E92117E0E144DC7C6FAA65E71643DEAB87B2A91"/>
+  <Deny ID="ID_DENY_D_601" FriendlyName="PowerShellShell 601" Hash="C4627F2CF69A8575D7BF7065ADF5354D96707DFD"/>
+  <Deny ID="ID_DENY_D_602" FriendlyName="PowerShellShell 602" Hash="7F1DF759C050E0EF4F9F96FF43904B418C674D4830FE61818B60CC68629F5ABA"/>
+  <Deny ID="ID_DENY_D_603" FriendlyName="PowerShellShell 603" Hash="4126DD5947E63DB50AD5C135AC39856B6ED4BF33"/>
+  <Deny ID="ID_DENY_D_604" FriendlyName="PowerShellShell 604" Hash="B38E1198F82E7C2B3123984C017417F2A48BDFF5B6DBAD20B2438D7B65F6E39F"/>
+  <Deny ID="ID_DENY_D_605" FriendlyName="PowerShellShell 605" Hash="DE16A6B93178B6C6FC33FBF3E9A86CFF070DA6D3"/>
+  <Deny ID="ID_DENY_D_606" FriendlyName="PowerShellShell 606" Hash="A3EF9A95D1E859958DEBE44C033B4562EBB9B4C6E32005CA5C07B2E07A42E2BE"/>
+  
   <!-- pubprn.vbs
   --> 
   <!-- rs2 x86fre
@@ -767,7 +791,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
   --> 
   <Deny ID="ID_DENY_D_583" FriendlyName="Winrm 583" Hash="3FA2D2963CBF47FFD5F7F5A9B4576F34ED42E552"/> 
   <Deny ID="ID_DENY_D_584" FriendlyName="Winrm 584" Hash="6C96E976DC47E0C99B77814E560E0DC63161C463C75FA15B7A7CA83C11720E82"/> 
- 
+
   </FileRules>
   <!-- Signers
   --> 
@@ -814,7 +838,9 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <FileRuleRef RuleID="ID_DENY_LXRUN"/> 
   <FileRuleRef RuleID="ID_DENY_PWRSHLCUSTOMHOST"/> 
   <FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM"/> 
-  <FileRuleRef RuleID="ID_DENY_WMIC"/> 
+  <FileRuleRef RuleID="ID_DENY_WMIC"/>
+  <FileRuleRef RuleID="ID_DENY_MWFC" /> 
+  <FileRuleRef RuleID="ID_DENY_WFC" />   
   <FileRuleRef RuleID="ID_DENY_D_1"/> 
   <FileRuleRef RuleID="ID_DENY_D_2"/> 
   <FileRuleRef RuleID="ID_DENY_D_3"/> 
@@ -1399,6 +1425,28 @@ Microsoft recommends that you block the following Microsoft-signed applications
   <FileRuleRef RuleID="ID_DENY_D_582"/>
   <FileRuleRef RuleID="ID_DENY_D_583"/>
   <FileRuleRef RuleID="ID_DENY_D_584"/>
+  <FileRuleRef RuleID="ID_DENY_D_585"/>
+  <FileRuleRef RuleID="ID_DENY_D_586"/>
+  <FileRuleRef RuleID="ID_DENY_D_587"/>
+  <FileRuleRef RuleID="ID_DENY_D_588"/>
+  <FileRuleRef RuleID="ID_DENY_D_589"/>
+  <FileRuleRef RuleID="ID_DENY_D_590"/>
+  <FileRuleRef RuleID="ID_DENY_D_591"/>
+  <FileRuleRef RuleID="ID_DENY_D_592"/>
+  <FileRuleRef RuleID="ID_DENY_D_593"/>
+  <FileRuleRef RuleID="ID_DENY_D_594"/>
+  <FileRuleRef RuleID="ID_DENY_D_595"/>
+  <FileRuleRef RuleID="ID_DENY_D_596"/>
+  <FileRuleRef RuleID="ID_DENY_D_597"/>
+  <FileRuleRef RuleID="ID_DENY_D_598"/>
+  <FileRuleRef RuleID="ID_DENY_D_599"/>
+  <FileRuleRef RuleID="ID_DENY_D_600"/>
+  <FileRuleRef RuleID="ID_DENY_D_601"/>
+  <FileRuleRef RuleID="ID_DENY_D_602"/>
+  <FileRuleRef RuleID="ID_DENY_D_603"/>
+  <FileRuleRef RuleID="ID_DENY_D_604"/>
+  <FileRuleRef RuleID="ID_DENY_D_605"/>
+  <FileRuleRef RuleID="ID_DENY_D_606"/>
   </FileRulesRef>
   </ProductSigners>
   </SigningScenario>

windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 06/13/2018
+ms.date: 08/15/2018
 ---
 
 # Query data using Advanced hunting in Windows Defender ATP
@@ -51,7 +51,8 @@ First, we define a time filter to review only records from the previous seven da
 
 We then add a filter on the _FileName_  to contain only instances of _powershell.exe_.
 
-Afterwards, we add a filter on the _ProcessCommandLine_
+Afterwards, we add a filter on the _ProcessCommandLine_. 
+
 Finally, we  project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
 
 You have the option of expanding the screen view so you can focus on your hunting query and related results.

windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 07/16/2018
 ---
 

windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -127,14 +127,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
 
 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
 The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP  services. For example:
-  ```text
-  Testing URL : https://xxx.microsoft.com/xxx
-  1 - Default proxy: Succeeded (200)
-  2 - Proxy auto discovery (WPAD): Succeeded (200)
-  3 - Proxy disabled: Succeeded (200)
-  4 - Named proxy: Doesn't exist
-  5 - Command line proxy: Doesn't exist              
-  ```
+      ```text
+      Testing URL : https://xxx.microsoft.com/xxx
+      1 - Default proxy: Succeeded (200)
+      2 - Proxy auto discovery (WPAD): Succeeded (200)
+      3 - Proxy disabled: Succeeded (200)
+      4 - Named proxy: Doesn't exist
+      5 - Command line proxy: Doesn't exist              
+      ```
 
 If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method. <br><br>
 

windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md

@@ -8,8 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 05/08/2018
+ms.localizationpriority: high
+ms.date: 08/08/2018
 ---
 
 # Onboard servers to the Windows Defender ATP service
@@ -36,12 +36,23 @@ The service supports the onboarding of the following servers:
 
 To onboard your servers to Windows Defender ATP, you’ll need to:
 
+- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
 - Turn on server monitoring from the Windows Defender Security Center portal.
 - If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
 
 >[!TIP]
 > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
 
+### Configure and update System Center Endpoint Protection clients
+>[!IMPORTANT]
+>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
+
+Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
+
+The following steps are required to enable this integration: 
+- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) 
+- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
+
 
 ### Turn on Server monitoring from the Windows Defender Security Center portal
 
@@ -89,11 +100,9 @@ Agent Resource    |    Ports
 ## Onboard Windows Server, version 1803
 You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see  [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 
 
-1.	Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
+1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). 
 
-2. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). 
-
-3.	If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+2.	If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
 
     a. Set the following registry entry:
        - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
@@ -108,12 +117,31 @@ You’ll be able to onboard in the same method available for Windows 10 client m
        
        ![Image of passive mode verification result](images/atp-verify-passive-mode.png)
 
-4. Run the following command to check if Windows Defender AV is installed:
+3. Run the following command to check if Windows Defender AV is installed:
 
    ```sc query Windefend```
 
     If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
 
+
+## Integration with Azure Security Center
+Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+
+The following capabilities are included in this integration:
+- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding).
+
+    >[!NOTE]
+    > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+
+- Servers monitored by  Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers.  In addition, Windows Defender ATP alerts will be available in the Azure Security Center console.
+- Server investigation -  Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach
+
+>[!IMPORTANT]
+>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. 
+>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
+
+
+
 ## Offboard servers 
 You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. 
 

windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 07/25/2018
 ---
 

windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md

@@ -28,7 +28,7 @@ Users need to have Security administrator or Global admin directory roles.
 
 ## HTTP request
 ```
-POST /testwdatppreview/machineactions/{id}/getPackageUri
+GET /testwdatppreview/machineactions/{id}/getPackageUri
 ```
 
 ## Request headers

windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 05/30/2018
+ms.date: 08/01/2018
 ---
 
 # Investigate machines in the Windows Defender ATP Machines list
@@ -178,6 +178,9 @@ Use the following registry key entry to add a tag on a machine:
 -	Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
 -	Registry key value (string): Group
 
+>[!NOTE]
+>The device tag is part of the machine information report that’s generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. 
+
 
 ### Add machine tags using the portal
 Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.

windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md

@@ -41,9 +41,7 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t
 
 3. Configure the following extension names and separate extension names with a comma:
    - **File extension names** -  Suspicious files except email attachments will be submitted for additional inspection
-   - **Attachment extension names** - Suspicious email attachments with these extension names will be submitted for additional inspection
-
-
+  
 
 ## Related topics
 - [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 07/01/2018
 ---
 

windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 07/01/2018
 ---
 

windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 06/21/2018
+ms.date: 07/30/2018
 ---
 
 # Windows Defender ATP preview features
@@ -49,6 +49,10 @@ Onboard supported versions of Windows machines so that they can send sensor data
   - Windows 8.1 Enterprise
   - Windows 8.1 Pro 
 
+- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)<br>
+Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+
+
  
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)  

windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md

@@ -1,76 +1,85 @@
----
-title: Troubleshoot onboarding issues and error messages
-description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection.
-keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: v-tanewt
-author: tbit0001
-ms.localizationpriority: medium
-ms.date: 11/28/2017
----
-
-# Troubleshoot subscription and portal access issues
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
-
-
-This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service.
-
-If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
-
-## No subscriptions found
-
-If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
-
-Potential reasons:
-- The Windows E5 and Office E5 licenses are separate licenses.
-- The license was purchased but not provisioned to this AAD instance.
-    - It could be a license provisioning issue.
-    - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service.
-
-For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
-[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
-
-![Image of no subscriptions found](images\atp-no-subscriptions-found.png)
-
-## Your subscription has expired
-
-If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. 
-
-You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.
-
-> [!NOTE]
-> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
-
-![Image of subscription expired](images\atp-subscription-expired.png)
-
-## You are not authorized to access the portal
-
-If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
-For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
-
-![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png)
-
-## Data currently isn't available on some sections of the portal
-If the portal dashboard, and other sections show an error message such as "Data currently isn't available":
-
-![Image of data currently isn't available](images/atp-data-not-available.png)
-
-You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
-
-
-## Related topics
+---
+title: Troubleshoot onboarding issues and error messages
+description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection.
+keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-tanewt
+author: tbit0001
+ms.localizationpriority: medium
+ms.date: 08/01/2018
+---
+
+# Troubleshoot subscription and portal access issues
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
+
+
+This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service.
+
+If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
+
+## No subscriptions found
+
+If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
+
+Potential reasons:
+- The Windows E5 and Office E5 licenses are separate licenses.
+- The license was purchased but not provisioned to this AAD instance.
+    - It could be a license provisioning issue.
+    - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service.
+
+For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
+[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
+
+![Image of no subscriptions found](images\atp-no-subscriptions-found.png)
+
+## Your subscription has expired
+
+If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. 
+
+You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.
+
+> [!NOTE]
+> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+
+![Image of subscription expired](images\atp-subscription-expired.png)
+
+## You are not authorized to access the portal
+
+If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
+For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
+
+![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png)
+
+## Data currently isn't available on some sections of the portal
+If the portal dashboard, and other sections show an error message such as "Data currently isn't available":
+
+![Image of data currently isn't available](images/atp-data-not-available.png)
+
+You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
+
+
+## Portal communication issues
+If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation.
+
+- `*.blob.core.windows.net 
+crl.microsoft.com`
+- `https://*.microsoftonline-p.com`
+- `https://*.securitycenter.windows.com` 
+- `https://automatediracs-eus-prd.securitycenter.windows.com`
+- `https://login.microsoftonline.com`
+- `https://login.windows.net`
 - `https://onboardingpackagescusprd.blob.core.windows.net`

windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 07/12/2017
+ms.date: 07/30/2018
 ---
 
 # Troubleshoot service issues
@@ -22,11 +22,11 @@ ms.date: 07/12/2017
 
 This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
 
-### Server error - Access is denied due to invalid credentials
+## Server error - Access is denied due to invalid credentials
 If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
 Configure your browser to allow cookies.
 
-### Elements or data missing on the portal
+## Elements or data missing on the portal
 If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it.
 
 Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
@@ -35,17 +35,17 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
 > [!NOTE]
 > You must use the HTTPS protocol when adding the following endpoints.
 
-### Windows Defender ATP service shows event or error logs in the Event Viewer
+## Windows Defender ATP service shows event or error logs in the Event Viewer
 
 See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
 
-### Windows Defender ATP service fails to start after a reboot and shows error 577
+## Windows Defender ATP service fails to start after a reboot and shows error 577
 
 If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
 
 For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
 
-#### Known issues with regional formats
+## Known issues with regional formats
 
 **Date and time formats**<br>
 There are some known issues with the time and date formats. 
@@ -65,6 +65,20 @@ Support of use of comma as a separator in numbers are not supported. Regions whe
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
 
+## Windows Defender ATP tenant was automatically created in Europe
+When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default.
+
+
+
+
+
+
+
+
+
+
+
+
 
 ## Related topics
 - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
 
 
@@ -103,6 +103,7 @@ Block credential stealing from the Windows local security authority subsystem (l
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
 
@@ -214,12 +215,16 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
 - Executable files (such as .exe, .dll, or .scr) 
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
-### Rule: Block Office communication applications from creating child processes
+### Rule: Block Office communication applications from creating child processes (available for beta testing)
 
 Office communication apps will not be allowed to create child processes. This includes Outlook.
 
 This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
 
+### Rule: Block Adobe Reader from creating child processes (available for beta testing)
+
+This rule blocks Adobe Reader from creating child processes.
+
 ## Review Attack surface reduction events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):

windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
 
 # Customize Attack surface reduction
@@ -76,7 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
 
 
@@ -65,6 +65,7 @@ Block credential stealing from the Windows local security authority subsystem (l
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
 

windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md

@@ -24,11 +24,16 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
 ## How to turn on HVCI in Windows 10 
 
 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
+- [Windows Security app](#windows-security-app)
 - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
 - [Group Policy](#enable-hvci-using-group-policy)
 - [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) 
 - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
 
+### Windows Security app
+
+HVCI is labeled **Memory integrity** in the Windows Security app and it can be accessed via **Settings** > **Update & Security** > **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [KB4096339](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
+
 ### Enable HVCI using Intune
 
 Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).