Merge remote-tracking branch 'refs/remotes/origin/master' into jdholo

windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md

@@ -12,7 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 04/01/2019
 ---
 
 # Audit: Audit the use of Backup and Restore privilege
@@ -80,7 +80,7 @@ When the backup and restore function is used, it creates a copy of the file syst
 ### Countermeasure
 
 Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](../auditing/basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner.
-For more information about configuring this key, see Microsoft Knowledge Base article [100879](https://go.microsoft.com/fwlink/p/?LinkId=100879).
+For more information about configuring this key, see [Eventlog Key](https://docs.microsoft.com/windows/desktop/EventLog/eventlog-key).
 
 ### Potential impact
 

windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/28/2019
+ms.date: 04/01/2019
 ---
 
 # Enable network protection
@@ -47,7 +47,13 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d
 
 ## Group Policy 
 
-1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+You can use the following procedure to enable network protection on a standalone computer or for domain-joined computers.
+
+1.  On a standalone computer, click **Start**, type and then click **Edit group policy**.
+
+    -Or-
+    
+    On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
 2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
@@ -58,10 +64,17 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d
     - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
     - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
 
-
 >[!IMPORTANT]
 >To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
 
+You can confirm network protection is enabled on a local computer by using Registry editor:
+
+1. Click **Start** and type **regedit** to open **Registry Editor**.
+1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
+1. Click **EnableNetworkProtection** and confirm the value: 
+   - 0=Off
+   - 1=On
+   - 2=Audit
 
 ## PowerShell
 
@@ -82,16 +95,11 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
 
 ## 
 
-Network protection can't be turned on using the Windows Security app, but you can enable it by using Registry editor.
+Network protection can't be turned on using the Windows Security app, but you can enable it by 
-
-1. Click **Start** and type **regedit** to open **Registry Editor**.
-1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
-1. Set the value: 
-   0=off
-   1=on
-   2=audit
 
 ## Related topics
 
-- [Protect your network](network-protection-exploit-guard.md)
+- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
+- [Network protection](network-protection-exploit-guard.md)
 - [Evaluate network protection](evaluate-network-protection.md)
+- [Troubleshoot network protection](troubleshoot-np.md)

windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md

@@ -10,7 +10,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 03/15/2019
+ms.date: 04/01/2019
 ---
 
 # Enable virtualization-based protection of code integrity 
@@ -28,7 +28,7 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
 >HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*.
 
 >[!TIP]
-> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM).". Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
+> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
 
 ## HVCI Features
 
@@ -291,6 +291,6 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
 ### Requirements for running HVCI in Hyper-V virtual machines 
  -   The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
  -   The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
- -   HVCI and [virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
+ -   HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
  -   Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
  -   The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.

windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/27/2019
+ms.date: 04/01/2019
 ---
 
 # Evaluate network protection
@@ -64,6 +64,7 @@ Event ID | Provide/Source | Description
 
 ## Related topics
 
-- [Protect your network](network-protection-exploit-guard.md)
+- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+- [Network protection](network-protection-exploit-guard.md)
-- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
+- [Enable network protection](enable-network-protection.md)
+- [Troubleshoot network protection](troubleshoot-np.md)