mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 20:03:40 +00:00
refreshing build (3/11/16)
@ -1,4 +1,4 @@
|
||||
# [What's new in Windows 10](index.md)
|
||||
# [What's new in Windows 10]
|
||||
## [Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)
|
||||
## [AppLocker](applocker.md)
|
||||
## [BitLocker](bitlocker.md)
|
||||
|
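Review bot: dropping `(index.md)` from `# [What's new in Windows 10]` leaves a bracketed phrase with no link target, which Markdown renderers emit as literal square brackets rather than a link. If the intent is to make the TOC root a non-link node, remove the brackets too; otherwise keep `(index.md)`.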
@ -18,7 +18,7 @@ author: TrudyHa
|
||||
|
||||
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
|
||||
|
||||
## New features in Windows 10, Version 1511
|
||||
## New features in Windows 10, version 1511
|
||||
|
||||
|
||||
- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
|
||||
@ -37,7 +37,7 @@ BitLocker Drive Encryption is a data protection feature that integrates with the
|
||||
## New features in Windows 10
|
||||
|
||||
|
||||
- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#BKMK_Encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
|
||||
- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
|
||||
|
||||
- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
|
||||
|
||||
|
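Review bot: the rewritten fragment in `[Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption)` targets an external TechNet page, so it only resolves if that page actually publishes an id of `bkmk-encryption`; unlike the in-repo anchors in this commit, the target is not under this repo's control. Verify the fragment against the live page rather than lowercasing it mechanically, or the link will silently land at the top of the page.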
@ -52,7 +52,7 @@ You'll need this software to work with the Store for Business.
|
||||
|
||||
- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox.
|
||||
|
||||
- Employees using apps from Store for Business need Windows 10, Version 1511 running on a PC or mobile device.
|
||||
- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
|
||||
|
||||
Microsoft Azure Active Directory (AD) accounts for your employees:
|
||||
|
||||
@ -153,7 +153,7 @@ Line-of-business (LOB) apps are also supported via the Business store. You can i
|
||||
|
||||
The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
|
||||
|
||||
For more information, see [Apps in the Store for Business](../manage/apps-in-the-windows-store-for-business.md#licensing_model).
|
||||
For more information, see [Apps in the Store for Business](../manage/apps-in-the-windows-store-for-business.md#licensing-model).
|
||||
|
||||
### Distribute apps and content
|
||||
|
||||
@ -302,7 +302,7 @@ Store for Business is currently available in these markets.
|
||||
|
||||
- Vietnam
|
||||
|
||||
## ISVs and the Store for Business
|
||||
## <a href="" id="isv-wsfb"></a>ISVs and the Store for Business
|
||||
|
||||
|
||||
Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
|
||||
|
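Review bot: `<a href="" id="isv-wsfb"></a>` gives the heading a stable fragment id, but `href=""` also turns the empty anchor into a clickable self-link; `<a id="isv-wsfb"></a>` without `href` is enough for a link target. If the `href=""` form is the repo-wide convention, keep it for consistency, but the id alone is what inbound links need.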
@ -11,7 +11,7 @@ author: TrudyHa
|
||||
# Change history for What's new in Windows 10
|
||||
|
||||
|
||||
This topic lists new and updated topics in the [What's new in Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
|
||||
This topic lists new and updated topics in the [What's new in Windows 10] documentation for [Windows 10 and Windows 10 Mobile](../index.md).
|
||||
|
||||
## February 2016
|
||||
|
||||
|
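Review bot: `[What's new in Windows 10]` with its `(index.md)` target removed will render as literal brackets inside the sentence "This topic lists new and updated topics in the [What's new in Windows 10] documentation"; this is body prose, not a TOC node, so either restore the link or drop the brackets.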
@ -17,7 +17,7 @@ author: TrudyHa
|
||||
|
||||
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
||||
|
||||
## New features in Windows 10, Version 1511
|
||||
## New features in Windows 10, version 1511
|
||||
|
||||
|
||||
- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
|
||||
|
@ -86,7 +86,7 @@ The following table shows the hardware and software you need to install and conf
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>UEFI firmware version 2.3.1 or higher and Secure Boot</p></td>
|
||||
<td align="left"><p>To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby) Windows Hardware Compatibility Program requirement.</p></td>
|
||||
<td align="left"><p>To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Virtualization extensions</p></td>
|
||||
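Review bot: `#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby` is a fragment on an external msdn.microsoft.com page (dn932807.aspx), so the hyphenated form must match the id that page actually publishes; confirm it resolves, since an in-repo anchor sweep will not catch a broken MSDN fragment.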
@ -110,14 +110,14 @@ The following table shows the hardware and software you need to install and conf
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Secure firmware update process</p></td>
|
||||
<td align="left"><p>To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system_fundamentals_firmware_uefisecureboot) Windows Hardware Compatibility Program requirement.</p></td>
|
||||
<td align="left"><p>To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
## Before using Device Guard in your company
|
||||
## <a href="" id="before-you-begin"></a>Before using Device Guard in your company
|
||||
|
||||
|
||||
Before you can successfully use Device Guard, you must set up your environment and your policies.
|
||||
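Review bot: the id `before-you-begin` does not match the heading text "Before using Device Guard in your company", so an id generator would produce `before-using-device-guard-in-your-company` instead; that is fine if `before-you-begin` is being kept to preserve existing inbound links, but confirm that every link to this section uses the explicit id. The same external-fragment caveat applies to `#system-fundamentals-firmware-uefisecureboot` on dn932805.aspx.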
@ -146,7 +146,7 @@ For the Device Guard feature, devices should only have Code Integrity pre-config
|
||||
|
||||
|
||||
|
||||
### Virtualization-based security using Windows 10 Enterprise Hypervisor
|
||||
### <a href="" id="virtualization-based-security-using-windows-10-hypervisor"></a>Virtualization-based security using Windows 10 Enterprise Hypervisor
|
||||
|
||||
Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer.
|
||||
|
||||
|
@ -142,15 +142,15 @@ Privileged apps are allowed to access your enterprise data and will react differ
|
||||
|
||||
EDP lets you decide to block, allow overrides, or audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and audit just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action.
|
||||
|
||||
### Persistent data encryption
|
||||
### <a href="" id="persistent-data-protection"></a>Persistent data encryption
|
||||
|
||||
EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it won’t work. Outlook automatically applies EDP to the new document, keeping the data encryption in place.
|
||||
|
||||
### Helping prevent accidental data disclosure to public spaces
|
||||
### <a href="" id="protection-against-accidental-disclosure-to-public-spaces"></a>Helping prevent accidental data disclosure to public spaces
|
||||
|
||||
EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your privileged list), then the document is encrypted locally and not synched it to the user’s personal cloud. Likewise, if other synching apps, like Dropbox™, aren’t on the privileged list, they also won’t be able to sync encrypted files to the user’s personal cloud.
|
||||
|
||||
### Helping prevent accidental data disclosure to other devices
|
||||
### <a href="" id="protection-against-accidental-data-disclosure-to-other-devices"></a>Helping prevent accidental data disclosure to other devices
|
||||
|
||||
EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device.
|
||||
|
||||
@ -158,7 +158,7 @@ EDP helps protect your enterprise data from leaking to other devices while trans
|
||||
|
||||
|
||||
|
||||
### Turn off EDP
|
||||
### <a href="" id="turning-off-edp"></a>Turn off EDP
|
||||
|
||||
You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info.
|
||||
|
||||
|
@ -29,7 +29,7 @@ Learn about new features in Windows 10 for IT professionals, such as Enterprise
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)</p></td>
|
||||
<td align="left"><p>**This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).**</p></td>
|
||||
<td align="left"><p>This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>[AppLocker](applocker.md)</p></td>
|
||||
|
@ -46,7 +46,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations</p></td>
|
||||
<td align="left">[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)</td>
|
||||
<td align="left"><p>Keyboard filter is added in Windows 10, Version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via <strong>Turn Windows Features On/Off</strong>. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.</p></td>
|
||||
<td align="left"><p>Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via <strong>Turn Windows Features On/Off</strong>. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on</p></td>
|
||||
|
@ -18,7 +18,7 @@ author: TrudyHa
|
||||
|
||||
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.
|
||||
|
||||
## New features in Windows 10, Version 1511
|
||||
## New features in Windows 10, version 1511
|
||||
|
||||
|
||||
- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.
|
||||
@ -28,10 +28,10 @@ Security auditing is one of the most powerful tools that you can use to maintain
|
||||
|
||||
In Windows 10, security auditing has added some improvements:
|
||||
|
||||
- [New audit subcategories](#BKMK_AuditSubCat)
|
||||
- [More info added to existing audit events](#BKMK_MoreInfo)
|
||||
- [New audit subcategories](#bkmk-auditsubcat)
|
||||
- [More info added to existing audit events](#bkmk-moreinfo)
|
||||
|
||||
### New audit subcategories
|
||||
### <a href="" id="bkmk-auditsubcat"></a>New audit subcategories
|
||||
|
||||
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
|
||||
|
||||
@ -45,35 +45,35 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol
|
||||
|
||||
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
|
||||
|
||||
### More info added to existing audit events
|
||||
### <a href="" id="bkmk-moreinfo"></a>More info added to existing audit events
|
||||
|
||||
With Windows 10, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
|
||||
|
||||
- [Changed the kernel default audit policy](#BKMK_KDAL)
|
||||
- [Changed the kernel default audit policy](#bkmk-kdal)
|
||||
|
||||
- [Added a default process SACL to LSASS.exe](#BKMK_LSASS)
|
||||
- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
|
||||
|
||||
- [Added new fields in the logon event](#BKMK_LOGON)
|
||||
- [Added new fields in the logon event](#bkmk-logon)
|
||||
|
||||
- [Added new fields in the process creation event](#BKMK_LOGON)
|
||||
- [Added new fields in the process creation event](#bkmk-logon)
|
||||
|
||||
- [Added new Security Account Manager events](#BKMK_SAM)
|
||||
- [Added new Security Account Manager events](#bkmk-sam)
|
||||
|
||||
- [Added new BCD events](#BKMK_BCD)
|
||||
- [Added new BCD events](#bkmk-bcd)
|
||||
|
||||
- [Added new PNP events](#BKMK_PNP)
|
||||
- [Added new PNP events](#bkmk-pnp)
|
||||
|
||||
### Changed the kernel default audit policy
|
||||
### <a href="" id="bkmk-kdal"></a>Changed the kernel default audit policy
|
||||
|
||||
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
|
||||
|
||||
### Added a default process SACL to LSASS.exe
|
||||
### <a href="" id="bkmk-lsass"></a>Added a default process SACL to LSASS.exe
|
||||
|
||||
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
|
||||
|
||||
This can help identify attacks that steal credentials from the memory of a process.
|
||||
|
||||
### New fields in the logon event
|
||||
### <a href="" id="bkmk-logon"></a>New fields in the logon event
|
||||
|
||||
The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
|
||||
|
||||
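Review bot: the list entry "Added new fields in the process creation event" still targets `#bkmk-logon` (the logon-event anchor) after the rewrite, while the process-creation heading in the `@ -105,7` hunk defines `id="bkmk-process"`; the old `#BKMK_LOGON` was already wrong and the case-normalising rewrite carried the mistake over. Change it to `#bkmk-process`. Also visible in context: the SACL is written as `L"S:(AU;SAFA;0x0010;;;WD)"`, where the leading `L` is a C wide-string prefix rather than part of the SDDL string; consider dropping it.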
@ -105,7 +105,7 @@ The logon event ID 4624 has been updated to include more verbose information to
|
||||
|
||||
For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx).
|
||||
|
||||
### New fields in the process creation event
|
||||
### <a href="" id="bkmk-process"></a>New fields in the process creation event
|
||||
|
||||
The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
|
||||
|
||||
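Review bot: the new `id="bkmk-process"` has no inbound link in this commit, because the summary list still points the process-creation entry at `#bkmk-logon`. While this file is being touched, the context line "The logon event ID 4688 has been updated" under this heading should read "process creation event ID 4688", since 4688 is the process creation event the heading names.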
@ -133,7 +133,7 @@ The logon event ID 4688 has been updated to include more verbose information to
|
||||
|
||||
A pointer to the actual parent process if it's different from the creator process.
|
||||
|
||||
### New Security Account Manager events
|
||||
### <a href="" id="bkmk-sam"></a>New Security Account Manager events
|
||||
|
||||
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
|
||||
|
||||
@ -150,7 +150,7 @@ In Windows 10, new SAM events were added to cover SAM APIs that perform read/qu
|
||||
- SamrGetMembersInAlias
|
||||
- SamrGetUserDomainPasswordInformation
|
||||
|
||||
### New BCD events
|
||||
### <a href="" id="bkmk-bcd"></a>New BCD events
|
||||
|
||||
Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
|
||||
|
||||
@ -162,7 +162,7 @@ Event ID 4826 has been added to track the following changes to the Boot Configur
|
||||
- Integrity Services
|
||||
- Disable Winload debugging menu
|
||||
|
||||
### New PNP events
|
||||
### <a href="" id="bkmk-pnp"></a>New PNP events
|
||||
|
||||
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
|
||||
|
||||
|
@ -14,11 +14,11 @@ author: TrudyHa
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Threat resistance](#threat_resistance)
|
||||
- [Information protection](#information_protection)
|
||||
- [Identity protection and access control](#identity_protection_and_access_control)
|
||||
- [Threat resistance](#threat-resistance)
|
||||
- [Information protection](#information-protection)
|
||||
- [Identity protection and access control](#identity-protection-and-access-control)
|
||||
- [Windows 10 hardware considerations](#hardware)
|
||||
- [Related topics](#related_topics)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources.
|
||||
|
||||
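Review bot: four of the five in-article links are rewritten to hyphenated ids, but `[Windows 10 hardware considerations](#hardware)` keeps a short id that only works if the corresponding heading carries an explicit `<a id="hardware">`, which this diff does not show; verify it, because an auto-generated id for that heading would be `windows-10-hardware-considerations`.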
@ -35,15 +35,15 @@ Today’s security threat landscape is one of aggressive and tenacious threats.
|
||||
|
||||
Windows 10 introduces several new security features that help mitigate modern threats and protect organizations against cyber attackers, regardless of their motive. Microsoft has made significant investments in Windows 10 to make it the most malware-resistant Windows operating system to date. Rather than simply adding defenses to the operating system, as was the case in previous Windows releases, Microsoft introduces architectural changes in Windows 10 that address entire classes of threats. By fundamentally changing the way the operating system works, Microsoft seeks to make Windows 10 much more difficult for modern attackers to exploit. New features in Windows 10 include Device Guard, configurable code integrity, virtualization-based security (VBS), and improvements to Windows Defender, to name just a few. By enabling all these new features together, organizations can immediately protect themselves against the types of malware responsible for approximately 95 percent of modern attacks.
|
||||
|
||||
### Virtualization-based security
|
||||
### <a href="" id="virtualization-security"></a>Virtualization-based security
|
||||
|
||||
In the server world, virtualization technologies like Microsoft Hyper-V have proven extremely effective in isolating and protecting virtual machines (VMs) in the data center. Now, with those virtualization capabilities becoming more pervasive in modern client devices, there is an incredible opportunity for new Windows client security scenarios. Windows 10 can use virtualization technology to isolate core operating system services in a segregated, virtualized environment, similar to a VM. This additional level of protection, called virtualization-based security, ensures that no one can manipulate those services, even if the kernel mode of the host operating system is compromised.
|
||||
|
||||
Just like with client Hyper-V, Windows itself can now take advantage of processors equipped with second-level address translation (SLAT) technology and virtualization extensions, such as Intel Virtualization Technology (VT) x and AMD V, to create a secure execution environment for sensitive Windows functions and data. This VBS environment protects the following services:
|
||||
|
||||
- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#config_code) section.
|
||||
- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#config-code) section.
|
||||
|
||||
- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section.
|
||||
- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section.
|
||||
|
||||
**Note**
|
||||
To determine whether virtualization is supported for a client machine model, simply run **systeminfo** from a command prompt window.
|
||||
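Review bot: `#config-code` has a matching `id="config-code"` anchor later in this commit, but `#credential-guard` has no anchor definition anywhere in this diff; confirm that the Credential Guard heading carries `id="credential-guard"`, otherwise the rewritten link in the LSA bullet (and the same link in the Device Guard hunk) breaks.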
@ -54,11 +54,11 @@ VBS provides the core framework for some of the most impactful mitigations Windo
|
||||
|
||||
### Device Guard
|
||||
|
||||
Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization_security) section. For more information about configurable code integrity, see the [Configurable code integrity](#config_code) section.
|
||||
Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization-security) section. For more information about configurable code integrity, see the [Configurable code integrity](#config-code) section.
|
||||
|
||||
Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility. For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section.
|
||||
Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility. For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section.
|
||||
|
||||
For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#config_code) section.
|
||||
For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#config-code) section.
|
||||
|
||||
New desktops and laptops will be available to expedite your Device Guard implementation efforts. Device Guard-ready devices will require the least amount of physical interaction with the actual device before it’s ready for use. Going forward, all devices will fall into one of the following three categories:
|
||||
|
||||
@ -70,7 +70,7 @@ New desktops and laptops will be available to expedite your Device Guard impleme
|
||||
|
||||
For more information about how to prepare for, manage, and deploy Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
### Configurable code integrity
### <a href="" id="config-code"></a>Configurable code integrity
*Code integrity* is the Windows component that verifies that the code Windows is running is trusted and safe. Like the operating modes found in Windows itself, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). Microsoft has used KMCI in recent versions of Windows to prevent the Windows kernel from executing unsigned drivers. Although this approach is effective, drivers aren’t the only route malware can take to penetrate the operating system’s kernel mode space. So, for Windows 10, Microsoft has raised the standard for kernel mode code out of the box by requiring the use of security best practices regarding memory management and has provided enterprises with a way to set their own UMCI and KMCI standards.
@ -109,7 +109,7 @@ Configurable code integrity is available in Windows 10 Enterprise and Windows
You can enable configurable code integrity as part of a Device Guard deployment or as a stand-alone component. In addition, you can run configurable code integrity on hardware that is compatible with the Windows 7 operating system, even if such hardware is not Device Guard ready. Code integrity policies can align with an existing application catalog, existing corporate imaging strategy, or with any other method that provides the organization’s desired levels of restriction. For more information about configurable code integrity with Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
### Measured Boot and remote attestation
### <a href="" id="measured-boot-and-remote-attestation-"></a>Measured Boot and remote attestation
Although software-based antimalware and antivirus solutions are effective, they have no way to detect pre–operating system resource modification or infection such as by bootkits and rootkits—malicious software that can manipulate a client before the operating system and antimalware solutions load. Bootkits and rootkits and similar software are nearly impossible to detect using software-based solutions alone, so Windows 10 uses the client’s Trusted Platform Module (TPM) and the Windows Measured Boot feature to analyze the overall boot integrity. When requested, Windows 10 reports integrity information to the Windows cloud-based device health attestation service, which can then be used in coordination with management solutions such as Intune to analyze the data and provide conditional access to resources based on the device’s health state.
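Review bot: the new anchor `id="measured-boot-and-remote-attestation-"` on the Measured Boot heading ends in a stray hyphen, presumably the slugified remnant of a trailing space or punctuation mark in the original title; any in-page link written as `#measured-boot-and-remote-attestation` will miss it. Drop the trailing hyphen here and in whatever links target this heading, matching the clean ids this commit uses elsewhere (`config-code`, `enterprise`, `bitlocker`).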
@ -140,7 +140,7 @@ Unlike some current DLP solutions, EDP does not require users to switch modes or
In addition to EDP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements to BitLocker](#bitlocker) section.
### Enterprise Data Protection
### <a href="" id="enterprise"></a>Enterprise Data Protection
DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes an EDP feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised. For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device.
@ -148,7 +148,7 @@ You can configure EDP policies to encrypt and protect files automatically based
To manage EDP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about EDP, see [Enterprise data protection (EDP) overview](enterprise-data-protection-overview.md).
### Improvements in BitLocker
### <a href="" id="bitlocker"></a>Improvements in BitLocker
With so many laptops stolen annually, protecting data at rest should be a top priority for any IT organization. Microsoft has provided an encryption solution called BitLocker directly in Windows since 2004. If your last encounter with BitLocker was in Windows 7, you’ll find that the manageability and SSO capabilities that were previously lacking are now included in Windows 10. These and other improvements make BitLocker one of the best choices on the marketplace for protecting data on Windows devices. Windows 10 builds on the BitLocker improvements made in the Windows 8.1 and Windows 8 operating systems to make BitLocker more manageable and to simplify its deployment even further.
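Review bot: the unchanged context line under the new `bitlocker` anchor says BitLocker has been provided in Windows "since 2004"; BitLocker first shipped with Windows Vista, so while this hunk is already touching the heading it would be worth changing that to "since Windows Vista" rather than leaving a date readers cannot verify.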
@ -158,7 +158,7 @@ Microsoft has made the following key improvements to BitLocker:
- **MBAM improvements.** MBAM provides a simplified management console for BitLocker administration. It also simplifies recovery requests by providing a self-service portal in which users can recover their drives without calling the help desk.
- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drive’s encryption key and allow Windows to start. In Windows 10, user input-based preboot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the cold boot attacks (for example, port-based direct memory access attacks) that have previously necessitated PIN protection. For more information to determine which cases and device types require the use of PIN protection, refer to [BitLocker Countermeasures](1f015738-3bf6-4abb-a1cd-21c04e9ef24f).
- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drive’s encryption key and allow Windows to start. In Windows 10, user input-based preboot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the cold boot attacks (for example, port-based direct memory access attacks) that have previously necessitated PIN protection. For more information to determine which cases and device types require the use of PIN protection, refer to [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md).
- **Used-space-only encryption.** Rather than encrypting an entire hard drive, you can configure BitLocker to encrypt only the used space on a drive. This option drastically reduces the overall encryption time required.
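Review bot: the SSO bullet this hunk rewrites conflates two distinct threats: "cold boot attacks (for example, port-based direct memory access attacks)" treats DMA as a kind of cold boot attack, but cold boot attacks recover keys from RAM remanence after a power cycle, whereas port-based DMA attacks read the memory of a running machine through an external bus. Suggest "cold boot and DMA attacks (for example, port-based direct memory access attacks)". The link fix itself, replacing the opaque `1f015738-...` GUID with `../keep-secure/bitlocker-countermeasures.md`, is right, and that topic is exactly where the two attack classes and the pre-boot PIN countermeasure are distinguished, so the wording on this line should agree with it.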
@ -171,9 +171,9 @@ Windows 10 also includes a feature called Microsoft Passport, a new 2FA mechani
The biometrics factor available for Microsoft Passport is driven by another new feature in Windows 10 called Windows Hello. Windows Hello uses a variety of biometric sensors to accept different points of biometric measurement, such as the face, iris, and fingerprints, which allows organizations to choose from various options when they consider what makes the most sense for their users and devices. By combining Windows Hello with Microsoft Passport, users no longer need to remember a password to access corporate resources. For more information about Windows Hello, see the [Windows Hello](#hello) section.
Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a user’s derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while it’s off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hash–type attacks. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section.
Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a user’s derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while it’s off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hash–type attacks. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section.
### Microsoft Passport
### <a href="" id="passport"></a>Microsoft Passport
Historically, companies have mitigated the risk of credential theft by implementing 2FA. In this method, a combination of something you know (for example, a PIN), something you have (traditionally a smart card or token), or possibly something about the user (for example, biometrics) strengthens the logon process. The additional factor beyond something you know requires that a credential thief acquire a physical device or, in the case of biometrics, the actual user.
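Review bot: the unchanged 2FA sentence that closes this hunk describes "a combination of something you know ..., something you have ..., or possibly something about the user", which reads as a list of alternatives; two-factor authentication requires at least two of those factors together, so "or" should be "and" (or the sentence should say "two or more of"). The `#credential_guard` to `#credential-guard` change above it matches the link form already used in the first hunk of this file, so that part is consistent.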
@ -183,7 +183,7 @@ Microsoft Passport can use the biometric information from Windows Hello or a uni
In Windows 10, the physical factor of authentication is the user’s device—either his or her PC or mobile phone. By using the new phone sign-in capability which will available to Windows Insiders as a preview in early 2016, users can unlock their PC without ever touching it. Users simply enroll their phone with Microsoft Passport by pairing it with the PC via Wi-Fi or Bluetooth and install a simple-to-use application on their phone that allows them to select which PC to unlock. When selected, users can enter a PIN or their biometric login from their phone to unlock their PC.
### Windows Hello
### <a href="" id="hello"></a>Windows Hello
Passwords represent a losing identity and access control mechanism. When an organization relies on password-driven Windows authentication, attackers only have to determine a single string of text to access anything on a corporate network that those credentials protect. Unfortunately, attackers can use several methods to retrieve a user’s password, making credential theft relatively easy for determined attackers. By moving to an MFA mechanism to verify user identities, organizations can remove the threats that single-factor options like passwords represent.
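Review bot: the context line above the new `hello` anchor has a typo, "the new phone sign-in capability which will available to Windows Insiders" should read "which will be available"; since this commit already touches the heading directly beneath it, fold that fix into the same change.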
@ -203,7 +203,7 @@ Pass the hash is the most commonly used derived credential attack today. This at
Credential Guard is another new feature in Windows 10 Enterprise that employs VBS to protect domain credentials against theft, even when the host operating system is compromised. To achieve such protection, Credential Guard isolates a portion of the LSA service, which is responsible for managing authentication, inside a virtualized container. This container is similar to a VM running on a hypervisor but is extremely lightweight and contains only those files and components required to operate the LSA and other isolated services. By isolating a portion of the LSA service within this virtualized environment, credentials are protected even if the system kernel is compromised, removing the attack vector for pass the hash.
For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization_security) section.
For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization-security) section.
**Note**
Because it requires isolated user mode and a Hyper-V hypervisor, you cannot configure Credential Guard on a VM, only on a physical computer.
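Review bot: this hunk retargets the VBS link to `#virtualization-security`, but the "Virtualization-based security" heading that has to carry `id="virtualization-security"` does not appear in any hunk of this diff. Confirm that heading was renamed in this commit or an earlier one; otherwise the link breaks silently, which is exactly the mismatch the other renames here avoid by changing link and anchor together (`config-code`, `bitlocker`, `bkmk-dha`).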
@ -212,7 +212,7 @@ Because it requires isolated user mode and a Hyper-V hypervisor, you cannot conf
The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing a MFA option such as Microsoft Passport with Credential Guard, you can gain additional protection against such threats. For more in-depth information about how Credential Guard works and the specific mitigations it provides, see [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md).
## Windows 10 hardware considerations
## <a href="" id="hardware"></a>Windows 10 hardware considerations
|
||||
|
||||
|
||||
Most of the features this article describes rely on specific hardware to maximize their capabilities. By purchasing hardware that includes these features during your next purchase cycle, you will be able to take advantage of the most comprehensive client security package Windows 10 has to offer. Careful consideration about which hardware vendor and specific models to purchase is vital to the success of your organization’s client security portfolio. Table 1 contains a list of each new Windows 10 security feature and its hardware requirements.
@ -18,7 +18,7 @@ author: TrudyHa
This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.
## New features in Windows 10, Version 1511
## New features in Windows 10, version 1511
- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
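Review bot: the unchanged bullet that ends this hunk says "elliptical curve cryptography"; the term is "elliptic curve cryptography" (the ECC abbreviation on the same line is correct). The "Version 1511" to "version 1511" capitalization change is fine, and the typo is worth fixing in the same pass since the heading two lines above is already being edited.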
@ -28,12 +28,12 @@ This topic for the IT professional describes new features for the Trusted Platfo
The following sections describe the new and changed functionality in the TPM for Windows 10:
- [Device health attestation](#BKMK_DHA)
- [Device health attestation](#bkmk-dha)
- [Microsoft Passport](microsoft-passport.md) support
- [Device Guard](device-guard-overview.md) support
- [Credential Guard](credential-guard.md) support
## Device health attestation
## <a href="" id="bkmk-dha"></a>Device health attestation
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
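Review bot: "With device heath attestation" in the last context line of this hunk is missing an "l" (health). The `#BKMK_DHA` to `#bkmk-dha` link rename and the matching `id="bkmk-dha"` on the heading below it are changed together, so that pair is consistent; the typo on the paragraph under the renamed heading is the only thing left to fix here.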
@ -18,10 +18,10 @@ author: TrudyHa
**In this article**
- [What does Windows spotlight include?](#what_does_windows_spotlight_include_)
- [How do you turn off Windows spotlight?](#how_do_you_turn_off_windows_spotlight_)
- [How do you disable Windows spotlight for managed devices?](#how_do_you_disable_windows_spotlight_for_managed_devices_)
- [Related topics](#related_topics)
- [What does Windows spotlight include?](#what-does-windows-spotlight-include-)
- [How do you turn off Windows spotlight?](#how-do-you-turn-off-windows-spotlight-)
- [How do you disable Windows spotlight for managed devices?](#how-do-you-disable-windows-spotlight-for-managed-devices-)
- [Related topics](#related-topics)
Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background.
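Review bot: three of the four rewritten "In this article" links keep a trailing hyphen (`#what-does-windows-spotlight-include-`, `#how-do-you-turn-off-windows-spotlight-`, `#how-do-you-disable-windows-spotlight-for-managed-devices-`), the slugified remnant of the question mark in each heading, and the headings that must carry the matching ids are outside this diff. Verify those heading anchors were generated with the same trailing hyphen, or better, strip it on both sides so the ids look like `#related-topics`, the only one of the four with a clean form.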