diff --git a/.gitignore b/.gitignore
index b674ff367c..60755bf9e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,4 +13,5 @@ packages.config
windows/keep-secure/index.md
# User-specific files
-.vs/
\ No newline at end of file
+.vs/
+*.png
\ No newline at end of file
diff --git a/atp-mdm-onboarding-package.png b/atp-mdm-onboarding-package.png
new file mode 100644
index 0000000000..23b9c49490
Binary files /dev/null and b/atp-mdm-onboarding-package.png differ
diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md
index 6bee2bafd9..fceb199fec 100644
--- a/windows/deploy/windows-10-poc.md
+++ b/windows/deploy/windows-10-poc.md
@@ -153,7 +153,7 @@ The lab architecture is summarized in the following diagram:
[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
[Download VHD and ISO files](#download-vhd-and-iso-files)
-[Convert PC to VHD](#convert-pc-to-vhd)
+[Convert PC to VM](#convert-pc-to-vm)
[Resize VHD](#resize-vhd)
[Configure Hyper-V](#configure-hyper-v)
[Configure VMs](#configure-vms)
@@ -507,21 +507,18 @@ Notes:
### Resize VHD
-**Important**: You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+
+**Enhanced session mode**
-<<<<<<< HEAD
-To verify that enhanced session mode is enabled on your Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
+**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
-Set-VMhost -EnableEnhancedSessionMode $TRUE
-
-If enhanced session mode was previously disabled, you must close and re-open VM connections after enabling it. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
-=======
To verify that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
Set-VMhost -EnableEnhancedSessionMode $TRUE
-If enhanced session mode was not previously enabled, you must close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
->>>>>>> vso-7992313a
+>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
+
+
The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
index 0293f672ae..1c6c64a34a 100644
--- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
+++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
@@ -17,20 +17,105 @@ author: brianlic-msft
This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks.
You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication.
-Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default
-settings.
+Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings.
-
+
+
+
+
+
+
+
+ |
+
+ Windows 8.1
without TPM |
+
+ Windows 8.1 Certified
(with TPM) |
+
+
+|
+ Bootkits and
Rootkits |
+Without TPM, boot integrity checking is not available |
+Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings |
+
+
+|
+ Brute Force
Sign-in |
+Secure by default, and can be improved with account lockout Group Policy |
+Secure by default, and can be improved with account lockout and device lockout Group Policy settings |
+
+
+|
+ DMA
Attacks |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+
+
+|
+ Hyberfil.sys
Attacks |
+Secure by default; hyberfil.sys secured on encrypted volume |
+Secure by default; hyberfil.sys secured on encrypted volume |
+
+
+|
+ Memory
Remanence
Attacks |
+Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication |
+Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication |
+
+
-**Figure 2.** How to choose the best countermeasures for Windows 7
+**Table 1.** How to choose the best countermeasures for Windows 8.1
-
+
+
+
+
+
+
+
+ |
+
+ Windows 10
without TPM |
+
+ Windows 10 Certified
(with TPM) |
+
+
+|
+ Bootkits and
Rootkits |
+Without TPM, boot integrity checking is not available |
+Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings |
+
+
+|
+ Brute Force
Sign-in |
+Secure by default, and can be improved with account lockout Group Policy |
+Secure by default, and can be improved with account lockout and device lockout Group Policy settings |
+
+
+|
+ DMA
Attacks |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+Secure by default; certified devices do not expose vulnerable DMA busses.
Can be additionally secured by deploying policy to restrict DMA devices:
+
+ |
+
+
+|
+ Hyberfil.sys
Attacks |
+Secure by default; hyberfil.sys secured on encrypted volume |
+Secure by default; hyberfil.sys secured on encrypted volume |
+
+
+|
+ Memory
Remanence
Attacks |
+Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication |
+Password protect the firmware and ensure Secure Boot is enabled.
The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. |
+
+
-**Figure 3.** How to choose the best countermeasures for Windows 8
-
-
-
-**Figure 4.** How to choose the best countermeasures for Windows 8.1
+**Table 2.** How to choose the best countermeasures for Windows 10
The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of
DMA ports is infrequent in the non-developer space.
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index 89b4b13d30..a682992574 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -79,7 +79,8 @@ The following steps assume that you have completed all the required steps in [Be
Type in the name of the client property file. It must match the client property file. |
Events URL |
- Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts **For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts |
+ Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+ **For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME |
| Authentication Type |
OAuth 2 |
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index b5b16faf54..c842ea1668 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -37,14 +37,14 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
- 
+ 
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
a. Select **Policy** > **Configuration Policies** > **Add**.
- 
+ 
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
@@ -56,7 +56,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
e. Type the following values then select **OK**:
-
+
- **Setting name**: Type a name for the setting.
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index eaabf72651..27813be3bc 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -917,6 +917,7 @@ write-host $tmp -Foreground Red
- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
- [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
+- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
- [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
- [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)
diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index a47a3fcb64..032e04c1ad 100644
--- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -29,7 +29,7 @@ The credentials are also cleaned up when the WiFi or VPN connection is disconnec
When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
-WinInet will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
+The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
If the app is not UWP, it does not matter.
But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
diff --git a/windows/keep-secure/images/atp-add-intune-policy.png b/windows/keep-secure/images/atp-add-intune-policy.png
new file mode 100644
index 0000000000..61a47e9f37
Binary files /dev/null and b/windows/keep-secure/images/atp-add-intune-policy.png differ
diff --git a/windows/keep-secure/images/atp-intune-add-policy.png b/windows/keep-secure/images/atp-intune-add-policy.png
deleted file mode 100644
index 570ab0a688..0000000000
Binary files a/windows/keep-secure/images/atp-intune-add-policy.png and /dev/null differ
diff --git a/windows/keep-secure/images/atp-mdm-onboarding-package.png b/windows/keep-secure/images/atp-mdm-onboarding-package.png
new file mode 100644
index 0000000000..23b9c49490
Binary files /dev/null and b/windows/keep-secure/images/atp-mdm-onboarding-package.png differ
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
index 3dc835c6a2..0a9feddff7 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -93,3 +93,6 @@ Topic | Description
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
+
+## Related topic
+[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
index 7ad3e53061..58ecb02cde 100644
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-in-windows-10.md
@@ -18,7 +18,7 @@ author: jasesso
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings