Merge branch 'master' into live

.gitignore

@@ -13,4 +13,5 @@ packages.config
 windows/keep-secure/index.md
 
 # User-specific files  
-.vs/
+.vs/
+*.png

windows/deploy/windows-10-poc.md

@@ -153,7 +153,7 @@ The lab architecture is summarized in the following diagram:
 
 [Verify support and install Hyper-V](#verify-support-and-install-hyper-v)<BR>
 [Download VHD and ISO files](#download-vhd-and-iso-files)<BR>
-[Convert PC to VHD](#convert-pc-to-vhd)<BR>
+[Convert PC to VM](#convert-pc-to-vm)<BR>
 [Resize VHD](#resize-vhd)<BR>
 [Configure Hyper-V](#configure-hyper-v)<BR>
 [Configure VMs](#configure-vms)<BR>
@@ -507,21 +507,18 @@ Notes:<BR>
 
 ### Resize VHD
 
-**Important**: You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste <U>files</U> directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+<HR size=4>
+**<I>Enhanced session mode</I>**
 
-<<<<<<< HEAD
-To verify that enhanced session mode is enabled on your Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
+**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste <U>files</U> directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
 
-<pre style="overflow-y: visible">Set-VMhost -EnableEnhancedSessionMode $TRUE</pre>
-
-If enhanced session mode was previously disabled, you must close and re-open VM connections after enabling it. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
-=======
 To verify that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
 
 <pre style="overflow-y: visible">Set-VMhost -EnableEnhancedSessionMode $TRUE</pre>
 
-If enhanced session mode was not previously enabled, you must close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
->>>>>>> vso-7992313a
+>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
+
+<HR size=4>
 
 The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
 

windows/keep-secure/choose-the-right-bitlocker-countermeasure.md

@@ -17,20 +17,105 @@ author: brianlic-msft
 This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks.
 You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication.
 
-Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default 
-settings.
+Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings.
 
-![how to choose best countermeasures for windows 7](images/bitlockerprebootprotection-counterwin7.jpg)
+<table>
+<colgroup>
+<col width="20%" />
+<col width="25%" />
+<col width="55%" />
+</colgroup>
+<tr>
+<td></td>
+<td BGCOLOR="#01BCF3">
+<p><font color="#FFFFFF"><strong>Windows 8.1<br>without TPM</strong></font></p></td>
+<td BGCOLOR="#01BCF3">
+<p><font color="#FFFFFF"><strong>Windows 8.1 Certified<br>(with TPM)</strong></font></p></td>
+</tr>
+<tr class="odd">
+<td BGCOLOR="#FF8C01">
+<p><font color="#FFFFFF">Bootkits and<br>Rootkits</p></font></td>
+<td BGCOLOR="#FED198"><p>Without TPM, boot integrity checking is not available</p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings</p></td>
+</tr>
+<tr class="even">
+<td BGCOLOR="FF8C01">
+<p><font color="#FFFFFF">Brute Force<br>Sign-in</font></p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout Group Policy</p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout and device lockout Group Policy settings</p></td>
+</tr>
+<tr class="odd">
+<td BGCOLOR="#FF8C01">
+<p><font color="#FFFFFF">DMA<br>Attacks</p></font></td>
+<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
+<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
+</tr>
+<tr class="even">
+<td BGCOLOR="FF8C01">
+<p><font color="#FFFFFF">Hyberfil.sys<br>Attacks</font></p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
+</tr>
+<tr class="odd">
+<td BGCOLOR="#FF8C01">
+<p><font color="#FFFFFF">Memory<br>Remanence<br>Attacks</p></font></td>
+<td BGCOLOR="#FED198"><p>Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication</p></td>
+<td BGCOLOR="#99E4FB"><p>Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication</p></td>
+</tr>
+</table>
 
-**Figure 2.** How to choose the best countermeasures for Windows 7
+**Table 1.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 8.1
 
-![how to choose countermeasures for windows 8](images/bitlockerprebootprotection-counterwin8.jpg)
+<table>
+<colgroup>
+<col width="20%" />
+<col width="25%" />
+<col width="55%" />
+</colgroup>
+<tr>
+<td></td>
+<td BGCOLOR="#01BCF3">
+<p><font color="#FFFFFF"><strong>Windows 10<br>without TPM</strong></font></p></td>
+<td BGCOLOR="#01BCF3">
+<p><font color="#FFFFFF"><strong>Windows 10 Certified<br>(with TPM)</strong></font></p></td>
+</tr>
+<tr class="odd">
+<td BGCOLOR="#FF8C01">
+<p><font color="#FFFFFF">Bootkits and<br>Rootkits</p></font></td>
+<td BGCOLOR="#FED198"><p>Without TPM, boot integrity checking is not available</p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings</p></td>
+</tr>
+<tr class="even">
+<td BGCOLOR="FF8C01">
+<p><font color="#FFFFFF">Brute Force<br>Sign-in</font></p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout Group Policy</p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout and device lockout Group Policy settings</p></td>
+</tr>
+<tr class="odd">
+<td BGCOLOR="#FF8C01">
+<p><font color="#FFFFFF">DMA<br>Attacks</p></font></td>
+<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default; certified devices do not expose vulnerable DMA busses.<br>Can be additionally secured by deploying policy to restrict DMA devices:</p>
+<ul>
+<li><p><a href="https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#DataProtection_AllowDirectMemoryAccess">DataProtection/AllowDirectMemoryAccess</a></p></li>
+<li><p><a href="https://support.microsoft.com/en-us/kb/2516445">Block 1394 and Thunderbolt</a></p></li></ul>
+</td>
+</tr>
+<tr class="even">
+<td BGCOLOR="FF8C01">
+<p><font color="#FFFFFF">Hyberfil.sys<br>Attacks</font></p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
+<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
+</tr>
+<tr class="odd">
+<td BGCOLOR="#FF8C01">
+<p><font color="#FFFFFF">Memory<br>Remanence<br>Attacks</p></font></td>
+<td BGCOLOR="#FED198"><p>Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication</p></td>
+<td BGCOLOR="#99E4FB"><p>Password protect the firmware and ensure Secure Boot is enabled.<br>The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.</p></td>
+</tr>
+</table>
 
-**Figure 3.** How to choose the best countermeasures for Windows 8
-
-![how to choose countermeasures for windows 8.1](images/bitlockerprebootprotection-counterwin81.jpg)
-
-**Figure 4.** How to choose the best countermeasures for Windows 8.1
+**Table 2.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 10
 
 The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of 
 DMA ports is infrequent in the non-developer space.

windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md

@@ -79,7 +79,8 @@ The following steps assume that you have completed all the required steps in [Be
     <td>Type in the name of the client property file. It must match the client property file.</td>
     </tr>
     <td>Events URL</td>
-    <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts</td>
+    <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+ </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
     <tr>
     <td>Authentication Type</td>
     <td>OAuth 2</td>

windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md

@@ -37,14 +37,14 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
 
     b.  Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
 
-      ![Endpoint onboarding](images/atp-onboard-mdm.png)
+      ![Endpoint onboarding](images/atp-mdm-onboarding-package.png)
 
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named  *WindowsDefenderATP.onboarding*.
 
 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
 
   a. Select **Policy** > **Configuration Policies** > **Add**.
-  ![Microsoft Intune Configuration Policies](images/atp-intune-add-policy.png)
+  ![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png)
 
   b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
   ![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png)
@@ -56,7 +56,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
   ![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png)
 
   e. Type the following values then select **OK**:
-  
+
   ![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png)
 
   - **Setting name**: Type a name for the setting.

windows/keep-secure/credential-guard.md

@@ -917,6 +917,7 @@ write-host $tmp -Foreground Red
 - [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
 - [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
 - [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
+- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
 - [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
 - [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
 - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)

windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md

@@ -29,7 +29,7 @@ The credentials are also cleaned up when the WiFi or VPN connection is disconnec
 When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 
 For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations). 
 
-WinInet will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. 
+The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. 
 If the app is not UWP, it does not matter. 
 But if it is a UWP app, it will look at the device capability for Enterprise Authentication. 
 If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.

windows/keep-secure/windows-defender-advanced-threat-protection.md

@@ -93,3 +93,6 @@ Topic | Description
 [Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
 [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
 [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
+
+## Related topic
+[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)

windows/keep-secure/windows-defender-in-windows-10.md

@@ -18,7 +18,7 @@ author: jasesso
 Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
 This topic provides an overview of Windows Defender, including a list of system requirements and new features.
 
-For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
 
 Take advantage of Windows Defender by configuring settings and definitions using the following tools:
 -   Microsoft Active Directory *Group Policy* for settings