Merge remote-tracking branch 'refs/remotes/origin/master' into jdhello

windows/keep-secure/TOC.md

@@ -198,7 +198,7 @@
 ###### [Monitor claim types](monitor-claim-types.md)
 ##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 ###### [Audit Credential Validation](audit-credential-validation.md)
-####### [Event 4774 S: An account was mapped for logon.](event-4774.md)
+####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md)
 ####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
 ####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
 ####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)

windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md

@@ -79,8 +79,8 @@ The following steps assume that you have completed all the required steps in [Be
     <td>Type in the name of the client property file. It must match the client property file.</td>
     </tr>
     <td>Events URL</td>
-    <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
- </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
+    <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+ </br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
     <tr>
     <td>Authentication Type</td>
     <td>OAuth 2</td>

windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md

@@ -56,7 +56,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
   </tr>
   <tr>
   <td>Endpoint URL</td>
-  <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
+  <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts  </br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts
 
   </tr>
   <tr>

windows/keep-secure/create-wip-policy-using-sccm.md

@@ -436,11 +436,11 @@ There are no default locations included with WIP, you must add each of your netw
 
     ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png)
 
-        - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
+    - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
 
-        - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
+    - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
 
-        - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
+    - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
 
 5.	In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
     

windows/keep-secure/event-4774.md

@@ -1,6 +1,6 @@
 ---
 title: 4774(S) An account was mapped for logon. (Windows 10)
-description: Describes security event 4774(S) An account was mapped for logon.
+description: Describes security event 4774(S, F) An account was mapped for logon.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -8,14 +8,13 @@ ms.sitesec: library
 author: Mir0sh
 ---
 
-# 4774(S): An account was mapped for logon.
+# 4774(S, F): An account was mapped for logon.
 
 **Applies to**
 -   Windows 10
 -   Windows Server 2016
 
-
-It appears that this event never occurs.
+Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx). 
 
 ***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md)
 
@@ -23,7 +22,7 @@ It appears that this event never occurs.
 
 *An account was mapped for logon.*
 
-*Authentication Package:%1*
+*Authentication Package:Schannel*
 
 *Account UPN:%2*
 

windows/keep-secure/how-to-configure-security-policy-settings.md

@@ -31,9 +31,9 @@ When a local setting is inaccessible, it indicates that a GPO currently controls
 3.  When you find the policy setting in the details pane, double-click the security policy that you want to modify.
 4.  Modify the security policy setting, and then click **OK**.
 
-    **Note**  
-    -   Some security policy settings require that the device be restarted before the setting takes effect.
-    -   Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
+    > [!NOTE]
+    > -   Some security policy settings require that the device be restarted before the setting takes effect.
+    > -   Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
      
 ## <a href="" id="bkmk-domain"></a>To configure a security policy setting using the Local Group Policy Editor console
 
@@ -48,11 +48,13 @@ You must have the appropriate permissions to install and use the Microsoft Manag
 
 4.  In the details pane, double-click the security policy setting that you want to modify.
 
-    >**Note:**  If this security policy has not yet been defined, select the **Define these policy settings** check box.
+    > [!NOTE]
+    > If this security policy has not yet been defined, select the **Define these policy settings** check box.
      
 5.  Modify the security policy setting, and then click **OK**.
 
->**Note:**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
+> [!NOTE]
+> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
  
 ## <a href="" id="bkmk-dc"></a>To configure a setting for a domain controller
 
@@ -65,13 +67,15 @@ The following procedure describes how to configure a security policy setting for
     -   Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
 
 3.  In the details pane, double-click the security policy that you want to modify.
-    >**Note**  If this security policy has not yet been defined, select the **Define these policy settings** check box.
+
+    > [!NOTE]
+    > If this security policy has not yet been defined, select the **Define these policy settings** check box.
      
 4.  Modify the security policy setting, and then click **OK**.
 
-**Important**  
--   Always test a newly created policy in a test organizational unit before you apply it to your network.
--   When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
+> [!IMPORTANT]  
+> -   Always test a newly created policy in a test organizational unit before you apply it to your network.
+> -   When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
  
 ## Related topics
 

windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md

@@ -22,8 +22,8 @@ Credential Manager is a place where credentials in the OS are can be stored for
 For VPN, the VPN stack saves its credential as the session default. 
 For WiFi, EAP does it. 
 
-The credentials are put in Credential Manager as a "`*Session`" credential. 
-A "`*Session`" credential implies that it is valid for the current user session. 
+The credentials are put in Credential Manager as a "\*Session" credential. 
+A "\*Session" credential implies that it is valid for the current user session. 
 The credentials are also cleaned up when the WiFi or VPN connection is disconnected. 
 
 When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 

windows/keep-secure/index.md

@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
 # Keep Windows 10 secure

windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md

@@ -2222,7 +2222,20 @@ Description of the error. </dt>
 <td colspan="2">
 <p>The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.</p>
 </td>
-</tr><tr><th rowspan="3">Event ID: 2050</th><td><p>Symbolic name:</p></td><td colspan="2"><p><b>MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED</b></p></td></tr><tr><td><p>Message:</p></td><td colspan="2"><p><b>The antimalware engine has uploaded a file for further analysis.<br />Filename &lt;uploaded filename&gt;<br />Sha256: &lt;file SHA&gt;</b></p></td></tr><tr><td><p>Description:</p></td><td colspan="2"><p>A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.</p></td></tr>
+</tr>
+<tr><th rowspan="3">Event ID: 2050</th><td><p>Symbolic name:</p></td><td colspan="2"><p><b>MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD</b></p></td></tr><tr><td><p>Message:</p></td><td colspan="2"><p><b>The antimalware engine has uploaded a file for further analysis.<br />Filename &lt;uploaded filename&gt;<br />Sha256: &lt;file SHA&gt;</b></p></td></tr><tr><td><p>Description:</p></td><td colspan="2"><p>A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.</p></td></tr>
+
+<tr><th rowspan="4">Event ID: 2051</th><td><p>Symbolic name:</p></td><td colspan="2"><p><b>MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED</b></p></td></tr><tr><td><p>Message:</p></td><td colspan="2"><p><b>The antimalware engine has encountered an error trying to upload a suspicious file for further analysis.<br />
+Filename: &lt;uploaded filename&gt;<br />
+Sha256: &lt;file SHA&gt;<br />
+Current Signature Version: &lt;signature version number&gt;<br/>
+Current Engine Version: &lt;engine version number&gt;<br />
+Error code: &lt;error code&gt;</b></p></td></tr><tr><td><p>Description:</p></td><td colspan="2"><p>A file could not be uploaded to the Windows Defender Antimalware cloud.</p></td></tr><tr><td><p>User action:</p></td><td colspan="2"><p>You can attempt to manually submit the file.</p></td></tr>
+
+
+
+
+
 <tr>
 <th rowspan="4">Event ID: 3002</th>
 <td>

windows/keep-secure/using-owa-with-wip.md

@@ -23,7 +23,6 @@ Because Outlook Web Access (OWA) can be used both personally and as part of your
 |-------|-------------|
 |Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. |
 |Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. |
-|Do all of the following:<ul><li>Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.</li><li>Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.</li><li>Add the following URLs to the Neutral Resources network element in your WIP policy:<ul><li>outlook.office365.com</li><li>outlook.office.com</li><li>outlook-sdf.office.com</li><li>attachment.outlook.office.net</li></ul></li></ul> |Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal. |
 |Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. |
 
 >[!NOTE]