acrolinx-windows-security

windows/security/identity-protection/smart-cards/smart-card-debugging-information.md

@@ -26,9 +26,9 @@ Debugging and tracing smart card issues requires a variety of tools and approach
 
 -   [Certutil](#certutil)
 
--   [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
+-   [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
 
--   [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+-   [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
 
 -   [Smart Card service](#smart-card-service)
 
@@ -42,22 +42,22 @@ For a complete description of Certutil including examples that show how to use i
 
 ### List certificates available on the smart card
 
-To list certificates that are available on the smart card, type certutil -scinfo.
+To list certificates that are available on the smart card, type `certutil -scinfo`.
 
 > [!NOTE]
 > Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
 
 ### Delete certificates on the smart card
 
-Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
+Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate.
 
-To find the container value, type certutil -scinfo.
+To find the container value, type `certutil -scinfo`.
 
 To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
 
 ## Debugging and tracing using WPP
 
-Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
 
 ### Enable the trace
 
@@ -65,21 +65,21 @@ Using WPP, use one of the following commands to enable tracing:
 
 - **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
 
-- **logman start** &lt;*FriendlyName*&gt; **-ets -p {**&lt;*GUID*&gt;**} -**&lt;*Flags*&gt; **-ft 1 -rt -o .\\**&lt;*LogFileName*&gt;<em>**.etl -mode 0x00080000</em>*
+- **logman start** &lt;*FriendlyName*&gt; **-ets -p {**&lt;*GUID*&gt;**} -**&lt;*Flags*&gt; **-ft 1 -rt -o .\\**&lt;*LogFileName*&gt;<em>**.etl -mode 0x00080000</em>**
 
 You can use the parameters in the following table.
 
 | Friendly name | GUID           | Flags |
 |-------------------|--------------------------------------|-----------|
-| scardsvr          | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff    |
-| winscard          | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff    |
-| basecsp           | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7       |
-| scksp             | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7       |
-| msclmd            | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7       |
-| credprov          | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff    |
-| certprop          | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff    |
-| scfilter          | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff    |
-| wudfusbccid       | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff    |
+| `scardsvr`          | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff    |
+| `winscard`          | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff    |
+| `basecsp`           | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7       |
+| `scksp`             | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7       |
+| `msclmd`            | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7       |
+| `credprov`          | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff    |
+| `certprop`          | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff    |
+| `scfilter`          | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff    |
+| `wudfusbccid`       | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff    |
 
 Examples
 
@@ -119,7 +119,7 @@ You can use these resources to troubleshoot these protocols and the KDC:
 
 -   [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit).  You can use the trace log tool in this SDK to debug Kerberos authentication failures.
 
-To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
 
 ### NTLM
 
@@ -143,7 +143,7 @@ To stop tracing for Kerberos authentication, run this command:
 
 ### KDC
 
-To enable tracing for the Key Distribution Center (KDC), run the following command on the command line:
+To enable tracing for the KDC, run the following command on the command line:
 
  - **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
 
@@ -166,7 +166,7 @@ You can also configure tracing by editing the Kerberos registry values shown in
 | Kerberos    | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos<br>Value name: LogToFile<br>Value type: DWORD<br>Value data: 00000001<br><br>HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters<br>Value name: KerbDebugLevel<br>Value type: DWORD<br>Value data: c0000043<br><br>HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters<br>Value name: LogToFile<br>Value type: DWORD<br>Value data: 00000001 |
 | KDC         | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc<br>Value name: KdcDebugLevel<br>Value type: DWORD<br>Value data: c0000803                  |
 
-If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
 
 If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
 
@@ -176,7 +176,7 @@ If you used the registry key settings shown in the previous table, look for the
 
 -   KDC: %systemroot%\\tracing\\kdcsvc 
 
-To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx).
+To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](https://msdn.microsoft.com/library/ff552974.aspx).
 
 ## Smart Card service
 
@@ -198,11 +198,11 @@ The smart card resource manager service runs in the context of a local service.
 
 2.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
 
-3.  At the command prompt, type **net stop SCardSvr**.
+3.  At the command prompt, type `net stop SCardSvr`.
 
-4.  At the command prompt, type **net start SCardSvr**.
+4.  At the command prompt, type `net start SCardSvr`.
 
-You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
+You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
 
 The following code sample is an example output from this command:
 

windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md

@@ -30,15 +30,15 @@ Stored information | Description
 -------------------|------------
 Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
 BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
-BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde. 
+BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. 
 
 ## What if BitLocker is enabled on a computer before the computer has joined the domain?
 
-If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
+If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
 
 For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
 
-The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
 
 ```PowerShell
 $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
@@ -61,7 +61,7 @@ Ultimately, determining whether a legitimate backup exists in AD DS requires qu
 
 No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
 
-## What happens if the backup initially fails? Will BitLocker retry the backup?
+## What happens if the backup initially fails? Will BitLocker retry it?
 
 If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
 
@@ -69,5 +69,5 @@ When an administrator selects the **Require BitLocker backup to AD DS** check b
 
 For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
 
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
 

windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md

@@ -25,7 +25,14 @@ ms.custom: bitlocker
 
 ## What is BitLocker To Go?
 
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of: 
 
-As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel. 
+- USB flash drives
+- SD cards
+- External hard disk drives
+- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. 
+ 
+Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
+
+As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.