Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

2025-06-16 10:53:43 +00:00 · 2017-04-06 10:38:32 -07:00
parent 2a27635b37 cc5af58730
commit df56641810
25 changed files with 601 additions and 134 deletions
--- a/mdop/agpm/choosing-which-version-of-agpm-to-install.md
+++ b/mdop/agpm/choosing-which-version-of-agpm-to-install.md
@ -50,31 +50,37 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
 <td align="left"><p>Supported</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Windows Server 2012 R2</p></td>
 <td align="left"><p>Windows 10</p></td>
 <td align="left"><p>Supported with the caveats outlined in [KB 4015786](https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv)
 </p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Windows Server 2012 R2 or Windows 8.1</p></td>
 <td align="left"><p>Windows Server 2012 R2 or Windows 8.1</p></td>
 <td align="left"><p>Supported</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
 <td align="left"><p>Windows Server 2012 or Windows 8.1</p></td>
 <td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
 <td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
 <td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
 <td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
 <td align="left"><p>Not supported</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
 <td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
 <td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
--- a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md
@ -1491,7 +1491,7 @@ This event sends data about the device, including hardware type, OEM brand, mode
 The following fields are available:
- **ChassisType**  Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 24.
+- **ChassisType**  Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
 - **ComputerHardwareID**  Identifies a device class that is represented by a hash of different SMBIOS fields.
 - **DeviceColor**  Indicates a color of the device.
 - **DeviceName**  The device name that is set by the user.
--- a/windows/configure/kiosk-shared-pc.md
+++ b/windows/configure/kiosk-shared-pc.md
@ -17,7 +17,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
 | Topic | Description |
 | --- | --- |
-| [Set up a shared or guest PC with Windows 10](set-up-a-device-for-anyone-to-use.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.  |
+| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.  |
 | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select.  |
 | [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device.  |
 | [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@ -21,6 +21,7 @@
 #### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
 #### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
 ### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
 ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
 ## [Protect derived domain credentials with Credential Guard](credential-guard.md)
 ### [How Credential Guard works](credential-guard-how-it-works.md)
 ### [Credential Guard Requirements](credential-guard-requirements.md)
--- a/windows/keep-secure/bitlocker-frequently-asked-questions.md
+++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md
@ -97,44 +97,13 @@ Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLo
 ### <a href="" id="bkmk-decryptfirst"></a>Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
-The following table lists what action you need to take before you perform an upgrade or update installation.
+No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start). 
 Users need to suspend BitLocker for Non-Microsoft software updates, such as:   
 - Computer manufacturer firmware updates
 - TPM firmware updates
 - Non-Microsoft application updates that modify boot components
 <table>
 <colgroup>
 <col width="50%" />
 <col width="50%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Type of update</th>
 <th align="left">Action</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>Windows Anytime Upgrade</p></td>
 <td align="left"><p>Decrypt</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>[Feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) for Windows 10 (example: Windows 10, version 1703)</p></td>
 <td align="left"><p>Suspend</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Non-Microsoft software updates, such as:</p>
 <ul>
 <li><p>Computer manufacturer firmware updates</p></li>
 <li><p>TPM firmware updates</p></li>
 <li><p>Non-Microsoft application updates that modify boot components</p></li>
 </ul></td>
 <td align="left"><p>Suspend</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Software and [quality updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) from Windows Update</p></td>
 <td align="left"><p>Nothing</p></td>
 </tr>
 </tbody>
 </table>
 > **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
 ## <a href="" id="bkmk-deploy"></a>Deployment and administration
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@ -25,6 +25,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 |[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New |
 |[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New |
 |[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New |
 |[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. |
 ## January 2017
 |New or changed topic |Description |
--- a/windows/keep-secure/credential-guard-manage.md
+++ b/windows/keep-secure/credential-guard-manage.md
@ -1,4 +1,4 @@
---
+---
 title: Manage Credential Guard (Windows 10)
 description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
 ms.prod: w10
@ -19,7 +19,9 @@ Prefer video? See [Protecting privileged users with Credential Guard](https://mv
 in the Deep Dive into Credential Guard video series.
 ## Enable Credential Guard
-Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
+Credential Guard can be enabled either by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. 
 The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines.
 ### Enable Credential Guard by using Group Policy
@ -41,7 +43,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
 If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
-### Add the virtualization-based security features
+#### Add the virtualization-based security features
 Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
@ -74,7 +76,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
 > [!NOTE]  
 > You can also add these features to an online image by using either DISM or Configuration Manager.
-### Enable virtualization-based security and Credential Guard
+#### Enable virtualization-based security and Credential Guard
 1.  Open Registry Editor.
 2.  Enable virtualization-based security:
@ -101,22 +103,16 @@ DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
 ### Credential Guard deployment in virtual machines
-Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
-Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
+#### Requirements for running Credential Guard in Hyper-V virtual machines
 ``` PowerShell
 Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
 ```
 Requirements for running Credential Guard in Hyper-V virtual machines
 - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
 - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. 
 ### Review Credential Guard performance
-### Check that Credential Guard is running
+You can view System Information to check that Credential Guard is running on a PC.
 You can use System Information to ensure that Credential Guard is running on a PC.
 1.  Click **Start**, type **msinfo32.exe**, and then click **System Information**.
 2.  Click **System Summary**.
@ -132,10 +128,31 @@ You can also check that Credential Guard is running by using the [Device Guard a
 DG_Readiness_Tool_v3.0.ps1 -Ready
 ```
 -   If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain.
-### Remove Credential Guard
+-   You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
    -   **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
    -   **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
        -   The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
        -   The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
    -   **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
    -   **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
    -   **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
    You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
    -   **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
 -   Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
 -   Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
 -   As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
-If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
+-   Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
    -   Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
    -   Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
    -   You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
    - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. 
 ## Disable Credential Guard
 If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
 1.  If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
 2.  Delete the following registry settings:
@ -146,11 +163,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of
    > [!IMPORTANT]  
    > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
-3.  Delete the Credential Guard EFI variables by using bcdedit.
+3.  Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
 **Delete the Credential Guard EFI variables**
 1.  From an elevated command prompt, type the following commands:
    ``` syntax
    mountvol X: /s
@ -180,7 +193,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of
 For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
 <span id="turn-off-with-hardware-readiness-tool" />
-#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
 You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
@ -188,5 +201,15 @@ You can also disable Credential Guard by using the [Device Guard and Credential
 DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
 ```
 #### Disable Credential Guard for a virtual machine
 From the host, you can disable Credential Guard for a virtual machine:
 ``` PowerShell
 Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
 ```
--- a/windows/keep-secure/credential-guard-not-protected-scenarios.md
+++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md
@ -29,13 +29,9 @@ Some ways to store credentials are not protected by Credential Guard, including:
 -   Third-party security packages
 -   Digest and CredSSP credentials
    -   When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
-   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
+-   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- 
-
+-  When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
->[!NOTE] 
+-  Windows logon cached password verifiers (commonly called "cached credentials")
 When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
 >[!NOTE] 
 Windows logon cached password verifiers (commonly called "cached credentials")
 do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
 ## Additional mitigations
@ -638,42 +634,6 @@ write-host $tmp -Foreground Red
 > [!NOTE]  
 > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
 ## Troubleshooting Credential Guard
 ### Known Issues
 Microsoft is aware of certain issues with Credential Guard that affect client machines that run Windows 10.
 •	For devices with Credential Guard enabled, a sign-in attempt that fails because of a bad password counts as two bad password attempts instead of one. Consequently, if your enterprise has an account lockout policy based on a certain number of failed password attempts, that threshold will be reached in half the number of attempts. 
 This issue has been resolved for clients that run Windows 10 version 1703. For clients that run Windows 10 version 1607, a hotfix is available for download to resolve the issue. For clients that run Windows 10 versions 1507 or 1511, no hotfix is available. For those operating systems, to resolve the issue, you can upgrade the client to a later version of Windows 10. As a workaround, administrators can either choose to increase the account lockout threshold accordingly, consistent with current security policy, or can disable Credential Guard. For further information, see Credential Guard generates double bad password count
 Credential guard has known issues on Windows 10 when used with certain third-party applications:
 •	Applications Appsense and Lumension E S. are known to cause high CPU utilization on Windows 10 client machines with credential guard enabled. 
 •	Citrix Applications are known to cause high CPU utilization on Windows 10 client machines. This issue is currently under investigation.
 •	Cisco Proxy Agents are known to cause authentication failure on Windows 10 client machines. This issue is currently under investigation.
 •	Client machines with Credential Guard enabled cannot access shares on For further information see: Machines with Credential Guard enabled unable to connect to IBM File Servers
 ### How-to
 ## See also
 **Deep Dive into Credential Guard: Related videos**
--- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
@ -24,11 +24,11 @@ Windows 10 includes Group Policy-configurable “Process Mitigation Options” t
 The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are:
- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. 
+- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention).
- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. 
+- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. 
+- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). 
    To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`.
 The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
--- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
@ -0,0 +1,457 @@
 ---
 title: Mitigate threats by using Windows 10 security features (Windows 10)
 description: This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. 
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
 author: justinha
 ---
 # Mitigate threats by using Windows 10 security features
 **Applies to:**
 - Windows 10
 This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics).
 | **Section**  | **Contents** |
 |--------------|-------------------------|
 | [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats.  |
 | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). |
 | [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. |
 | [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. |
 <a href="" id="threat-landscape"></a>This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration:
 <img src="images/threat-mitigations-pre-breach-post-breach-conceptual.png" alt="Types of defenses in Windows 10" />
 *Figure 1.&nbsp;&nbsp;Device protection and threat resistance as part of the Windows 10 security defenses*
 ## The security threat landscape
 Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
 In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to:
 -   Eliminate entire classes of vulnerabilities
 -   Break exploitation techniques
 -   Contain the damage and prevent persistence
 -   Limit the window of opportunity to exploit
 The following sections provide more detail about security mitigations in Windows 10, version 1703.
 ## Windows 10 mitigations that you can configure
 Windows 10 mitigations that you can configure are listed in the following two tables. The first table covers a wide array of protections for devices and users across the enterprise and the second table drills down into specific memory protections such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory in order to gain control of a system.
 **Table 1  Windows 10 mitigations that you can configure**
 | Mitigation and corresponding threat | Description and links |
 |---|---|
 | **Windows Defender SmartScreen**<br> helps prevent<br>malicious applications<br>from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.<br><br>**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
 | **Credential Guard**<br> helps keep attackers<br>from gaining access through<br>Pass-the-Hash or<br>Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) |
 | **Enterprise certificate pinning**<br> helps prevent <br>man-in-the-middle attacks<br>that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf. <br><br>**More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) |
 | **Device Guard**<br> helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) |
 | **Windows Defender Antivirus**,<br>which helps keep devices<br>free of viruses and other<br>malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.<br><br>**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic |
 | **Blocking of untrusted fonts**<br> helps prevent fonts<br>from being used in<br>elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).<br><br>**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |
 | **Memory protections**<br> help prevent malware<br>from using memory manipulation<br>techniques such as buffer<br>overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:<br>A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.<br><br>**More information**: [Table 2](#table-2), later in this topic |
 | **UEFI Secure Boot**<br> helps protect<br>the platform from<br>bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.<br><br>**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot)</a> |
 | **Early Launch Antimalware (ELAM)**<br> helps protect<br>the platform from<br>rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.<br><br>**More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) |
 | **Device Health Attestation**<br> helps prevent<br>compromised devices from<br>accessing an organization’s<br>assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.<br><br>**More information**: [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) |
 Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly.
 As an IT professional, you can ask application developers and software vendors to deliver applications that include an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications. More information can be found in [Control Flow Guard](#control-flow-guard).
 ### <span id="table-2" class="anchor"></span>Table 2&nbsp;&nbsp;Configurable Windows 10 mitigations designed to help protect against memory exploits
 | Mitigation and corresponding threat | Description |
 |---|---|
 | **Data Execution Prevention (DEP)**<br> helps prevent<br>exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.<br>DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.<br>**More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.<br><br>**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
 | **SEHOP**<br> helps prevent<br>overwrites of the<br>Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.<br>**More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.<br><br>**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
 | **ASLR**<br> helps mitigate malware<br>attacks based on<br>expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This helps mitigate malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.<br>**More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.<br><br>**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
 ### Windows Defender SmartScreen
 Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads.
 For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
 For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md).
 ### Windows Defender Antivirus
 Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
 -   **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
 -   **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content.
 -   **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
 -   **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
 -   **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution.
 <!-- Watch the link text for the following links - try to keep it in sync with the actual topic. -->
 For more information, see [Windows Defender in Windows 10](windows-defender-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
 For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Windows Defender Advanced Threat Protection (ATP)](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-advanced-threat-protection) (documentation).
 ### Data Execution Prevention
 Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?
 Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability exploit.
 **To use Task Manager to see apps that use DEP**
 1.  Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen.
 2.  Click **More Details** (if necessary), and then click the **Details** tab.
 3.  Right-click any column heading, and then click **Select Columns**.
 4.  In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box.
 5.  Click **OK**.
 You can now see which processes have DEP enabled. 
 <!-- This might be a good place to mention the cmdlet that lets you see the same kind of output. -->
 ![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png)
 *Figure 2.&nbsp;&nbsp;Processes on which DEP has been enabled in Windows 10*
 You can use Control Panel to view or change DEP settings.
 #### To use Control Panel to view or change DEP settings on an individual PC
 1.  Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER.
 2.  Click **Advanced system settings**, and then click the **Advanced** tab.
 3.  In the **Performance** box, click **Settings**.
 4.  In **Performance Options**, click the **Data Execution Prevention** tab.
 5.  Select an option:
    -   **Turn on DEP for essential Windows programs and services only**
    -   **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on.
 #### To use Group Policy to control DEP settings
 You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. A few applications have compatibility problems with DEP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
 ### Structured Exception Handling Overwrite Protection
 Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements.
 You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
 ### Address Space Layout Randomization
 One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. Any malware that could write directly to the system memory could simply overwrite it in well-known and predictable locations.
 Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
 ![ASLR at work](images/security-fig4-aslr.png)
 **Figure 3.&nbsp;&nbsp;ASLR at work**
 Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another.
 You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
 ## Mitigations that are built in to Windows 10
 Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations.
 Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled.
 ### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed
 | Mitigation and corresponding threat | Description |
 |---|---|
 | **SMB hardening for SYSVOL and NETLOGON shares**<br>helps mitigate<br>man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).<br><br>**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. |
 | **Protected Processes**<br>help prevent one process<br>from tampering with another<br>process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.<br><br>**More information**: [Protected Processes](#protected-processes), later in this topic. |
 | **Universal Windows apps protections**<br>screen downloadable<br>apps and run them in<br>an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.<br><br>**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
 | **Heap protections**<br>help prevent<br>exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.<br><br>**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
 | **Kernel pool protections**<br>help prevent<br>exploitation of pool memory<br>used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.<br><br>**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
 | **Control Flow Guard**<br>helps mitigate exploits<br>that are based on<br>flow between code locations<br>in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.<br>For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.<br><br>**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
 | **Protections built into Microsoft Edge** (the browser)<br>helps mitigate multiple<br>threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.<br><br>**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. |
 ### SMB hardening improvements for SYSVOL and NETLOGON shares
 In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts.
 > [!NOTE]
 > The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see  [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/).
 ### Protected Processes
 Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type.
 With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
 ### Universal Windows apps protections
 When users download Universal Windows apps from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
 Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
 In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
 ### Windows heap protections
 The *heap* is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack.
 Windows 10 has several important improvements to the security of the heap:
 -   **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption.
 -   **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
 -   **Heap guard pages** before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
 ### Kernel pool protections
 The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against such attacks.
 In addition to pool hardening, Windows 10 includes other kernel hardening features:
 -   **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic.
 -   **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx).
 -   **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.)
 -   **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
 -   **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination.
 -   **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory.
 ### Control Flow Guard
 When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the opportunity to change the flow to meet their needs.
 This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
 An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx).
 Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG.
 ### Microsoft Edge and Internet Explorer 11
 Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
 All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority.
 Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially:
 -   **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions.
 -   **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits.
 -   **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues.
 -   **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
 -   **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default.
 In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security.
 For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
 ### Functions that software vendors can use to build mitigations into apps
 Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you are working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps.
 > [!NOTE]
 > Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic.
 ### Table 4   Functions available to developers for building mitigations into apps
 | Mitigation  | Function  |
 |-------------|-----------|
 | LoadLib image loading restrictions  | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)<br>\[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] |
 | MemProt dynamic code restriction    | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)<br>\[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] |
 | Child Process Restriction to restrict the ability to create child processes      | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)<br>\[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] |
 | Code Integrity Restriction to restrict image loading                             | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)<br>\[ProcessSignaturePolicy\] |
 | Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)<br>\[ProcessSystemCallDisablePolicy\] |
 | High Entropy ASLR for up to 1TB of variance in memory allocations                | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)<br>\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] |
 | Strict handle checks to raise immediate exception upon bad handle reference      | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)<br>\[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\]    |
 | Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)<br>\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
 | Heap terminate on corruption to protect the system against a corrupted heap      | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)<br>\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\]  |
 ## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit 
 You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
 Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)).
 The following table lists EMET features in relation to Windows 10 features.
 ### Table 5   EMET features in relation to Windows 10 features
 <table>
 <thead>
 <tr class="header">
 <th><strong>Specific EMET features</strong></th>
 <th><strong>How these EMET features map<br />
 to Windows 10 features</strong></th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td><ul>
 <li><p>DEP</p></li>
 <li><p>SEHOP</p></li>
 <li><p>ASLR (Force ASLR, Bottom-up ASLR)</p></li>
 </ul></td>
 <td><p>DEP, SEHOP and ASLR are included in Windows 10 as configurable features. See <a href="#table-2">Table 2</a>, earlier in this topic.</p>
 <p>You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.</p></td>
 </tr>
 <tr class="even">
 <td><ul>
 <li><p>Load Library Check (LoadLib)</p></li>
 <li><p>Memory Protection Check (MemProt)</p></li>
 </ul></td>
 <td>LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See <a href="#functions-that-software-vendors-can-use-to-build-mitigations-into-apps">Table 4</a>, earlier in this topic.</td>
 </tr>
 <tr class="odd">
 <td><ul>
 <li><p>Null Page</p></li>
 </ul></td>
 <td>Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in <a href="#kernel-pool-protections">Kernel pool protections</a>, earlier in this topic.</td>
 </tr>
 <tr class="even">
 <td><ul>
 <li><p>Heap Spray</p></li>
 <li><p>EAF</p></li>
 <li><p>EAF+</p></li>
 </ul></td>
 <td>Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.</td>
 </tr>
 <tr class="odd">
 <td><ul>
 <li><p>Caller Check</p></li>
 <li><p>Simulate Execution Flow</p></li>
 <li><p>Stack Pivot</p></li>
 <li><p>Deep Hooks (an ROP “Advanced Mitigation”)</p></li>
 <li><p>Anti Detours (an ROP “Advanced Mitigation”)</p></li>
 <li><p>Banned Functions (an ROP “Advanced Mitigation”)</p></li>
 </ul></td>
 <td>Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in <a href="#control-flow-guard">Control Flow Guard</a>, earlier in this topic.</td>
 </tr>
 </tbody>
 </table>
 ### Converting an EMET XML settings file into Windows 10 mitigation policies
 One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet:
 ```powershell
 Install-Module -Name ProcessMitigations
 ```
 The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file. 
 To get the current settings on all running instances of notepad.exe:
 ```powershell
 Get-ProcessMitigation -Name notepad.exe -RunningProcess
 ```
 To get the current settings in the registry for notepad.exe:
 ```powershell
 Get-ProcessMitigation -Name notepad.exe
 ```
 To get the current settings for the running process with pid 1304:
 ```powershell
 Get-ProcessMitigation -Id 1304
 ```
 To get the all process mitigation settings from the registry and save them to the xml file settings.xml:
 ```powershell
 Get-ProcessMitigation -RegistryConfigFilePath settings.xml
 ```
 The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file.
 To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and disable MandatoryASLR:
 ```powershell
 Set-ProcessMitigation -Name Notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR
 ```
 To set the process mitigations from an XML file (which can be generated from get-ProcessMitigation -RegistryConfigFilePath settings.xml):
 ```powershell
 Set-ProcessMitigation -PolicyFilePath settings.xml
 ```
 To set the system default to be MicrosoftSignedOnly:
 ```powershell
 Set-ProcessMitigation -System -Enable MicrosoftSignedOnly
 ```
 The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. The syntax is:
 ```powershell
 ConvertTo-ProcessMitigationPolicy -EMETFilePath <String> -OutputFilePath <String> [<CommonParameters>]
 ```
 Examples:
 -   **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation settings. For example:
    ```powershell
    ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml
    ```
 -   **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad:
    ```powershell
    Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
    ```
 -   **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
 -   **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example:
    ```powershell
    ConvertTo-ProcessMitigationPolicy -EMETfilePath certtrustrules.xml -OutputFilePath enterprisecertpinningrules.xml
    ```
 #### EMET-related products
 Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (ATP).
 ## Related topics
 - [Keep Windows 10 secure](index.md)
 - [Security technologies in Windows 10](security-technologies.md)
 - [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance)
 - [Windows Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp)
 - [Windows Defender Advanced Threat Protection (ATP) - documentation](windows-defender-advanced-threat-protection.md)
 - [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx)
 - [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection)
 - [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx)
--- a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
@ -1029,7 +1029,7 @@ Description of the error. </dt>
 <dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
 <p>NOTE:
 <p>Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
-<li>Default Internet Explorer or Edge setting</li>
+<li>Default Internet Explorer or Microsoft Edge setting</li>
 <li>User Access Control settings</li>
 <li>Chrome settings</li>
 <li>Boot Control Data</li>
--- a/windows/update/change-history-for-update-windows-10.md
+++ b/windows/update/change-history-for-update-windows-10.md
@ -15,5 +15,7 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
 ## RELEASE: Windows 10, version 1703
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
-
+* [Windows Insider Program for Business](waas-windows-insider-for-business.md)
 * [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
 * [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
--- a/windows/update/images/waas-wipfb-aad-classicaad.png
+++ b/windows/update/images/waas-wipfb-aad-classicaad.png
--- a/windows/update/images/waas-wipfb-aad-classicenable.png
+++ b/windows/update/images/waas-wipfb-aad-classicenable.png
--- a/windows/update/images/waas-wipfb-aad-consent.png
+++ b/windows/update/images/waas-wipfb-aad-consent.png
--- a/windows/update/images/waas-wipfb-aad-error.png
+++ b/windows/update/images/waas-wipfb-aad-error.png
--- a/windows/update/images/waas-wipfb-aad-newaad.png
+++ b/windows/update/images/waas-wipfb-aad-newaad.png
--- a/windows/update/images/waas-wipfb-aad-newdirectorybutton.png
+++ b/windows/update/images/waas-wipfb-aad-newdirectorybutton.png
--- a/windows/update/images/waas-wipfb-aad-newenable.png
+++ b/windows/update/images/waas-wipfb-aad-newenable.png
--- a/windows/update/images/waas-wipfb-aad-newusersettings.png
+++ b/windows/update/images/waas-wipfb-aad-newusersettings.png
--- a/windows/update/index.md
+++ b/windows/update/index.md
@ -41,6 +41,7 @@ Windows as a service provides a new way to think about building, deploying, and
 | [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
 | [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates.  |
 | [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. |
 | [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
 >[!TIP]
 >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
--- a/windows/update/waas-configure-wufb.md
+++ b/windows/update/waas-configure-wufb.md
@ -84,11 +84,11 @@ After you configure the servicing branch (CB or CBB), you can then define if, an
 ## Pause Feature Updates
-You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 60 days to the start date. 
+Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. 
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
 With version 1703, pausing through the settings app will provide a more consistent experience:
 - Any active restart notification are cleared or closed
@ -98,6 +98,8 @@ With version 1703, pausing through the settings app will provide a more consiste
 >[!IMPORTANT]
 >This policy does not apply to Windows 10 Mobile Enterprise.
 >
 >Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates.
 **Pause Feature Updates policies**
@ -110,7 +112,7 @@ With version 1703, pausing through the settings app will provide a more consiste
 You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. 
-The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor.  To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor.  To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
 | Value | Status|
 | --- | --- |
--- a/windows/update/waas-windows-insider-for-business-aad.md
+++ b/windows/update/waas-windows-insider-for-business-aad.md
@ -37,12 +37,11 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc
 ## Enroll a device with an Azure Active Directory account
 1. Visit [insider.windows.com](https://insider.windows.com). Sign-in with your corporate account in AAD and follow the on-screen registration directions. 
 2. On your Windows 10 device, go to **Settings > Updates & Security >  Windows Insider Program**. 
 3. Enter the AAD account that you used to register and follow the on-screen directions. 
 >[!NOTE]
 >Make sure that you have administrator rights to the machine and that it has latest Windows updates. 
 3. Enter the AAD account that you used to register and follow the on-screen directions. 
 ## Switch device enrollment from your Microsoft account to your AAD account 
 1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account. 
 2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**. 
@ -55,6 +54,46 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc
 >[!NOTE]
 >Your device must be connected to your corporate account in AAD for the account to appear in the account list.
 ## User consent requirement
 With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions, like this:
 ![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png)
 Once agreed, everything will work fine and that user won't be asked for permissions again.
 ### Something went wrong
 The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent.
 In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message:
 ![Feedback Hub consent error message](images/waas-wipfb-aad-error.png)
 This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials.
 **To fix this issue**, an adminsitrator of the AAD directory will need to enable user consent for apps to access their data.
 To do this through the **classic Azure portal**:
 1. Go to https://manage.windowsazure.com/ .
 2. Switch to the **Active Directory** dashboard.  
   ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png)
 3. Select the appropriate directory and go to the **Configure** tab.
 4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**.  
   ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png)
 To do this through the **new Azure portal**:
 1. Go to https://portal.azure.com/ .
 2. Switch to the **Active Directory** dashboard.  
   ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png)
 3. Switch to the appropriate directory.  
   ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png)
 4. Under the **Manage** section, select **User settings**.  
   ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png)
 5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**.  
   ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png)
 ## Frequently Asked Questions
 ### Will my test machines be affected by automatic registration?
--- a/windows/update/waas-windows-insider-for-business-faq.md
+++ b/windows/update/waas-windows-insider-for-business-faq.md
@ -31,11 +31,12 @@ Hindi, Catalan, and Vietnamese can only be installed as a language pack over [su
 > To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc).
 ### How do I register for  the Windows Insider Program for Business? 
-To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account  \that you use for Office 365 and other Microsoft services. 
+To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services. 
 1. Visit https://insider.windows.com and click **Get Started**. 
 2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions. 
-3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. 
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
 >[!NOTE]
 >Make sure that you have administrator rights to your machine and that it has latest Windows updates.
--- a/windows/update/waas-windows-insider-for-business.md
+++ b/windows/update/waas-windows-insider-for-business.md
@ -20,7 +20,7 @@ localizationpriority: high
 For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
 The Windows Insider Program for Business gives you the opportunity to: 
-* Get early access to Windows Insider Preview Builds 
+* Get early access to Windows Insider Preview Builds. 
 * Provide feedback to Microsoft in real-time via the Feedback Hub app.
 * Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
@ -56,9 +56,8 @@ Best for Insiders who enjoy getting early access to updates for the Current Bran
 Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
-* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch  
+* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch.
-* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows  
+* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.  
 Ring 
 ### Slow
@ -70,11 +69,12 @@ The Slow Windows Insider level is for users who enjoy seeing new builds of Windo
 ### Fast
-Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great 
+Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great.
 * Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds. 
 * Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations. 
-* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. • Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum 
+* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked.
 * Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum.
 >[!NOTE]
 >Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
@ -85,11 +85,11 @@ During your time in the Windows Insider Program, you may want to change between
 1. Go to **Settings > Updates & Security >  Windows Insider Program**
 2. Under **Choose your level**, select between the following rings -
-    * [Windows Insider Fast](#fast)
+  * [Windows Insider Fast](#fast)
-    * [Windows Insider Slow](#slow)
+  * [Windows Insider Slow](#slow)
-    * [Release Preview](#release-preview)
+  * [Release Preview](#release-preview)
-## How to switch between you MSA and your Corporate AAD account
+## How to switch between your MSA and your Corporate AAD account
 The Windows Insider Program for Business now gives users the option to register and enroll devices using a corporate account in [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) (AAD) as well as their Microsoft Account (MSA).
@ -108,11 +108,16 @@ When providing feedback, please consider the following:
 3. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible.
 ### How to use your corporate AAD account for additional Feedback Hub benefits 
-Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that are using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
+Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that you're using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
 >[!NOTE]
 >If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned.
 >[!IMPORTANT]
 >With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions. Once agreed, everything will work fine and that user won't be asked for permissions again.
 >
 > If something goes wrong, it is possible that users aren't enabled to give persmissions to access their data. This can be resolved through the AAD portal. For more information about this, please see [User consent requirement](waas-windows-insider-for-business-aad.md#user-consent-requirement).
 ## Not receiving Windows 10 Insider Preview build updates?
 In some cases, your PC may not update to the latest Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: