Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into v-jak-sec01

windows/keep-secure/bitlocker-overview.md

@@ -42,7 +42,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen
 
 ## <a href="" id="bkmk-new"></a>New and changed functionality
 
-To find out what's new in BitLocker for Windows 10, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."
+To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."
  
 ## System requirements
 

windows/keep-secure/change-the-tpm-owner-password.md

@@ -44,10 +44,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password
 
 ## Use the TPM cmdlets
 
-If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
-**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets**
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
 
 ## Related topics
 

windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md

@@ -27,7 +27,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi
 
 -   [Turn on or turn off the TPM](#turn-on-or-turn-off)
 
-This topic also provides information about [using the TPM cmdlets](#use-the-tpm-cmdlets).
+For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
 
 ## About TPM initialization and ownership
 
@@ -150,11 +150,7 @@ If you want to stop using the services that are provided by the TPM, you can use
 
 ## Use the TPM cmdlets
 
-If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
-
-`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
 
 ## Related topics
 

windows/keep-secure/manage-tpm-commands.md

@@ -77,11 +77,7 @@ The following procedures describe how to manage the TPM command lists. You must
 
 ## Use the TPM cmdlets
 
-If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
-
-`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
 
 ## Related topics
 

windows/keep-secure/manage-tpm-lockout.md

@@ -78,11 +78,7 @@ For information about mitigating dictionary attacks that use the lockout setting
 
 ## Use the TPM cmdlets
 
-If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
-
-**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets**
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
 
 ## Related topics
 

windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md

@@ -17,7 +17,22 @@ ms.sitesec: library
 -   Windows 10, version 1607
 -   Windows Server 2016
 
-Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.
+Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code.
+
+> [!IMPORTANT]
+> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization’s required apps.
+
+The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are:
+
+- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](windows-10-security-guide.md#data-execution-prevention).
+
+- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements.
+
+- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](windows-10-security-guide.md#address-space-layout-randomization).
+
+    To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`.
+
+The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
 
 **To modify Process Mitigation Options**
 

windows/keep-secure/tpm-fundamentals.md

@@ -67,11 +67,7 @@ The TPM can be used to protect certificates and RSA keys. The TPM key storage pr
 
 ## TPM Cmdlets
 
-If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command:
-
-`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
 
 ## Physical presence interface