Joey Caparas
2016-12-01 14:22:41 -08:00
135 changed files with 3532 additions and 473 deletions

@ -12,12 +12,17 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## October 2016
## November 2016
| New or changed topic | Description |
| --- | --- |
|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md), [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md), and [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Added additional details about what happens when you turn off WIP. |
|[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) |Changed WIPModeID to EDPModeID, to match the CSP. |
## October 2016
| New or changed topic | Description |
| --- | --- |
|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Added Microsoft Remote Desktop information. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about where the optioanl icon overlay appears.|
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
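Review bot: the unchanged October 2016 row still carries the typo "optioanl icon overlay" (should be "optional"); since this table is being edited in the same change, fix it here rather than leaving it for a later commit.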

@ -21,7 +21,7 @@ author: Mir0sh
***Event Description:***
This event generates when [Kerberos policy](https://technet.microsoft.com/en-us/library/cc782061(v=ws.10).aspx) was changed.
This event generates when [Kerberos](https://msdn.microsoft.com/library/windows/desktop/aa378747.aspx) policy was changed.
This event is generated only on domain controllers.
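Review bot: the rewritten sentence moves the link from "Kerberos policy" (the cc782061 Kerberos Policy page) to "Kerberos" (the aa378747 protocol overview on MSDN), so the link no longer points at what the event is about. Keep a policy-specific target for "Kerberos policy", or link both terms; the protocol overview alone does not tell a reader which settings trigger this event.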


@ -20,7 +20,7 @@ localizationpriority: high
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, versions 1507, 1511, and 1607.
>
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
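Review bot: the new sentence says **Turn on PIN sign-in** controls the convenience PIN on "versions 1507, 1511, and 1607", but the unchanged paragraph directly below says that for 1607 the relevant setting is **Turn on convenience PIN sign-in**. Both cannot be right; either restrict the first sentence to 1507 and 1511 (as the old text did) or say that the setting was renamed in 1607 and name both.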
@ -275,7 +275,7 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Device or user</td>
<td>1</td>
<td>
<p>1: Uppercase letters are not allowed </p>
<p>1: Uppercase letters are not allowed. </p>
<p>2: At least one uppercase letter is required</p>
</td>
</tr>
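Review bot: adding the period to "1: Uppercase letters are not allowed." leaves the sibling line "2: At least one uppercase letter is required" without one; punctuate both value descriptions the same way so the enumeration reads consistently.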
@ -318,27 +318,27 @@ Youll need this software to set Windows Hello for Business policies in your e
<tbody>
<tr class="odd">
<td align="left">Key-based authentication</td>
<td align="left">Azure AD subscription</td>
<td align="left">[Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)</td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>[Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)</li>
<li>[Azure AD Connect](https://docs.microsoft.com/azure/active-directory/active-directory-aadconnect)</li>
<li>A few Windows Server 2016 domain controllers on-site</li>
<li>A management solution, such as Configuration Manager, Group Policy, or MDM</li>
<li>Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)</li>
<li>A management solution, such as [Configuration Manager](https://docs.microsoft.com/sccm/index), Group Policy, or MDM</li>
<li>[Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) without Network Device Enrollment Service (NDES)</li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Certificate-based authentication</td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>[Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)</li>
<li>Intune or non-Microsoft mobile device management (MDM) solution</li>
<li>PKI infrastructure</li>
<li>[PKI infrastructure](https://msdn.microsoft.com/library/windows/desktop/bb427432(v=vs.85).aspx)</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li>
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>AD CS with NDES</li>
<li>Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
<li>[Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)</li>
<li>[Azure AD Connect](https://docs.microsoft.com/azure/active-directory/active-directory-aadconnect)</li>
<li>[AD CS](https://technet.microsoft.com/windowsserver/dd448615.aspx) with NDES</li>
<li>[Configuration Manager](https://docs.microsoft.com/sccm/index) for domain-joined certificate enrollment, or [InTune](https://docs.microsoft.com/intune/deploy-use/control-microsoft-passport-settings-on-devices-with-microsoft-intune) for non-domain-joined devices, or a non-Microsoft MDM service that supports Hello for Business</li>
</ul></td>
</tr>
</tbody>
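Review bot: the new Configuration Manager cell spells the product "InTune" while the certificate-based row above uses "Intune"; use "Intune" throughout. Also, "A few Windows Server 2016 domain controllers on-site" is too vague for a requirements table: state the actual minimum (how many, and whether all DCs must be 2016) or drop the quantifier.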
@ -346,7 +346,9 @@ Youll need this software to set Windows Hello for Business policies in your e
 
Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business.
Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
[Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-passport) provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
[Learn more about enabling Windows Hello for Business in an Azure AD/AD hybrid environment.](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-passport-deployment)
## Windows Hello for BYOD
@ -374,4 +376,4 @@ The PIN is managed using the same Windows Hello for Business policies that you c
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 
 

@ -93,7 +93,7 @@ This section is an overview that describes different parts of the end-to-end sec
| Number | Part of the solution | Description |
| - | - | - |
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organizations tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.|
| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
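Review bot: changing "with TPM 2.0" to "with TPM" relaxes the requirement without saying what now qualifies; this topic states later that Windows 10 recognizes both the 1.2 and 2.0 specifications, so write "with TPM 1.2 or 2.0" (or whatever the supported minimum is) rather than leaving the reader to infer that 1.2 is now acceptable for health attestation.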
@ -123,9 +123,9 @@ Windows 10 supports features to help prevent sophisticated low-level malware li
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Microsoft Passport, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation.
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
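Review bot: with "TPM 2.0 is required for device health attestation" deleted, the remaining sentence "For the most recent and modern security features, Windows 10 supports only TPM 2.0" no longer names any feature, so it reads as contradicting the relaxation made elsewhere in this commit. Name the features that still require 2.0, or drop the sentence.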
@ -202,8 +202,6 @@ Windows 10 supports features to help prevent sophisticated low-level malware li
During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device.
Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware.
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets.
### <a href="" id="virtual"></a>Virtualization-based security
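Review bot: removing "Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware." deletes the topic's only statement of the firmware prerequisite along with the TPM version. If the intent is that TPM 1.2 devices can now attest, replace the sentence with the new minimum (TPM version, and whether UEFI is still required) instead of leaving the prerequisites unstated.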
@ -317,7 +315,7 @@ MDM solutions are becoming prevalent as a light-weight device management technol
### Device health attestation
Device health attestation leverages the TPM 2.0 to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device.
Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device.
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
@ -380,7 +378,7 @@ As of today, many organizations only consider devices to be compliant with compa
The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running.
As previously discussed, the health attestation feature of Windows 10 uses the TPM 2.0 hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware.
As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware.
By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data.
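Review bot: the rewritten sentence keeps the stray comma in "Because, health attestation leverages the hardware-based security capabilities of TPM"; drop it ("Because health attestation leverages ..."), and "capabilities of the TPM" matches "uses the TPM hardware component" earlier in the same paragraph.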
@ -404,7 +402,7 @@ This is the most secure approach available for Windows 10-based devices to dete
A relying party like an MDM can inspect the report generated by the remote health attestation service.
>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10.
>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10.
 
Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.
@ -418,7 +416,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R
![figure 6](images/hva-fig6-logs.png)
When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
![figure 7](images/hva-fig7-measurement.png)
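Review bot: dropping the version also dropped the article, turning "a device equipped with a TPM" into "a device equipped with TPM"; keep "with a TPM", since the point of the edit is to remove "2.0", not the article.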
@ -438,7 +436,7 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
 
The following process describes how health boot measurements are sent to the health attestation service:
1. The client (a Windows 10-based device with a TPM 2.0) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
3. The remote device heath attestation service then:
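Review bot: the unchanged step "The remote device heath attestation service then:" has "heath" for "health"; fix it while this list is being edited. In the changed step, "a Windows 10-based device with TPM" should read "with a TPM", as elsewhere in the topic.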
@ -492,14 +490,14 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
>**Note:**  Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
>**Note:**  Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
 
The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft
Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Microsoft Passport without TPM.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
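Review bot: the edited note still says the AIK certificate is provisioned "in conjunction with a third-party service like the Microsoft Cloud CA service", but the paragraph two lines down says Microsoft itself hosts Microsoft Cloud CA, so it is not third-party. Say "a certificate service such as Microsoft Cloud CA", or name the third-party option if one is actually meant.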

@ -21,10 +21,30 @@ You can use Remote Credential Guard in the following ways:
- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
Use the following diagrams to help understand how Remote Credential Guard works and what it helps protect against.
## Comparing Remote Credential Guard with a server protected with Credential Guard
Use the following diagrams to help understand how Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection.
![Remote Credential Guard](images/remote-credential-guard.png)
## Comparing Remote Credential Guard with other options for Remote Desktop connections
Use the following table to compare different security options for Remote Desktop connections.
> [!NOTE]
> This table compares different options than are shown in the previous diagram.
| Remote Desktop with Credential Delegation | Remote Credential Guard | Restricted Admin mode |
|---|---|---|
| Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. |
| Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.<br><br>For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
| NA | Helps prevent:<br><br>- **Pass the Hash**<br>- Usage of a **credential after disconnection** | Prevents:<br><br>- **Pass the Hash**<br>- Usage of **domain identity during connection** |
| Credentials supported from the remote desktop client device:<br><br>- **Signed on** credentials<br>- **Supplied** credentials<br>- **Saved** credentials | Credentials supported from the remote desktop client device:<br><br>- **Signed on** credentials only | Credentials supported from the remote desktop client device:<br><br>- **Signed on** credentials<br>- **Supplied** credentials<br>- **Saved** credentials |
| Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Administrators only**, that is, only members in administrators group of remote host. |
| Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as remote hosts identity**. |
| Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | No multi-hop: From the remote desktop, you **cannot connect through Remote Desktop to another computer**. |
| Supported authentication protocol: **Any negotiable protocol**. | Supported authentication protocol: **Kerberos only**. | Supported authentication protocol: **Any negotiable protocol**. |
## Hardware and software requirements
The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard:
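Review bot: the new lead-in states flatly that Remote Credential Guard "prevents Pass the Hash", while the table row below says it only "Helps prevent" it; use one strength in both places so the prose does not make a stronger claim than the comparison. Also, in the new note, "compares different options than are shown in the previous diagram" should be "different options from those shown in the previous diagram".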
@ -58,7 +78,11 @@ You can use Remote Credential Guard on the client device by setting a Group Poli
### Turn on Remote Credential Guard by using Group Policy
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
2. Double-click **Restrict delegation of credentials to remote servers**.
![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
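Review bot: the Restricted Admin link in this bullet points at a community TechNet wiki article, while the "Require Restricted Admin" bullet that follows sends readers to this topic's own comparison table for the same information; link the in-topic table (or an official docs page) here as well rather than an unofficial wiki.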
@ -66,10 +90,10 @@ You can use Remote Credential Guard on the client device by setting a Group Poli
- If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
- If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic.
4. Click **OK**.
![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
5. Close the Group Policy Management Console.
6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
@ -96,7 +120,7 @@ mstsc.exe /remoteGuard
- Remote Desktop Gateway is not compatible with Remote Credential Guard.
- You cannot used saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.
- You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.
- Both the client and the server must be joined to the same domain or the domains must have a trust relationship.

@ -36,11 +36,11 @@ Smart cards provide:
Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
Virtual smart cards   Virtual smart cards were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](https://technet.microsoft.com/en-us/library/dn593708(v=ws.11).aspx).
**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
## In this technical reference
This reference contains the following topics, which apply to versions of the Windows operating system that are designated in the **Applies To** list at the beginning of each topic.
This reference contains the following topics.
- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)

@ -63,7 +63,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a sinple semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
## Discrete, Integrated or Firmware TPM?

@ -45,7 +45,7 @@ The TPM has several Group Policy settings that can be used to manage how it is u
## <a href="" id="bkmk-new"></a>New and changed functionality
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/trusted-platform-module.md).
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/whats-new-windows-10-version-1507-and-1511.md#trusted-platform-module).
## <a href="" id="bkmk-dha"></a>Device health attestation

@ -16,7 +16,7 @@ This topic for IT professional provides an overview of the virtual smart card te
**Did you mean…**
- [Smart Cards](https://technet.microsoft.com/windows-server-docs/security/smart-cards/smart-card-overview)
- [Smart Cards](smart-card-windows-smart-card-technical-reference.md)
## Feature description

@ -21,11 +21,11 @@ The name resolution setting in the VPN profile configures how name resolution sh
## Name Resolution Policy table (NRPT)
The NRPT is a table of namespaces that determines the DNS clients havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
The NRPT is a table of namespaces that determines the DNS clients behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
There are 3 types of name matches that can set up for NRPT:
- Fully qualified domain name (FQDN) that can used for direct matching to a name
- Fully qualified domain name (FQDN) that can be used for direct matching to a name
- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
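Review bot: The unchanged line between the two corrections has the same kind of missing verb that this hunk fixes: `There are 3 types of name matches that can set up for NRPT:` should read `that can be set up for NRPT:`. Worth fixing in the same pass, as it is the sentence that introduces the list being corrected.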

View File

@ -23,7 +23,7 @@ In a split tunnel configuration, routes can be specified to go over VPN and all
Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
For each route item in the list the following can be specified:
For each route item in the list, the following can be specified:
- **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address
- **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix
@ -37,11 +37,11 @@ Routes can also be added at connect time through the server for UWP VPN apps.
In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified.
The only implication of this setting is the manipulation of routing entries. In the case of a force Tunnel VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower Metric than ones for other interfaces. This sends traffic through the VPN as long as there isnt a specific route on the Physical Interface itself.
The only implication of this setting is the manipulation of routing entries. In the case of a force tunnel, VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower metric than ones for other interfaces. This sends traffic through the VPN as long as there isnt a specific route on the physical interface itself.
For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in passes only 2 include routes (default route for both v4 and v6), the Windows VPN Platform marks the VPN as force tunnel.
For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in indicates the default route for IPv4 and IPv6 as the only two Inclusion routes, the VPN platform marks the connection as Force Tunneled.
## Configure routing
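Review bot: The rewritten force tunnel sentence keeps the stray period in `(for example. 0.0.0.0/0)`, which should be a comma, and it gives only the IPv4 default route as the example even though the sentence talks about both V4 and V6 default routes; `0.0.0.0/0 and ::/0` would make the example match the claim. The same line still says `VPN V4 and V6 default routes` while the new UWP plug-in line below it uses `IPv4 and IPv6`; use one form in both places.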

View File

@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv
#### Introduction
Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10:
- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users credentials.
- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello for Business, which better protects user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users credentials.
- [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security.
- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10.
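Review bot: The rename in this hunk stops at the first bullet: the unchanged Information protection bullet still calls the feature `Enterprise Data Protection`, which is the earlier name of Windows Information Protection (WIP); updating it here keeps the three bullets consistent with the Windows Hello for Business rename applied in the first bullet.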
@ -50,10 +50,10 @@ Table 1. Windows 10 solutions to typical access control challenges
<tr class="odd">
<td align="left"><p>Organizations frequently use passwords because the alternative methods are too complex and costly to deploy.</p>
<p>Organizations that choose password alternatives such as smart cards must purchase and manage smart card readers, smart cards, and management software. These solutions delay productivity when the MFA component is lost or damaged. Consequently, MFA solutions like smart cards tend to be used only for VPN and select assets.</p></td>
<td align="left"><p>Windows Hello on biometric-capable devices and Microsoft Passport enable simpler MFA.</p></td>
<td align="left"><p>Windows Hello for Business enables simpler MFA.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard. Windows Hello enables secure facial recognitionbased authentication.</p></td>
<td align="left"><p>Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard.</p></td>
<td align="left"><p>Windows Hello enables secure facial recognitionbased authentication.</p></td>
</tr>
<tr class="odd">
@ -62,7 +62,7 @@ Table 1. Windows 10 solutions to typical access control challenges
</tr>
<tr class="even">
<td align="left"><p>Users dislike typing their passwords.</p></td>
<td align="left"><p>Single sign-on (SSO) allows users to sign in once with their Microsoft Passport and get access to all corporate resources without the need to re-authenticate.</p>
<td align="left"><p>Single sign-on (SSO) allows users to sign in once with Windows Hello and get access to all corporate resources without the need to re-authenticate.</p>
<p>Windows Hello enables secure fingerprint- and facial recognitionbased authentication and can be used to revalidate user presence when sensitive resources are accessed.</p></td>
</tr>
<tr class="odd">
@ -74,36 +74,39 @@ Table 1. Windows 10 solutions to typical access control challenges
 
The sections that follow describe these challenges and solutions in more detail.
### Microsoft Passport
### Windows Hello
Microsoft Passport provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or Windows Hello. Microsoft Passport is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the users key material can be secured by using hardware.
Unlike smart cards, Microsoft Passport does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI for example, in secure email or VPN authentication you can use the existing infrastructure with Microsoft Passport. Microsoft Passport combines the major advantages of smart card technology deployment flexibility for virtual smart cards and robust security for physical smart cards without any of their drawbacks.
Windows Hello provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or biometric gesture. Windows Hello is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the users key material can be secured by using hardware.
Unlike smart cards, Windows Hello does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI for example, in secure email or VPN authentication you can use the existing infrastructure with Windows Hello. Windows Hello combines the major advantages of smart card technology deployment flexibility for virtual smart cards and robust security for physical smart cards without any of their drawbacks.
Microsoft Passport offers three significant advantages over the current state of Windows authentication: Its more flexible, its based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail.
>[!NOTE]
>When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Windows Hello offers three significant advantages over the current state of Windows authentication: Its more flexible, its based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail.
#### Its flexible
Microsoft Passport offers unprecedented flexibility. Although the format and use of passwords and smart cards is fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself.
Windows Hello offers unprecedented flexibility. Although the format and use of passwords and smart cards is fixed, Windows Hello gives both administrators and users options to manage authentication. First and foremost, Windows Hello works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself.
Microsoft Passport gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Microsoft Passport enables PIN- and biometrics-based authentication through Windows Hello to securely identify users.
MWindows Hello gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Windows Hello enables PIN- and biometrics-based authentication to securely identify users.
With Microsoft Passport, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Microsoft Passport builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport to your network. The choice of which users to enable for Microsoft Passport use is completely up to you you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems.
With Windows Hello for Business, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Windows Hello for Business builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Windows Hello for Business to your network. The choice of which users to enable for Windows Hello for Business use is completely up to you you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Windows Hello for Business to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Windows Hello for Business in scenarios that call for extra protection for sensitive resources or systems.
#### Its standardized
Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: The future lies with open, interoperable systems that allow secure authentication across a variety of devices, line of business (LOB) apps, and external applications and websites. To this end, a group of industry players formed FIDO, the Fast IDentity Online Alliance. The FIDO Alliance is a nonprofit organization intended to address the lack of interoperability among strong authentication devices, as well as the problems users face when they need to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.
In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Microsoft Passport technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike.
In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike.
#### Its effective
Microsoft Passport effectively mitigates two major security risks. First, it eliminates the use of passwords for logon and so reduces the risk that a nefarious attacker will steal and reuse the users credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Microsoft Passport uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
Windows Hello effectively mitigates two major security risks. First, it eliminates the use of passwords for sign-in and so reduces the risk that a nefarious attacker will steal and reuse the users credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Windows Hello uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks.
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks.
### Windows Hello
### Biometric sign-in
Windows Hello is the name given to the new biometric sign-in option for Microsoft Passport. Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the users unique biometric identifier and the device itself.
Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the users unique biometric identifier and the device itself.
The users biometric data that is used for Windows Hello is considered a local gesture and consequently doesnt roam among a users devices and is not centrally stored. The biometric image of the user the sensor takes is converted into an algorithmic form that cannot be converted back into the original image that the sensor took. Devices that have TPM 2.0 encrypt the biometric data in a form that makes it unreadable if the data is ever removed from the device. If multiple users share a device, each user will be able to enroll and use Windows Hello for his or her Windows profile.
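Review bot: Typo introduced by the search-and-replace in the flexibility paragraph: `MWindows Hello gives you options beyond long, complex passwords.` has a stray leading `M` left over from "Microsoft Passport". Two smaller points in the same hunk worth fixing while there: `asymmetrical key pairs` in the Its effective paragraph should be `asymmetric key pairs`, matching `asymmetric key pair` two paragraphs earlier, and `This sets the bar magnitudes of order higher` should be `orders of magnitude higher`.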
@ -269,7 +272,6 @@ For more information about how to configure Network Unlock, see [BitLocker: How
### Microsoft BitLocker Administration and Monitoring
>>>>>>> refs/remotes/origin/master
Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
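Review bot: Good to see the leftover merge marker `>>>>>>> refs/remotes/origin/master` removed, but a conflict leaves three markers, not one; check that the matching `<<<<<<<` and `=======` lines are not still elsewhere in this file, and that the text kept under the MBAM heading is the intended side of the conflict, since the marker sat directly beneath it.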
@ -451,7 +453,7 @@ Several Windows 10 security features require TPM:
* Health attestation (requires TPM 2.0 or later)
* InstantGo (requires TPM 2.0 or later)
Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Microsoft Passport.
Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Windows Hello for Business.
All of these features are covered in this document.
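Review bot: The new example conflicts with the Its effective paragraph changed earlier in this commit, which states `User key material is generated and available within the Trusted Platform Module (TPM) of the user device`, while this line says Windows Hello for Business does not require a TPM; qualify one of them, for example by saying the key material is TPM-protected when a TPM is present. Also, `features like BitLocker ... An example of this is Windows Hello for Business` gives two examples in two different ways; `such as BitLocker and Windows Hello for Business` reads more cleanly.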