From 907db156baedc473bc5116cb2dbd27d9531cd6b9 Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Fri, 20 May 2016 15:22:54 -0700
Subject: [PATCH 01/17] first draft for review

---
 windows/keep-secure/TOC.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 56f8c27db1..ab0867bbe6 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -25,6 +25,9 @@
 ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
 #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
 #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
+## [Use security baselines in your organization](security-baselines.md)
+### [Windows 10 security baselines](windows-10-security-baselines.md)
+### [Windows Server security baselines](windows-server-security-baselines.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [VPN profile options](vpn-profile-options.md)
 ## [Security technologies](security-technologies.md)
@@ -406,7 +409,6 @@
 #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
 #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
-<!--##### [Service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
 ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
 ##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 ##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)

From 617ef4a2975bfb78216229b51f11b7b1fe0696cf Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Fri, 20 May 2016 15:23:08 -0700
Subject: [PATCH 02/17] first draft for review

---
 windows/keep-secure/security-baselines.md     | 70 +++++++++++++++++++
 .../windows-10-security-baselines.md          | 37 ++++++++++
 .../windows-server-security-baselines.md      | 56 +++++++++++++++
 3 files changed, 163 insertions(+)
 create mode 100644 windows/keep-secure/security-baselines.md
 create mode 100644 windows/keep-secure/windows-10-security-baselines.md
 create mode 100644 windows/keep-secure/windows-server-security-baselines.md

diff --git a/windows/keep-secure/security-baselines.md b/windows/keep-secure/security-baselines.md
new file mode 100644
index 0000000000..e8d268ffdb
--- /dev/null
+++ b/windows/keep-secure/security-baselines.md
@@ -0,0 +1,70 @@
+---
+title: Use security baselines in your organization (Windows 10)
+description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Use security baselines in your organization
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+-   Windows Server 2012 R2
+
+Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Office. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server is designed to be secure out-of-the-box, a large number of organizations still want a higher level of security. Therefore, organizations need guidance on how to best use the security features.
+
+Microsoft security baselines give organizations the security guidance they need to protect their devices and apps.  
+ 
+<!-- ## How do you manage apps and devices?
+
+Before you can apply a security baseline, you should determine how apps and devices are managed within your organization. Knowing this helps you identify the role security baselines play in your organization. 
+
+Windows 10 is more manageable than previous versions of Windows in the following ways:
+
+- Provides more management granularity, which allows you to have finer control over the Windows user experience and security.
+- Allows you to use a wide variety of management solutions, such as Mobile Device Management (MDM) services, provisioning packages, Exchange ActiveSync, System Center Configuration Manager, Windows Management Instrumentation (WMI), and Group Policy. 
+
+![Windows management architecture](images/windows-management-architecture.png)
+
+*Figure 1 Windows 10 management architecture*
+
+Historically, Microsoft customers have used Group Policy, System Center Configuration Manager, and WMI to manage their devices. Some government customers relied on the Security Content Automation Protocol (SCAP) for management. However, newer management solutions can address modern requirements.
+-->
+
+## What are security baselines?
+
+Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft product groups, partners, and 
+customers.  
+
+## Why are security baselines needed?
+
+The expert knowledge that Microsoft, partners, and other customers bring together in a security baseline is an essential benefit to customers.
+
+For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 3,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be. 
+
+In modern organizations, the security threat landscape is constantly evolving and you must keep current with security threats and changes to Windows security settings to help mitigate these threats. 
+
+To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups and DCM packs.
+ 
+ ## How can you use security baselines?
+ 
+ You can use security baselines to:
+ 
+ - Ensure that user and device configuration settings are compliant with the baseline. 
+ - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
+ 
+ 
+ ## Where can I get the security baselines?
+ 
+ Here's a list of security baselines that are currently available:
+ 
+ -  [Windows 10, version 1511 security baseline](windows-10-version-1511-security-baseline.md)
+ -  [Windows 10, version 1507 security baseline](windows-10-version-1507-security-baseline.md)
+ -  [Windows Server 2012 R2 security baseline](windows-server-2012-r2-security-baseline.md)
+
diff --git a/windows/keep-secure/windows-10-security-baselines.md b/windows/keep-secure/windows-10-security-baselines.md
new file mode 100644
index 0000000000..b98d77b385
--- /dev/null
+++ b/windows/keep-secure/windows-10-security-baselines.md
@@ -0,0 +1,37 @@
+---
+title: Windows 10 security baselines (Windows 10)
+description: Use this topic to learn about updates to the Windows 10 security baselines and where to download it from.
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Windows 10 security baselines
+
+**Applies to**
+-   Windows 10
+
+Use the sections in this topic to learn and what has changed in the Windows 10 security baselines as well as a link to download them.
+
+## Windows 10, Version 1511 security baseline
+
+The Windows 10, Version 1507 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799381).
+
+Here's a list of updates that were made to this version:
+
+-   Added the **Turn off Microsoft consumer experiences** setting.
+
+## Windows 10, Version 1507 security baseline
+
+The Windows 10, Version 1507 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799380).
+
+Here's a list of updates that were made to this version:
+
+-   Removed configuration of **Allow unicast response** from the domain, private, and public Windows Firewall profiles. If you do not allow unicast responses, DHCP address acquisition will not work.
+-   Removed the restrictions on the number of cached logons.
+-   Removed the screen saver timeout from the user configuration because **Interactive logon: Machine inactivity limit** is configured at the device level.
+-   Removed Enhanced Mitigation Experience Toolkit settings.
+-   Removed the **Recovery console: Allow automatic administrative logon** setting.
+
diff --git a/windows/keep-secure/windows-server-security-baselines.md b/windows/keep-secure/windows-server-security-baselines.md
new file mode 100644
index 0000000000..ae6b5e01c8
--- /dev/null
+++ b/windows/keep-secure/windows-server-security-baselines.md
@@ -0,0 +1,56 @@
+---
+title: Windows Server security baselines (Windows 10)
+description: Use this topic to learn about updates to the Windows Server security baselines and where to download them.
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Windows Server security baselines
+
+**Applies to**
+-   Windows Server 2012 R2
+
+Use the sections in this topic to learn and what has changed in the Windows Server security baselines as well as a link to download them.
+
+## Windows Server 2012 R2 security baseline
+
+The Windows Server 2012 R2 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799382).
+
+> **Note:**  For Windows Server 2012 R2, we do not recommend applying this baseline to servers that are running the following server roles:
+- Hyper-V
+- Active Directory Certificate Services
+- DHCP
+- DNS
+- File Services
+- Network Policy and Access
+- Print Server 
+- Remote Access Services
+- Remote Desktop Services
+- Web Server  
+
+Here's a list of updates that were made to this version:
+
+-   Added the **Prevent enabling lock screen camera** setting.
+-   Added the **Prevent enabling lock screen slide show** setting.
+-   Added the **Include command line in process creation events** setting.
+-   Added the **Do not display network selection UI** setting.
+-   Added the **Allow Microsoft accounts to be optional** setting.
+-   Added the **Sign-in last interactive user automatically after a system-initiated restart** setting.
+-   Added the **Deny access to this computer from the network** setting.
+-   Added the **Deny log on through Remote Desktop Services** setting.
+-   Added the **Lsass.exe audit mode** (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe!AuditLevel) setting.
+-   Added the **Enable LSA Protection** (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL) setting.
+-   Added the **Turn off toast notifications on the lock screen** setting.
+
+Additionally, you can change the following settings to help mitigate Pass-the-hash attacks:
+
+-   Configure the **Apply UAC restrictions to local accounts on network logons** setting to 0.
+-   Add **Local account** to the **Deny access to this computer from the network** security policy setting.
+-   Add **Local account** to the **Deny log on through Remote Desktop Services** security policy setting.
+-   Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a batch job** security policy setting on all devices except for domain controllers and privileged access workstations.
+-   Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a service** security policy setting on all devices except for domain controllers and privileged access workstations.
+-   Add **Enterprise Admins** and **Domain Admins** to the **Deny log on locally** security policy setting on all devices except for domain controllers and privileged access workstations.
+-   Disable the **WDigest Authentication** setting.

From ca1ec0275279a2597f1673eb07e5ea3679f925fc Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Fri, 20 May 2016 15:43:26 -0700
Subject: [PATCH 03/17] fixing links

---
 windows/keep-secure/security-baselines.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/windows/keep-secure/security-baselines.md b/windows/keep-secure/security-baselines.md
index e8d268ffdb..9f01af2bbb 100644
--- a/windows/keep-secure/security-baselines.md
+++ b/windows/keep-secure/security-baselines.md
@@ -64,7 +64,6 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
  
  Here's a list of security baselines that are currently available:
  
- -  [Windows 10, version 1511 security baseline](windows-10-version-1511-security-baseline.md)
- -  [Windows 10, version 1507 security baseline](windows-10-version-1507-security-baseline.md)
- -  [Windows Server 2012 R2 security baseline](windows-server-2012-r2-security-baseline.md)
+ -  [Windows 10 security baselines](windows-10-security-baselines.md)
+ -  [Windows Server security baselines](windows-server=security-baselines.md)
 

From 7972a612a2018171a7c547b14bf159ca0173c2d7 Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Fri, 20 May 2016 15:52:08 -0700
Subject: [PATCH 04/17] typo

---
 windows/keep-secure/security-baselines.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/keep-secure/security-baselines.md b/windows/keep-secure/security-baselines.md
index 9f01af2bbb..2bb96282e9 100644
--- a/windows/keep-secure/security-baselines.md
+++ b/windows/keep-secure/security-baselines.md
@@ -65,5 +65,5 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
  Here's a list of security baselines that are currently available:
  
  -  [Windows 10 security baselines](windows-10-security-baselines.md)
- -  [Windows Server security baselines](windows-server=security-baselines.md)
+ -  [Windows Server security baselines](windows-server-security-baselines.md)
 

From 8060c79a00f2410e50eaed0db79f81c2b2d3369d Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Fri, 20 May 2016 16:05:44 -0700
Subject: [PATCH 05/17] tweaks

---
 .../keep-secure/windows-10-security-baselines.md |  3 +++
 .../windows-server-security-baselines.md         | 16 +++++-----------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/windows/keep-secure/windows-10-security-baselines.md b/windows/keep-secure/windows-10-security-baselines.md
index b98d77b385..ac48c7dec7 100644
--- a/windows/keep-secure/windows-10-security-baselines.md
+++ b/windows/keep-secure/windows-10-security-baselines.md
@@ -35,3 +35,6 @@ Here's a list of updates that were made to this version:
 -   Removed Enhanced Mitigation Experience Toolkit settings.
 -   Removed the **Recovery console: Allow automatic administrative logon** setting.
 
+## Related topics
+
+- [Use security baselines in your organization](security-baselines.md)
diff --git a/windows/keep-secure/windows-server-security-baselines.md b/windows/keep-secure/windows-server-security-baselines.md
index ae6b5e01c8..32552f4ace 100644
--- a/windows/keep-secure/windows-server-security-baselines.md
+++ b/windows/keep-secure/windows-server-security-baselines.md
@@ -19,17 +19,7 @@ Use the sections in this topic to learn and what has changed in the Windows Serv
 
 The Windows Server 2012 R2 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799382).
 
-> **Note:**  For Windows Server 2012 R2, we do not recommend applying this baseline to servers that are running the following server roles:
-- Hyper-V
-- Active Directory Certificate Services
-- DHCP
-- DNS
-- File Services
-- Network Policy and Access
-- Print Server 
-- Remote Access Services
-- Remote Desktop Services
-- Web Server  
+> **Note:**  For Windows Server 2012 R2, we do not recommend applying this baseline to servers that are running the following server roles, such as Hyper-V, Active Directory Certificate Services, DHCP, DNS, File Services, Network Policy and Access, Print Server, Remote Access Services, Remote Desktop Services, and Web Server.  
 
 Here's a list of updates that were made to this version:
 
@@ -54,3 +44,7 @@ Additionally, you can change the following settings to help mitigate Pass-the-ha
 -   Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a service** security policy setting on all devices except for domain controllers and privileged access workstations.
 -   Add **Enterprise Admins** and **Domain Admins** to the **Deny log on locally** security policy setting on all devices except for domain controllers and privileged access workstations.
 -   Disable the **WDigest Authentication** setting.
+
+## Related topics
+
+- [Use security baselines in your organization](security-baselines.md)
\ No newline at end of file

From 23758bb53f172c9a2c73c776e89ab85cc5f564fd Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Wed, 1 Jun 2016 09:36:13 -0700
Subject: [PATCH 06/17] tech review feedback

---
 windows/keep-secure/security-baselines.md | 28 +++++------------------
 1 file changed, 6 insertions(+), 22 deletions(-)

diff --git a/windows/keep-secure/security-baselines.md b/windows/keep-secure/security-baselines.md
index 2bb96282e9..2b72f77eab 100644
--- a/windows/keep-secure/security-baselines.md
+++ b/windows/keep-secure/security-baselines.md
@@ -15,42 +15,26 @@ author: brianlic-msft
 -   Windows Server 2016 Technical Preview
 -   Windows Server 2012 R2
 
-Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Office. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server is designed to be secure out-of-the-box, a large number of organizations still want a higher level of security. Therefore, organizations need guidance on how to best use the security features.
+Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number fo controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
 
-Microsoft security baselines give organizations the security guidance they need to protect their devices and apps.  
- 
-<!-- ## How do you manage apps and devices?
-
-Before you can apply a security baseline, you should determine how apps and devices are managed within your organization. Knowing this helps you identify the role security baselines play in your organization. 
-
-Windows 10 is more manageable than previous versions of Windows in the following ways:
-
-- Provides more management granularity, which allows you to have finer control over the Windows user experience and security.
-- Allows you to use a wide variety of management solutions, such as Mobile Device Management (MDM) services, provisioning packages, Exchange ActiveSync, System Center Configuration Manager, Windows Management Instrumentation (WMI), and Group Policy. 
-
-![Windows management architecture](images/windows-management-architecture.png)
-
-*Figure 1 Windows 10 management architecture*
-
-Historically, Microsoft customers have used Group Policy, System Center Configuration Manager, and WMI to manage their devices. Some government customers relied on the Security Content Automation Protocol (SCAP) for management. However, newer management solutions can address modern requirements.
--->
+We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Mirosoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.  
 
 ## What are security baselines?
 
 Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
 
-A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft product groups, partners, and 
+A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and 
 customers.  
 
 ## Why are security baselines needed?
 
-The expert knowledge that Microsoft, partners, and other customers bring together in a security baseline is an essential benefit to customers.
+Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
 
 For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 3,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be. 
 
-In modern organizations, the security threat landscape is constantly evolving and you must keep current with security threats and changes to Windows security settings to help mitigate these threats. 
+In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats. 
 
-To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups and DCM packs.
+To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
  
  ## How can you use security baselines?
  

From 9ca14e4949ba66d01206fd857f891c22179afff4 Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Wed, 1 Jun 2016 10:24:52 -0700
Subject: [PATCH 07/17] tech review feedback

---
 windows/keep-secure/security-baselines.md | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/windows/keep-secure/security-baselines.md b/windows/keep-secure/security-baselines.md
index 2b72f77eab..5158753d53 100644
--- a/windows/keep-secure/security-baselines.md
+++ b/windows/keep-secure/security-baselines.md
@@ -1,5 +1,5 @@
 ---
-title: Use security baselines in your organization (Windows 10)
+title: Windows Security Baselines (Windows 10)
 description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
 ms.prod: W10
 ms.mktglfcycl: deploy
@@ -8,12 +8,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Use security baselines in your organization
-
-**Applies to**
--   Windows 10
--   Windows Server 2016 Technical Preview
--   Windows Server 2012 R2
+# Windows Security Baselines
 
 Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number fo controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
 

From a647e798b3344c0a16ac74e060308f41890f86a3 Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Wed, 1 Jun 2016 10:40:51 -0700
Subject: [PATCH 08/17] changing TOC title for security baseline

---
 windows/keep-secure/TOC.md                | 2 +-
 windows/keep-secure/security-baselines.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index ab0867bbe6..ddd82153a3 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -25,7 +25,7 @@
 ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
 #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
 #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
-## [Use security baselines in your organization](security-baselines.md)
+## [Windows security baselines](security-baselines.md)
 ### [Windows 10 security baselines](windows-10-security-baselines.md)
 ### [Windows Server security baselines](windows-server-security-baselines.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
diff --git a/windows/keep-secure/security-baselines.md b/windows/keep-secure/security-baselines.md
index 5158753d53..e6799bf6dc 100644
--- a/windows/keep-secure/security-baselines.md
+++ b/windows/keep-secure/security-baselines.md
@@ -1,5 +1,5 @@
 ---
-title: Windows Security Baselines (Windows 10)
+title: Windows security baselines (Windows 10)
 description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
 ms.prod: W10
 ms.mktglfcycl: deploy
@@ -8,7 +8,7 @@ ms.pagetype: security
 author: brianlic-msft
 ---
 
-# Windows Security Baselines
+# Windows security baselines
 
 Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number fo controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
 

From e8071be32f800518eb890b6f3bdba2f3642f01f2 Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Wed, 1 Jun 2016 10:47:20 -0700
Subject: [PATCH 09/17] added change history entry

---
 .../change-history-for-keep-windows-10-secure.md            | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 53fc6a0ef7..3c88804390 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -12,6 +12,12 @@ author: brianlic-msft
 # Change history for Keep Windows 10 secure
 This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
+## June 2016
+
+|New or changed topic | Description |
+|----------------------|-------------|
+| [Windows security baselines](security-baselines.md) | New |
+
 ## May 2016
 
 |New or changed topic | Description |

From 1baf961721afd02a8a3e57a844baaa7d5eb4badf Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Thu, 2 Jun 2016 16:19:58 -0700
Subject: [PATCH 10/17] updating TOC

---
 windows/keep-secure/TOC.md                |  4 +-
 windows/keep-secure/security-baselines.md | 48 -----------------------
 2 files changed, 1 insertion(+), 51 deletions(-)
 delete mode 100644 windows/keep-secure/security-baselines.md

diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index ddd82153a3..f62765ff7f 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -25,9 +25,7 @@
 ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
 #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
 #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
-## [Windows security baselines](security-baselines.md)
-### [Windows 10 security baselines](windows-10-security-baselines.md)
-### [Windows Server security baselines](windows-server-security-baselines.md)
+## [Windows security baselines](windows-security-baselines.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [VPN profile options](vpn-profile-options.md)
 ## [Security technologies](security-technologies.md)
diff --git a/windows/keep-secure/security-baselines.md b/windows/keep-secure/security-baselines.md
deleted file mode 100644
index e6799bf6dc..0000000000
--- a/windows/keep-secure/security-baselines.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Windows security baselines (Windows 10)
-description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
-ms.prod: W10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
----
-
-# Windows security baselines
-
-Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number fo controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
-
-We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Mirosoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.  
-
-## What are security baselines?
-
-Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
-
-A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and 
-customers.  
-
-## Why are security baselines needed?
-
-Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
-
-For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 3,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be. 
-
-In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats. 
-
-To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
- 
- ## How can you use security baselines?
- 
- You can use security baselines to:
- 
- - Ensure that user and device configuration settings are compliant with the baseline. 
- - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
- 
- 
- ## Where can I get the security baselines?
- 
- Here's a list of security baselines that are currently available:
- 
- -  [Windows 10 security baselines](windows-10-security-baselines.md)
- -  [Windows Server security baselines](windows-server-security-baselines.md)
-

From 98d7e73292556b684596f440b884393955f346d2 Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Thu, 2 Jun 2016 16:20:07 -0700
Subject: [PATCH 11/17] updating TOC

---
 .../keep-secure/windows-security-baselines.md | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 windows/keep-secure/windows-security-baselines.md

diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md
new file mode 100644
index 0000000000..475e2050b8
--- /dev/null
+++ b/windows/keep-secure/windows-security-baselines.md
@@ -0,0 +1,53 @@
+---
+title: Windows security baselines (Windows 10)
+description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Windows security baselines
+
+Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number fo controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
+
+We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Mirosoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.  
+
+## What are security baselines?
+
+Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and 
+customers.  
+
+## Why are security baselines needed?
+
+Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
+
+For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 3,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be. 
+
+In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats. 
+
+To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
+ 
+ ## How can you use security baselines?
+ 
+ You can use security baselines to:
+ 
+ - Ensure that user and device configuration settings are compliant with the baseline. 
+ - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
+ 
+ 
+ ## Where can I get the security baselines?
+ 
+ Here's a list of security baselines that are currently available.
+ 
+ ### Windows 10 security baselines
+ 
+ -  [Windows 10, Version 1511 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799381)
+ -  [Windows 10, Version 1507 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799380)
+ 
+ ### Windows Server security baselines
+ 
+ -  [Windows Server 2012 R2 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799382)

From 29939e2a0f5c8a514163141151a3672f4fee1481 Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Thu, 2 Jun 2016 16:31:35 -0700
Subject: [PATCH 12/17] added baselines link to index

---
 windows/keep-secure/index.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
index b605acb372..c400267003 100644
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@@ -27,6 +27,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
 | [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
 | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
 | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
 | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
 | [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
  

From 19ea65a3bbfa1ec9e42750dd9da0c85e54ef424e Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Thu, 2 Jun 2016 16:41:56 -0700
Subject: [PATCH 13/17] fixing heading

---
 windows/keep-secure/windows-security-baselines.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md
index 475e2050b8..9f38fe080b 100644
--- a/windows/keep-secure/windows-security-baselines.md
+++ b/windows/keep-secure/windows-security-baselines.md
@@ -43,11 +43,11 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
  
  Here's a list of security baselines that are currently available.
  
- ### Windows 10 security baselines
+### Windows 10 security baselines
  
  -  [Windows 10, Version 1511 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799381)
  -  [Windows 10, Version 1507 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799380)
  
- ### Windows Server security baselines
+### Windows Server security baselines
  
  -  [Windows Server 2012 R2 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799382)

From 50c04276882b065559919db1cd0d92a2df36566d Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Thu, 2 Jun 2016 16:44:29 -0700
Subject: [PATCH 14/17] moving baselines topic in TOC

---
 windows/keep-secure/TOC.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index c8cc7cf7b3..88c8cc1e70 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -25,9 +25,9 @@
 ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
 #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
 #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
-## [Windows security baselines](windows-security-baselines.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [VPN profile options](vpn-profile-options.md)
+## [Windows security baselines](windows-security-baselines.md)
 ## [Security technologies](security-technologies.md)
 ### [AppLocker](applocker-overview.md)
 #### [Administer AppLocker](administer-applocker.md)

From b93bdff8139244c6dc7232e3abba38011b5f5c39 Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Fri, 10 Jun 2016 11:03:32 -0700
Subject: [PATCH 15/17] tech review feedback

---
 .../windows-10-security-baselines.md          | 40 ---------------
 .../keep-secure/windows-security-baselines.md |  5 +-
 .../windows-server-security-baselines.md      | 50 -------------------
 3 files changed, 4 insertions(+), 91 deletions(-)
 delete mode 100644 windows/keep-secure/windows-10-security-baselines.md
 delete mode 100644 windows/keep-secure/windows-server-security-baselines.md

diff --git a/windows/keep-secure/windows-10-security-baselines.md b/windows/keep-secure/windows-10-security-baselines.md
deleted file mode 100644
index ac48c7dec7..0000000000
--- a/windows/keep-secure/windows-10-security-baselines.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Windows 10 security baselines (Windows 10)
-description: Use this topic to learn about updates to the Windows 10 security baselines and where to download it from.
-ms.prod: W10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
----
-
-# Windows 10 security baselines
-
-**Applies to**
--   Windows 10
-
-Use the sections in this topic to learn and what has changed in the Windows 10 security baselines as well as a link to download them.
-
-## Windows 10, Version 1511 security baseline
-
-The Windows 10, Version 1507 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799381).
-
-Here's a list of updates that were made to this version:
-
--   Added the **Turn off Microsoft consumer experiences** setting.
-
-## Windows 10, Version 1507 security baseline
-
-The Windows 10, Version 1507 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799380).
-
-Here's a list of updates that were made to this version:
-
--   Removed configuration of **Allow unicast response** from the domain, private, and public Windows Firewall profiles. If you do not allow unicast responses, DHCP address acquisition will not work.
--   Removed the restrictions on the number of cached logons.
--   Removed the screen saver timeout from the user configuration because **Interactive logon: Machine inactivity limit** is configured at the device level.
--   Removed Enhanced Mitigation Experience Toolkit settings.
--   Removed the **Recovery console: Allow automatic administrative logon** setting.
-
-## Related topics
-
-- [Use security baselines in your organization](security-baselines.md)
diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md
index 9f38fe080b..7e5a5f4b9e 100644
--- a/windows/keep-secure/windows-security-baselines.md
+++ b/windows/keep-secure/windows-security-baselines.md
@@ -10,7 +10,7 @@ author: brianlic-msft
 
 # Windows security baselines
 
-Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number fo controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
+Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
 
 We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Mirosoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.  
 
@@ -42,6 +42,8 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
  ## Where can I get the security baselines?
  
  Here's a list of security baselines that are currently available.
+
+ If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the Microsoft Security Guidance blog.
  
 ### Windows 10 security baselines
  
@@ -51,3 +53,4 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
 ### Windows Server security baselines
  
  -  [Windows Server 2012 R2 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799382)
+
diff --git a/windows/keep-secure/windows-server-security-baselines.md b/windows/keep-secure/windows-server-security-baselines.md
deleted file mode 100644
index 32552f4ace..0000000000
--- a/windows/keep-secure/windows-server-security-baselines.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Windows Server security baselines (Windows 10)
-description: Use this topic to learn about updates to the Windows Server security baselines and where to download them.
-ms.prod: W10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
----
-
-# Windows Server security baselines
-
-**Applies to**
--   Windows Server 2012 R2
-
-Use the sections in this topic to learn and what has changed in the Windows Server security baselines as well as a link to download them.
-
-## Windows Server 2012 R2 security baseline
-
-The Windows Server 2012 R2 security baseline is available on the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=799382).
-
-> **Note:**  For Windows Server 2012 R2, we do not recommend applying this baseline to servers that are running the following server roles, such as Hyper-V, Active Directory Certificate Services, DHCP, DNS, File Services, Network Policy and Access, Print Server, Remote Access Services, Remote Desktop Services, and Web Server.  
-
-Here's a list of updates that were made to this version:
-
--   Added the **Prevent enabling lock screen camera** setting.
--   Added the **Prevent enabling lock screen slide show** setting.
--   Added the **Include command line in process creation events** setting.
--   Added the **Do not display network selection UI** setting.
--   Added the **Allow Microsoft accounts to be optional** setting.
--   Added the **Sign-in last interactive user automatically after a system-initiated restart** setting.
--   Added the **Deny access to this computer from the network** setting.
--   Added the **Deny log on through Remote Desktop Services** setting.
--   Added the **Lsass.exe audit mode** (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe!AuditLevel) setting.
--   Added the **Enable LSA Protection** (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL) setting.
--   Added the **Turn off toast notifications on the lock screen** setting.
-
-Additionally, you can change the following settings to help mitigate Pass-the-hash attacks:
-
--   Configure the **Apply UAC restrictions to local accounts on network logons** setting to 0.
--   Add **Local account** to the **Deny access to this computer from the network** security policy setting.
--   Add **Local account** to the **Deny log on through Remote Desktop Services** security policy setting.
--   Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a batch job** security policy setting on all devices except for domain controllers and privileged access workstations.
--   Add **Enterprise Admins** and **Domain Admins** to the **Deny log on as a service** security policy setting on all devices except for domain controllers and privileged access workstations.
--   Add **Enterprise Admins** and **Domain Admins** to the **Deny log on locally** security policy setting on all devices except for domain controllers and privileged access workstations.
--   Disable the **WDigest Authentication** setting.
-
-## Related topics
-
-- [Use security baselines in your organization](security-baselines.md)
\ No newline at end of file

From 532dc89591a21bdbe52433b978752e8bd84d40e3 Mon Sep 17 00:00:00 2001
From: Jan Backstrom <v-jaback@microsoft.com>
Date: Thu, 23 Jun 2016 14:27:20 -0700
Subject: [PATCH 16/17] fix figure titles

---
 .../manage-surface-dock-firmware-updates.md   |  2 +-
 .../surface/manage-surface-uefi-settings.md   | 32 +++++++++----------
 .../surface/microsoft-surface-data-eraser.md  | 20 ++++++------
 ...-by-step-surface-deployment-accelerator.md | 10 +++---
 devices/surface/surface-dock-updater.md       | 32 +++++++++----------
 5 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
index 9428200756..f11c5fefe8 100644
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ b/devices/surface/manage-surface-dock-firmware-updates.md
@@ -43,7 +43,7 @@ The Surface Dock firmware update process shown in Figure 1 follows these steps:
 
 8.  When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply.
 
-![figure 1](images/manage-surface-dock-fig1-updateprocess.png)
+![Surface Dock firmware update process](images/manage-surface-dock-fig1-updateprocess.png "Surface Dock firmware update process")
 
 *1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater*
 
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 44428903c1..e36486bfa4 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -39,9 +39,9 @@ You will also find detailed information about the firmware of your Surface devic
 
 - Touch Firmware 
 
-*Figure 1. System information and firmware version information*
+![System information and firmware version information](images/manage-surface-uefi-figure-1.png "System information and firmware version information")
 
-![figure 1](images/manage-surface-uefi-figure-1.png)
+*Figure 1. System information and firmware version information*
 
 You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/en-us/support/install-update-activate/surface-update-history) for your device. 
 
@@ -59,21 +59,21 @@ On the **Security** page of Surface UEFI settings, you can set a password to pro
 
 The password must be at least 6 characters and is case sensitive. 
 
-*Figure 2. Add a password to protect Surface UEFI settings*
+![Add a password to protect Surface UEFI settings](images/manage-surface-uefi-fig2.png "Add a password to protect Surface UEFI settings")
 
-![figure 2](images/manage-surface-uefi-fig2.png)
+*Figure 2. Add a password to protect Surface UEFI settings*
 
 On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
 
-*Figure 3. Configure Secure Boot* 
+![Configure Secure Boot](images/manage-surface-uefi-fig3.png "Configure Secure Boot")
 
-![figure 3](images/manage-surface-uefi-fig3.png)
+*Figure 3. Configure Secure Boot*
 
 You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. 
 
-*Figure 4. Configure Surface UEFI security settings*
+![Configure Surface UEFI security settings](images/manage-surface-uefi-fig4.png "Configure Surface UEFI security settings")
 
-![figure 4](images/manage-surface-uefi-fig4.png)
+*Figure 4. Configure Surface UEFI security settings*
 
 ##Devices 
 
@@ -95,9 +95,9 @@ On the **Devices** page you can enable or disable specific devices and component
 
 Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. 
 
-*Figure 5. Enable and disable specific devices*
+![Enable and disable specific devices](images/manage-surface-uefi-fig5.png "Enable and disable specific devices")
 
-![figure 5](images/manage-surface-uefi-fig5.png)
+*Figure 5. Enable and disable specific devices*
 
 ##Boot configuration 
 
@@ -115,9 +115,9 @@ You can boot from a specific device immediately, or you can swipe left on that d
 
 For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6. 
 
-*Figure 6. Configure the boot order for your Surface device* 
+![Configure the boot order for your Surface device](images/manage-surface-uefi-fig6.png "Configure the boot order for your Surface device")
 
-![figure 6](images/manage-surface-uefi-fig6.png)
+*Figure 6. Configure the boot order for your Surface device* 
 
 You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.  
 
@@ -125,14 +125,14 @@ You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE
 
 The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7. 
 
-*Figure 7. Regulatory information is displayed on the About page*
+![Regulatory information displayed on the About page](images/manage-surface-uefi-fig7.png "Regulatory information displayed on the About page")
 
-![figure 7](images/manage-surface-uefi-fig7.png)
+*Figure 7. Regulatory information displayed on the About page*
 
 ##Exit 
 
 Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. 
 
-*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
+![Exit Surface UEFI and restart the device](images/manage-surface-uefi-fig8.png "Exit Surface UEFI and restart the device")
 
-![figure 8](images/manage-surface-uefi-fig8.png)
+*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 6f76da2a15..1fde46555c 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -65,24 +65,24 @@ After the creation tool is installed, follow these steps to create a Microsoft S
 
 3.  Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1.
 
-    ![figure 1](images/dataeraser-start-tool.png)
+    ![Start the Microsoft Surface Data Eraser tool](images/dataeraser-start-tool.png "Start the Microsoft Surface Data Eraser tool")
 
-    Figure 1. Start the Microsoft Surface Data Eraser tool
+    *Figure 1. Start the Microsoft Surface Data Eraser tool*
 
 4.  Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
   >**Note:**&nbsp;&nbsp;If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
   
-    ![figure 2](images/dataeraser-usb-selection.png)
+    ![USB thumb drive selection](images/dataeraser-usb-selection.png "USB thumb drive selection")
 
-    Figure 2. USB thumb drive selection
+    *Figure 2. USB thumb drive selection*
 
 5.  After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**.
 
 6.  When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3.
 
-    ![figure 3](images/dataeraser-complete-process.png)
+    ![Surface Data Eraser USB creation process](images/dataeraser-complete-process.png "Surface Data Eraser USB creation process")
 
-    Figure 3. Complete the Microsoft Surface Data Eraser USB creation process
+    *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process*
 
 7.  Click **X** to close Microsoft Surface Data Eraser.
 
@@ -105,9 +105,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
 
 3.  When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed.
 
-    ![](images/data-eraser-3.png)
+    ![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick")
 
-    Figure 4. Booting the Microsoft Surface Data Eraser USB stick
+    *Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
 
 4.  Read the software license terms, and then close the notepad file.
 
@@ -123,9 +123,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
 
 7.  If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device.
 
-    ![](images/sda-fig5-erase.png)
+    ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed")
 
-    Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser
+    *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
 
 8.  If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
 
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index d6eb5d208f..016c7ddfbd 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -60,7 +60,7 @@ The following steps show you how to create a deployment share for Windows 10 th
   >**Note:**&nbsp;&nbsp;As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
     * Deployment tools
     * User State Migration Tool (USMT)
-    * Windows Preinstallation Environment (WinPE)</br>
+    * Windows Preinstallation Environment (WinPE)</br></br>
 
   >**Note:**&nbsp;&nbsp;As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
 
@@ -116,7 +116,7 @@ The following steps show you how to create a deployment share for Windows 10 th
 
     ![The installatin progress window](images/sdasteps-fig5-installwindow.png "The installatin progress window")
 
-    *Figure 5. The **Installation Progress** window*
+    *Figure 5. The Installation Progress window*
 
 8.  When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
 
@@ -250,7 +250,7 @@ After you have prepared the USB drive for boot, the next step is to generate off
 
     ![Select the Update Media Content option](images/sdasteps-fig12-updatemedia.png "Select the Update Media Content option")
     
-    *Figure 12. Select the **Update Media Content** option*
+    *Figure 12. Select the Update Media Content option*
 
 22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.**
 
@@ -358,7 +358,7 @@ To run the Deploy Microsoft Surface task sequence:
 
     ![Select the task sequence](images/sdasteps-fig15-deploy.png "Select the task sequence")
 
-    *Figure 15. Select the **1 – Deploy Microsoft Surface** task sequence*
+    *Figure 15. Select the 1 – Deploy Microsoft Surface task sequence*
 
 2.  On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**.
 
@@ -378,7 +378,7 @@ To run the Deploy Microsoft Surface task sequence:
 
     ![Installation progress window](images/sdasteps-fig17-installprogresswindow.png "Installation progress window")
 
-    *Figure 17. The **Installation Progress** window*
+    *Figure 17. The Installation Progress window*
 
 8.  When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device.
 
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index ea56c4cc95..4020a499aa 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -34,15 +34,15 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
 
     -   If the tool determines that the firmware of your Surface Dock is up to date, a **You have the latest firmware for this Surface Dock** message is displayed, as shown in Figure 1.
 
-        ![figure 1](images/surfacedockupdater-fig1-uptodate-568pix.png)
+        ![Screen that shows your Surface Dock firmware is up to date](images/surfacedockupdater-fig1-uptodate-568pix.png "Screen that shows your Surface Dock firmware is up to date")
 
-        Figure 1. Your Surface Dock firmware is up to date.
+        *Figure 1. Your Surface Dock firmware is up to date*
 
     -   If Microsoft Surface Dock Updater determines that the firmware of your Surface Dock is not up to date, a **This Surface Dock is not running the latest firmware** message is displayed, as shown in Figure 2.
 
-        ![figure 2](images/surfacedockupdater-fig2a-needsupdating.png)
+        ![Screen that shows your Surface Dock firmware needs to be updated](images/surfacedockupdater-fig2a-needsupdating.png "Screen that shows your Surface Dock firmware needs to be updated")
 
-        Figure 2. Your Surface Dock firmware needs to be updated
+        *Figure 2. Your Surface Dock firmware needs to be updated*
 
 3.  To begin the firmware update process, click **Update** on the **Surface Dock Firmware** page.
 
@@ -50,27 +50,27 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
 
 5.  As the firmware update is uploaded to the Surface Dock, a **Progress** page is displayed, as shown in Figure 3. Do not disconnect the Surface Dock while firmware is being uploaded.
 
-    ![figure 3](images/surfacedockupdater-fig3-progress.png)
+    ![Progress of firmware update upload](images/surfacedockupdater-fig3-progress.png "Progress of firmware update upload")
 
-    Figure 3. Progress of firmware update upload to Surface Dock
+    *Figure 3. Progress of firmware update upload to Surface Dock*
 
 6.  After the firmware update has successfully uploaded to the Surface Dock, you are prompted to disconnect and then reconnect the Surface Dock from the Surface device, as shown in Figure 4. The main chipset firmware update will be applied while the Surface Dock is disconnected.
 
-    ![figure 4](images/surfacedockupdater-fig4-disconnect.png)
+    ![Disconnect and reconnect Surface Dock when prompted](images/surfacedockupdater-fig4-disconnect.png "Disconnect and reconnect Surface Dock when prompted")
 
-    Figure 4. Disconnect and reconnect Surface Dock when prompted
+    *Figure 4. Disconnect and reconnect Surface Dock when prompted*
 
 7.  When the main chipset firmware update is verified, the DisplayPort chipset firmware update will be uploaded to the Surface Dock. Upon completion, a **Success** page is displayed and you will again be prompted to disconnect the Surface Dock, as shown in Figure 5.
 
-    ![figure 5](images/surfacedockupdater-fig5-success.png)
+    ![Screen showing successful upload](images/surfacedockupdater-fig5-success.png "Screen showing successful upload")
 
-    Figure 5. Successful upload of Surface Dock firmware
+    *Figure 5. Successful upload of Surface Dock firmware*
 
 8.  After you disconnect the Surface Dock the DisplayPort firmware update will be installed. This process occurs on the Surface Dock hardware while it is disconnected. The Surface Dock must remain powered for up to 3 minutes after it has been disconnected for the firmware update to successfully install. An **Update in Progress** page is displayed (as shown in Figure 6), with a countdown timer to show the estimated time remaining to complete the firmware update installation.
 
-    ![figure 6](images/surfacedockupdater-fig6-countdown.png)
+    ![Countdown timer to complete firmware installation](images/surfacedockupdater-fig6-countdown.png "Countdown timer to complete firmware installation")
 
-    Figure 6. Countdown timer to complete firmware installation on Surface Dock
+    *Figure 6. Countdown timer to complete firmware installation on Surface Dock*
 
 9.  If you want to update multiple Surface Docks in one sitting, you can click the **Update another Surface Dock** button to begin the process on the next Surface Dock.
 
@@ -83,9 +83,9 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
 
 If the Surface Dock firmware update process encounters an installation error with either firmware update, the **Encountered an unexpected error** page may be displayed, as shown in Figure 7.
 
-![figure 7](images/surfacedockupdater-fig7-error.png)
+![Firmware update installation error](images/surfacedockupdater-fig7-error.png "Firmware update installation error")
 
-Figure 7. Firmware update installation has encountered an error
+*Figure 7. Firmware update installation has encountered an error*
 
 Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in Figure 8. If you need to troubleshoot an update through this tool, you will find Surface Dock events recorded with the following event IDs:
 
@@ -97,9 +97,9 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in
 | 12105    | Error                                                    |
 
 
-Figure 8. Surface Dock Updater events in Event Viewer
+![Surface Dock Updater events in Event Viewer](images/surfacedockupdater-fig8-737test.png "Surface Dock Updater events in Event Viewer")
 
-![figure 8](images/surfacedockupdater-fig8-737test.png)
+*Figure 8. Surface Dock Updater events in Event Viewer*
 
 
 ## Related topics

From 9e96b4e84c981b9512f53dbda3b01f291e381f5e Mon Sep 17 00:00:00 2001
From: Brian Lich <brianlic@microsoft.com>
Date: Fri, 24 Jun 2016 09:14:06 -0700
Subject: [PATCH 17/17] adding link to secguide blog

---
 windows/keep-secure/windows-security-baselines.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md
index 7e5a5f4b9e..b6fb29abb1 100644
--- a/windows/keep-secure/windows-security-baselines.md
+++ b/windows/keep-secure/windows-security-baselines.md
@@ -43,7 +43,7 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
  
  Here's a list of security baselines that are currently available.
 
- If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the Microsoft Security Guidance blog.
+ > **Note:**  If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
  
 ### Windows 10 security baselines