This commit is contained in:
Paolo Matarazzo
2024-04-18 07:00:33 -04:00
parent 66d8dd6b54
commit 0651214d72
4 changed files with 59 additions and 16 deletions

View File

@ -15,6 +15,8 @@ With Windows 11, Microsoft has raised the hardware security bar to design the mo
## Hardware root-of-trust
:::image type="icon" source="images/go-to-section.svg" border="false"::: **Go to section:**
- [Trusted Platform Module (TPM)](#trusted-platform-module-tpm)
- [Microsoft Pluton security processor](#microsoft-pluton-security-processor)
@ -47,6 +49,8 @@ Pluton also solves the major security challenge of keeping its own security proc
In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats by protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
:::image type="icon" source="images/go-to-section.svg" border="false"::: **Go to section:**
- [Secured kernel](#secured-kernel)
- [Hardware-enforced stack protection](#hardware-enforced-stack-protection)
- [Kernel Direct Memory Access (DMA) protection](#kernel-direct-memory-access-dma-protection)
@ -62,7 +66,9 @@ implements virtual trust level 1 (VTL1), which has higher privilege than the vir
Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
@ -88,7 +94,9 @@ Application code includes a program processing stack that hackers seek to corrup
Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
### Secured-core PC
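Review bot: Minor grammar nit in the unchanged context paragraph of this hunk: "gives the attacker remote control over the PCs" should read "over the PC" (singular, matching "a PC owner" earlier in the same sentence). Worth fixing while this block is being touched.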
@ -115,7 +123,9 @@ System Management Mode (SMM) isolation is an execution mode in x86-based process
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
> [!div class="nextstepaction"]
> [Chapter 2: Operating System security >](operating-system-security.md)

View File

@ -0,0 +1,3 @@
<svg width="24" height="18" viewBox="0 0 24 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M20.6704 10.0795C21.1098 10.5189 21.1098 11.2311 20.6704 11.6704L14.6704 17.6704C14.2311 18.1098 13.5189 18.1098 13.0795 17.6704L7.0795 11.6704C6.64017 11.2311 6.64017 10.5189 7.0795 10.0795C7.51884 9.6402 8.23116 9.6402 8.67049 10.0795L12.75 14.1589V4.5C12.75 3.25735 11.7426 2.25 10.5 2.25H1.125C0.503685 2.25 0 1.74631 0 1.125C0 0.503685 0.503685 0 1.125 0H10.5C12.9853 0 15 2.01472 15 4.5V14.1589L19.0795 10.0795C19.5189 9.6402 20.2311 9.6402 20.6704 10.0795Z" fill="#0883D9"/>
</svg>


View File

@ -47,7 +47,9 @@ In Windows 11, hardware and software work together to protect sensitive data fro
:::image type="content" source="images\chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containng a list of security features." lightbox="images\chip-to-cloud.png" border="false":::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Windows security features licensing and edition requirements](https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows security features licensing and edition requirements](https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition)
> [!div class="nextstepaction"]
> [Chapter 1: Hardware security >](hardware-security.md)
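Review bot: The new "Learn more" bullet keeps the absolute, locale-pinned URL `https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition`, while every other converted link in this commit uses a site-relative path (for example `/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt`). Dropping the host and the `en-us` segment keeps localized builds from linking back to the English page. Also, the alt-text on the `:::image type="content"` line two lines above has a typo: "containng" should be "containing".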

View File

@ -13,6 +13,8 @@ Windows 11 is the most secure Windows yet with extensive security measures in th
## System security
:::image type="icon" source="images/go-to-section.svg" border="false"::: **Go to section:**
- [Trusted Boot (Secure Boot + Measured Boot)](#trusted-boot-secure-boot--measured-boot)
- [Cryptography](#cryptography)
- [Certificates](#certificates)
@ -37,7 +39,9 @@ Tampering or malware attacks on the Windows boot sequence are blocked by the sig
For more information about these features and how they help prevent rootkits and bootkits from loading during the startup process, see [Secure the Windows boot process](../operating-system-security/system-security/secure-the-windows-10-boot-process.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
### Cryptography
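Review bot: The unchanged sentence "For more information about these features ... see [Secure the Windows boot process](...)" now sits directly above a "Learn more" block whose only bullet is "Secure Boot and Trusted Boot", so the two link-outs overlap; consider folding the first link into the new bullet list so there is one place to look. That sentence is also missing its terminating period.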
@ -117,7 +121,9 @@ Learn more:
With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device in Kiosk Mode is a straightforward process. You can do this locally on the device or remotely using modern device management.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
### Config Refresh
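Review bot: The hunk header context (`@@ ... Learn more:`) shows a bare, plain-text `Learn more:` line still present shortly before this hunk, and the header of the next hunk shows another one, so after this commit the file mixes the new icon + bullet style with the old plain-text style. Convert the remaining plain `Learn more:` blocks in the same pass, or state in the commit message why they are out of scope.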
@ -140,6 +146,8 @@ Learn more:
## Encryption and data protection
:::image type="icon" source="images/go-to-section.svg" border="false"::: **Go to section:**
- [BitLocker](#bitlocker)
- [BitLocker To Go](#bitlocker-to-go)
- [Device Encryption](#device-encryption)
@ -153,19 +161,25 @@ When people travel with their PCs, their confidential information travels with t
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure<sup>9</sup> can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune<sup>6</sup> using a configuration service provider (CSP).<sup>9</sup> BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
### BitLocker To Go
BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
### Device Encryption
Device Encryption is consumer-level device encryption that cannot be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it is possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
### Encrypted hard drive
@ -181,7 +195,9 @@ Encrypted hard drives enable:
to re-encrypt data on the drive
- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
### Personal data encryption
@ -191,7 +207,9 @@ With the first release of PDE (Windows 11 22H2), the PDE API was available, whic
PDE requires Microsoft Entra ID.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
### Email encryption
@ -201,7 +219,9 @@ These encrypted messages can be sent by a user to people within their organizati
However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates are not available, the app will prompt you to remove these recipients before sending the email.
### Network security
## Network security
:::image type="icon" source="images/go-to-section.svg" border="false"::: **Go to section:**
Windows 11 raises the bar for network security, offering comprehensive protection to help people work with confidence from almost anywhere. To help reduce an organization's attack
surface, network protection in Windows prevents people from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content.
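Review bot: The added "Go to section:" line under the new "## Network security" heading is not followed by a bullet list of subsection links, unlike the other "Go to section" blocks in this commit (System security, Encryption and data protection); the hunk counts (+2 lines, one of which is the heading change) confirm no list was added. Either add links to the `###` subsections that follow in this file (Transport layer security (TLS), Virtual private networks (VPN), Server Message Block file services, and any others between them) or drop the line. The `###` to `##` promotion itself looks right, since the sibling sections "System security" and "Encryption and data protection" are `##`.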
@ -211,7 +231,9 @@ New DNS and TLS protocol versions strengthen the end-to-end protections needed f
In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [How to protect your network](/security/defender-endpoint/network-protection)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How to protect your network](/security/defender-endpoint/network-protection)
### Transport layer security (TLS)
@ -318,7 +340,9 @@ templates in the Endpoint Security node in Microsoft Intune<sup>9</sup>, leverag
support from the Firewall configuration service provider (CSP) and applying these settings to
Windows endpoints.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
### Virtual private networks (VPN)
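Review bot: Footnote numbering for Microsoft Intune is inconsistent across the hunks in this file: the BitLocker paragraph has `Microsoft Intune<sup>6</sup>`, while the context line at the top of this hunk has `Microsoft Intune<sup>9</sup>`. Both are unchanged lines, but the same product should carry the same footnote number; check which one the footnote table uses and align the other.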
@ -350,7 +374,9 @@ VPN platform. The integration into the Windows VPN platform leads to a simpler I
experience. User authentication is more consistent, and users can easily find and control
their VPN.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** Windows VPN technical guide
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- Windows VPN technical guide
### Server Message Block file services
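Review bot: The new bullet "- Windows VPN technical guide" is plain text with no link target, whereas every other converted "Learn more" bullet in this commit is a Markdown link. The original inline line was unlinked too, so this is pre-existing, but the bullet format makes the missing link more visible; add the link to the Windows VPN technical guide page.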
Server Message Block (SMB) and file services are the most common Windows workloads in
@ -392,7 +418,9 @@ that Microsoft superseded by later versions of SMB starting with Windows Vista.
began uninstalling SMB 1.0 by default in certain Windows 10 editions in 2017. No versions of
Windows 11 now install SMB 1.0 by default.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** File sharing using the SMB 3 protocol
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- File sharing using the SMB 3 protocol
## Virus and threat protection
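Review bot: The new bullet "- File sharing using the SMB 3 protocol" is plain text with no link target, unlike the other converted "Learn more" entries in this commit, which are all Markdown links. Add the link to the SMB 3 file sharing page so the entry matches the rest.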