diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 326c71ca59..6f2f8963c2 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -53,6 +53,8 @@ To use federated sign-in, the devices must have Internet access. This feature wo > - provisioning packages (PPKG) > - Windows Autopilot self-deploying mode +[!INCLUDE [federated-sign-in](../../includes/licensing/security/federated-sign-in.md)] + ### System requirements Federated sign-in is supported on the following Windows SKUs and versions: diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 005fb6c685..f4c5e4f7a1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -65,6 +65,8 @@ Imagine that someone is looking over your shoulder as you get money from an ATM Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. +[!INCLUDE [windows-hello-for-business](../../../../includes/licensing/security/windows-hello-for-business.md)] + ## How Windows Hello for Business works: key points - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. diff --git a/windows/security/introduction/chip-to-cloud.svg b/windows/security/introduction/chip-to-cloud.svg new file mode 100644 index 0000000000..62f4230955 --- /dev/null 
+++ b/windows/security/introduction/chip-to-cloud.svg @@ -0,0 +1,3 @@ + + +
Hardware
(Chip)
Hardware...
Hardware Root-of-Trust

TPM 2.0
Microsoft Puton Security Processor

Hardware Root-of-Trust...
Silicon Assisted Security

Secure Kernel (HVCI enabled by default)
Hardware Enforced Stack Protection
Secured-Core PCs
Firmware Protection
Silicon Assisted Security...
Operating
System
Operating...
Encryption and Data Protection

BitLocker
Encrypted Hard Drive
Personal Data Encryption
Email Encryption

Encryption and Data Protection...
System Security
System Security
Trusted Boot
Cryptography
Certificates
Trusted Boot...
Code Signing
Code Integrity
Device Health Attestation
Code Signing...
Windows Security Policy Setting and Auditing
Windows Security App
Windows Security Policy Setting and Audit...
Network Security

Transport Layer Security (TLS)
DNS Security
Bluetooth protection
Secured Wi-Fi
Windows Defender Firewall
VPN
SMB File Services

Network Security...
Virus an Threat Protection

Microsoft Defender Antivirus
Local Security Authority
Attack Surface Reduction
Tamper Protection
Vulnerable Driver Blocklist
Controlled Folder Access
Exploit Protection
Enhanced Phishing Protection
Microsoft Defender for Endpoint

Virus an Threat Protection...
Text is not SVG - cannot display
\ No newline at end of file diff --git a/windows/security/introduction/index.md b/windows/security/introduction/index.md new file mode 100644 index 0000000000..b955feffb8 --- /dev/null +++ b/windows/security/introduction/index.md 
@@ -0,0 +1,57 @@ +--- +title: Introduction to Windows security +description: System security book. +ms.date: 04/10/2023 +ms.topic: tutorial +appliesto: + - ✅ Windows 11 +--- + +# Introduction to Windows security + +The acceleration of digital transformation and the expansion of both remote and hybrid workplaces brings new opportunities to organizations, communities, and individuals. Our work styles have transformed. And now more than ever, employees need simple, intuitive user experiences to collaborate and stay productive, wherever work happens. But the expansion of access and ability to work anywhere has also introduced new threats and risks. According to data from the Microsoft commissioned Security Signals report, 75% of security decision-makers at the vice-president level and above feel the move to hybrid work leaves their organization more vulnerable to security threats. And [Microsoft's 2022 Work Trend Index](https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/) shows "cybersecurity issues and risks" are top concerns for business decisions makers, who worry about issues like malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices. + +:::image type="content" source="chip-to-cloud.svg" lightbox="chip-to-cloud.svg" alt-text="chip to cloud diagram"::: + +## How Windows 11 enables zero-trust protection + +A zero-trust security model gives the right people the right access at the right time. Zero-trust security is based on three principles: + +1. Reduce risk by explicitly verifying data points such as user identity, location, and device health for every access request, without exception +2. When verified, give people and devices access to only necessary resources for the necessary amount of time +3. Use continuous analytics to drive threat detection and improve defenses + +You should continue to strengthen your zero-trust posture as well. 
To improve threat detection and defenses, verify end-to-end encryption and use analytics to gain visibility. + +For Windows 11, the zero-trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides chip-to-cloud security, enabling IT administrators to implement strong authorization and authentication processes with tools such as our premier solution Windows Hello for Business. IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. In addition, Windows 11 works out-of-the-box with Microsoft Endpoint Manager and Azure Active Directory, so access decisions and enforcement are seamless. Plus, IT administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more. + +Individual users also benefit from powerful safeguards including new standards for hardware-based security and passwordless protection that help safeguard data and privacy. + +## Security, by default + +Nearly 90% of security decision makers surveyed say outdated hardware leaves organizations more open to attacks and using modern hardware would help protect against future threats. Building on the innovations of Windows 10, we've worked with our manufacturer and silicon partners to provide additional hardware security capabilities to meet the evolving threat landscape and enable hybrid work and learning. The new set of hardware security requirements that comes with Windows 11 supports new ways of working with a foundation that is even stronger and more resilient to attacks. + +## Enhanced hardware and operating system security + +With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering. 
+ +In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with virtualization-based security (VBS) and Secure Boot built-in and enabled by default to contain and limit malware exploits. [\[1\]](#note1) + +## Robust application security and privacy controls + +To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need. + +In Windows 11, [Microsoft Defender Application Guard](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-app-guard) [\[2\]](#note2) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone. + +## Secured identities + +Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as TPM 2.0, VBS, and/or Windows Defender Credential Guard, making it harder for attackers to steal credentials from a device. And with Windows Hello, users can quickly sign in with face, fingerprint, or PIN for passwordless protection. 
[\[3\]](#note3) + +## Connecting to cloud services + +Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows 11 devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Endpoint Manager, which works with Azure Active Directory and Microsoft Azure Attestation to control access to applications and data through the cloud. [\[4\]](#note4) + +[1] Hypervisor-protected coder integrity, which activates virtualization-based security, is enabled by default on clean installations only.\ +[2] Windows 10 Pro and above support Application Guard protection for Microsoft Edge. Microsoft Defender Application Guard for Office requires Windows 10 Enterprise, and Microsoft 365 E5 or Microsoft 365 E5 Security.\ +[3] Windows Hello supports multi-factor authentication including facial recognition, fingerprint, and PIN. Requires specialized hardware such as fingerprint reader, illuminated IT sensor or other biometric sensors and capable devices.\ +[4] Microsoft Endpoint Manager and Microsoft Azure Active Directory subscriptions sold separately.\ diff --git a/windows/security/introduction/security-features-edition-requirements.md b/windows/security/introduction/security-features-edition-requirements.md new file mode 100644 index 0000000000..8e934ddbdf --- /dev/null +++ b/windows/security/introduction/security-features-edition-requirements.md 
@@ -0,0 +1,19 @@ +--- +title: Windows edition requirements +description: Learn about Windows edition requirements for the feature included in Windows. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.collection: +- tier3 +ms.topic: conceptual +ms.date: 04/03/2023 +appliesto: +- ✅ Windows 11 +ms.technology: itpro-security +--- + +# Security features Windows edition requirements + +[!INCLUDE [_commercial](../../whats-new/licensing/includes/_edition-requirements.md)] \ No newline at end of file diff --git a/windows/security/introduction/security-features-licensing-requirements-edu.md b/windows/security/introduction/security-features-licensing-requirements-edu.md new file mode 100644 index 0000000000..c209c60a6d --- /dev/null +++ b/windows/security/introduction/security-features-licensing-requirements-edu.md @@ -0,0 +1,19 @@ +--- +title: Windows security licensing requirements for Education +description: Learn about Windows features and licensing requirements for the feature included in Windows (Education). +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.collection: +- tier3 +ms.topic: conceptual +ms.date: 03/12/2023 +appliesto: +- ✅ Windows 11 +ms.technology: itpro-security +--- + +# Windows security licensing requirements for Education + +[!INCLUDE [_licensing-requirements](../../whats-new/licensing/includes/_licensing-requirements-edu.md)] \ No newline at end of file diff --git a/windows/security/introduction/security-features-licensing-requirements.md b/windows/security/introduction/security-features-licensing-requirements.md new file mode 100644 index 0000000000..faad9c9fab --- /dev/null +++ b/windows/security/introduction/security-features-licensing-requirements.md 
@@ -0,0 +1,19 @@ +--- +title: Windows security licensing requirements +description: Learn about Windows features and licensing requirements for the feature included in Windows. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.collection: +- tier3 +ms.topic: conceptual +ms.date: 03/12/2023 +appliesto: +- ✅ Windows 11 +ms.technology: itpro-security +--- + +# Windows security licensing requirements + +[!INCLUDE [_licensing-requirements](../../whats-new/licensing/includes/_licensing-requirements.md)] \ No newline at end of file diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md new file mode 100644 index 0000000000..e14bbefe13 --- /dev/null +++ b/windows/whats-new/windows-licensing.md 
@@ -0,0 +1,157 @@ +--- +title: Windows 11 commercial licensing overview +description: Learn about licensing requirements to use the features included in the Windows operating system. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.collection: +- tier3 +ms.topic: conceptual +ms.date: 03/12/2023 +appliesto: +- ✅ Windows 11 +ms.technology: itpro-security +--- + +# Windows 11 commercial licensing overview + +Microsoft Commercial Licensing solutions provide the most flexible and cost-effective way to give your organization access to the latest Windows Desktop technologies. Whether you want to upgrade your devices to Windows 11, gain access to exclusive offerings such as Windows 11 Enterprise edition, or use Windows with greater flexibility, there's a Commercial Licensing option that's right for your organization. + +This document provides an overview of the products and use rights available through Commercial Licensing, information about the products that are eligible for upgrades, and the key choices you have for using Windows in your organization. + +> [!NOTE] +> This content is not meant to replace or override other licensing documentation, such as the Windows 11 End User License Agreement or Commercial Licensing Product Terms. + +## Windows 11 editions + +There's an edition of Windows software designed to meet the needs of every organization, from a small, growing business to a multinational enterprise. The following table lists the editions of Windows 11 available through each Microsoft distribution channel. + +| Full Packaged Product (Retail) | Preinstalled on device (OEM)|Commercial Licensing| +|-|-|-| +|Windows 11 Pro
Windows 11 Home|Windows 11 Pro
Windows 11 Home|Windows 11 Pro
Windows 11 Enterprise
Windows 11 Enterprise LTSC| + +## Windows desktop offerings available through Commercial Licensing + +The following offerings are available for purchase through Microsoft Commercial Licensing: + +|Product|Description| +|-|-| +|Windows 11 Pro Upgrade |Windows 11 Pro is designed for small and medium businesses and enables organizations to manage their devices and apps, protect their business data, facilitate remote and mobile scenarios, and take advantage of the cloud technologies for their organizations. Windows 11 Pro devices are a good choice for organizations that support *choose your own device (CYOD)* programs and *prosumer* customers. The Windows 11 Pro Upgrade in Commercial Licensing upgrades a device from a previous version of Windows Pro| +|Windows 11 Enterprise E3|Windows 11 Enterprise E3 is a per user subscription available in Commercial Licensing programs, and is intended for large and medium sized organizations. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights. Examples include advanced identity protection, the broadest range of options for operating system deployment, update control, and device management. Windows Enterprise E3 is licensed through Commercial Licensing programs and requires Windows Pro as qualifying operating systems. +|Windows 11 Enterprise E5|Windows 11 Enterprise E5 is for organizations that want to take advantage of everything in Windows 11 Enterprise E3 with the addition of **Microsoft Defender for Endpoint Plan 2**, a service that helps enterprises detect, investigate, and respond to advanced cybersecurity attacks on their endpoints and networks. Windows 11 Enterprise E5 is available per user in Commercial Licensing programs| +|Windows 10 Enterprise LTSC |Windows 10 Enterprise LTSC is designed for PC systems that have strict change-management policies with only security and critical bug fixes. 
By using a Long-Term Servicing Channel edition, you can apply monthly Windows 10 security updates for specialized devices while holding back new-feature updates for an extended period of time, up to 5 years. Windows Enterprise LTSC is available in the per user or per device model depending on the Volume Licensing program through witch it is acquired| +|Windows Virtual Desktop Access (VDA) Subscription License|The Windows VDA subscription license provides the right to access virtual Windows desktop environments from devices that aren't covered by a Commercial Licensing offer that includes VDA rights, such as thin clients. Windows VDA is available on a per device or per user basis| + +## Windows 11 Enterprise + +There are two core Windows 11 Enterprise offers: **Windows 11 Enterprise E3** and **Windows 11 Enterprise E5**. Each of these can be purchased on a **per-user basis**, and are available only through **Commercial Licensing**, including the **Cloud Solution Provider** program. For more details about Windows Enterprise, see [per device check out this section of this guide](*TO ADD*) + +### Windows 11 Enterprise E3 + +Windows 11 Enterprise E3 is a per-user subscription, intended for organizations. It includes **Windows Enterprise edition** with cloud-powered capabilities and subscription use rights. +Windows 11 Enterprise E3 builds on Windows 11 Pro by adding more advanced features designed to address the needs of large and mid-size organizations. Examples include advanced protection against modern security threats, the broadest range of options for operating system deployment and update, and comprehensive device and app management. Organizations with devices running Windows 11 Enterprise will can take advantage of the latest security and feature updates on an ongoing basis, while having the ability to choose the pace at which they adopt new technology. 
+ +Windows 11 Enterprise E3 is usually licensed through Volume Licensing programs and is an upgrade from Windows Pro. + +### Windows 11 Enterprise E3 OS features + +With Windows 11 Enterprise E3, you can take advantage of the following OS features: + +| OS feature | Description | +|-|-| +|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-requirements)**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks, enabled by default| +|**Managed Microsoft Defender Application Guard for Microsoft Edge**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your company while employees browse the Internet| +|**Personal Data Encryption**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials| +|**Direct Access & Always-On VPN device tunnel**|Connect remote users to the organization network without the need for traditional VPN connections with DirectAccess or benefit from advanced security capabilities to restrict the type of traffic and which applications can use the VPN connection with Always-On VPN (device tunnel)| +|**Application Management GPOs**|Prevents unverified apps from executing and endangering your safe zone| +|**Windows UI customization (CSP)**|Locks down the user experience of frontline workers devices or public kiosks| + +### Windows 11 Enterprise E3 cloud services + +With Windows 11 Enterprise E3, you can take advantage of the following cloud services: + +|Cloud-based service | Description | +|-|-| +|**Cloud-based BitLocker Management**|Allows you to eliminate on-premises tools to trigger, monitor and support recovery scenarios| +|**[Windows subscription activation](/windows/deployment/windows-10-subscription-activation)**|Enables you to *step-up* from **Windows Pro edition** to **Enterprise edition** in an instant. 
You can eliminate license key management or deployment of Enterprise edition images| +|**[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)**|Cloud service that puts Microsoft in control of automating updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams| +|**[Windows Update For Business deployment service](/windows/deployment/update/deployment-service-overview)**|This cloud service gives you the control over the approval, scheduling, and safeguarding of quality, feature upgrades, and driver updates delivered from Windows Update| +|**[Universal Print](/universal-print/)**|Removes the need for on-premises print servers and enables any endpoint to print to cloud registered printers| +|Microsoft Connected Cache|A software-only solution that caches app and OS updates on the local network to save internet bandwidth in locations with limited connectivity| +|**Endpoint analytics proactive remediation**|Helps you fix common support issues before end-users notice issues| +|**[Organizational messages](/mem/intune/remote-actions/organizational-messages-overview)**|Keeps employees informed with organizational messages directly inserted in Windows UI surfaces| +|**Windows release health**|Gives you essential information about monthly quality and feature updates in the Microsoft 365 admin center| +|**[Windows feature update device readiness report](/mem/intune/protect/windows-update-compatibility-reports)**|Provides per-device information about compatibility risks that are associated with an upgrade or update to a chosen version of Windows| +|**[Windows feature update compatibility risks reports](/mem/intune/protect/windows-update-compatibility-reports)**|Provides a summary view of the top compatibility risks, so you understand which compatibility risks impact the greatest number of devices in your organization| + +### Windows 11 Enterprise E3 licensing use rights + +With Windows 11 Enterprise E3, 
you can take advantage of the following licensing use rights: + +|Licensing use rights|Description| +|-|-| +|**Five Windows Instances per licensed user**|Allows your employees to simultaneously use a Windows laptop, a cloud PC and a specialized device with Windows LTSC, and more| +|**36 months (3 years) support on annual feature releases**|Get extra time to deploy feature releases| +|**[Azure Virtual Desktop, Windows 365 Enterprise and Virtual Desktop Access](/azure/virtual-desktop/prerequisites#operating-systems-and-licenses)**|Empower flexible workstyles and smarter work with the included best-in-class virtualization access rights| +|**Windows LTSC Enterprise**|Intended for highly specialized devices that require limited changes due to regulations and certification| +|**[Microsoft Desktop Optimization Pack (MDOP) ](/microsoft-desktop-optimization-pack)**|Help improve compatibility and management, reduce support costs, improve asset management, and improve policy control| + +Learn more about [Windows 11 Enterprise E3]() + +### Windows 11 Enterprise E5 + +Windows 11 Enterprise E5 is for organizations that want to take advantage of everything in Windows 11 Enterprise E3 with the addition of **Microsoft Defender for Endpoint Plan 2**, a cloud service that helps enterprises detect, investigate, and respond to advanced cybersecurity attacks on their endpoints and networks. Windows 11 Enterprise E5 is available per user in Commercial Licensing programs. + +Learn more about [Windows 11 Enterprise E5]() + +### Windows Enterprise E3 in Microsoft 365 F3 + +Windows Enterprise E3 in Microsoft 365 F3 is only sold as part of the full F3 suite, and has all the OS features, and most of the cloud services and use rights included with regular Windows Enterprise E3. 
+ +Windows Enterprise E3 in Microsoft 365 F3 doesn't include the following use rights that are included in the regular E3 user subscription license: + +- Microsoft Desktop Optimization Pack (MDOP) +- Windows LTSC Enterprise +- Windows Autopatch + +## Use a Windows Pro device with the Windows Enterprise user subscription license + +In most cases, the Windows Pro edition comes pre-installed on a business-class device. Microsoft recommends upgrading your Windows Pro devices to Enterprise edition when you have acquired a user subscription licenses for Windows. However, there are cases that require to keep devices on the Pro edition and not upgrade them to Enterprise edition. With Windows 11 Enterprise E3, you can take advantage of features, services and use rights not licensed to the Windows Pro license bound to the device. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights, and these capabilities are not always technically enforced. Some scenarios that may require to not upgrade to Windows Enterprise edition: + +- Devices not properly provisioned that don't automatically upgrade to Windows Enterprise edition +- Devices may have been acquired for a business process that was not under control of a central IT department or outside of the IT department's knowledge +- A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers + +In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios. 
+ +The following table lists the Windows 11 Enterprise E3 features, services and use rights and their applicability to Windows Pro and Enterprise editions: + +|Feature, service or use right|Windows Pro|Windows Enterprise| +|-|-|-| +|**Windows Defender Credential Guard**||Yes| +|**Managed Microsoft Defender Application Guard for Microsoft Edge**|Yes|Yes| +|**Cloud-based BitLocker Management**|Yes|Yes| +|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**||Yes| +|**Direct Access**|Yes|Yes| +|**[Always On VPN](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|Yes [\[1\]](#Note1)|Yes| +|**Application Management GPOs**||Yes| +|**Windows UI customization (CSP to manage)**||Yes| +|**Windows Subscription Activation**|Yes|Yes| +|**Windows Autopatch**|Yes|Yes| +|**[Windows Update For Business deployment service](/windows/deployment/update/deployment-service-overview)**|Yes|Yes| +|**[Universal Print](/universal-print/)**|Yes|Yes| +|**[Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache)**|Yes|Yes| +|**Endpoint analytics proactive remediation**|Yes|Yes| +|**[Organizational messages](/mem/intune/remote-actions/organizational-messages-overview)**||Yes| +|**Feature release support period**| 24 months | 36 months| +|**Windows feature update device readiness report** [\[2\]](#Note2)|Yes|Yes| +|**Windows feature update compatibility risk report** [\[2\]](#Note2)|Yes|Yes| +|**Microsoft Desktop Optimization Pack (MDOP)**|Yes|Yes| + +[1] Device Tunnel requires Enterprise edition. +[2] Intune license required. + +## Next steps + +To learn more about Windows 11 Enterprise E3 and E5, see [Windows 11 Enterprise E3 and E5](/windows/deployment/windows-11-enterprise-e3-e5). \ No newline at end of file
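Review bot: the two new `[!INCLUDE ...]` lines in federated-sign-in.md and hello-overview.md pull in `includes/licensing/security/federated-sign-in.md` and `includes/licensing/security/windows-hello-for-business.md`, but neither file is created anywhere in this diff, so unless both already exist at the repo root the build breaks on two published pages. Either add them in this PR or point the includes at the files that do exist. The relative depth is also worth a second look: `../../` from `education/windows/` and `../../../../` from `windows/security/identity-protection/hello-for-business/` both land at the repo root, whereas the three new `security-features-*.md` pages include from `../../whats-new/licensing/includes/`, so the licensing snippets introduced by this change end up split across two unrelated include folders.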
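Review bot: two label typos in the new chip-to-cloud.svg will be visible to every reader of the introduction page: `Microsoft Puton Security Processor` should be `Microsoft Pluton Security Processor`, and `Virus an Threat Protection` should be `Virus and Threat Protection`. Each label exists twice in the file, once in full and once in the truncated `...` copy that the exporter writes as a plain `<text>` fallback, and the fallback copy is what a renderer without foreignObject support (and a screen reader or search indexer) sees, so both copies need the fix. The `Text is not SVG - cannot display` string is that same fallback and is fine to ship, but the `alt-text="chip to cloud diagram"` on the index.md side should say what the layers are (hardware, operating system, and the security categories under each) rather than only name the picture.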
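Review bot: the footnote links in index.md, `[\[1\]](#note1)` through `[\[4\]](#note4)`, point at anchors that nothing in the file defines; the `[1] ...` lines at the bottom are ordinary paragraphs, so all four are dead in-page links. Either give each footnote line an explicit anchor target or drop the links and keep the bracketed markers as plain text. Wording fixes in the same hunk: `Hypervisor-protected coder integrity` should be `code integrity`; `illuminated IT sensor` should be `illuminated IR sensor`; the Application Guard link uses an absolute `https://docs.microsoft.com/windows-hardware/...` URL where every other link in this PR is root-relative; index.md says `Microsoft Endpoint Manager` twice while windows-licensing.md in the same PR says `Intune`; and the trailing `\` on the final `[4]` line has no following line to break onto. Metadata: `ms.topic: tutorial` and `description: System security book.` don't fit a conceptual landing page, and the file lacks the `author`, `ms.author`, `manager`, `ms.prod` and `ms.technology` fields every other new page in this PR carries. One technical nit: the body states that `new devices come with virtualization-based security (VBS) and Secure Boot built-in and enabled by default`, while footnote [1] narrows that to clean installations only; stating the clean-install caveat inline keeps the claim no broader than its footnote.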
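Review bot: the three new `security-features-*.md` pages each consist of a single include from `../../whats-new/licensing/includes/` (`_edition-requirements.md`, `_licensing-requirements-edu.md`, `_licensing-requirements.md`), and none of those include files is added by this diff, so confirm they exist or the pages will render as nothing but a heading. Two of the `description` fields read `licensing requirements for the feature included in Windows`, which should be `features`, and `ms.date` differs between the three (04/03/2023 vs 03/12/2023) for pages created in the same change.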
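Review bot: windows-licensing.md ships three broken links that have to be resolved before merge: `[per device check out this section of this guide](*TO ADD*)`, `Learn more about [Windows 11 Enterprise E3]()` and `Learn more about [Windows 11 Enterprise E5]()`; the first renders a literal `*TO ADD*` target and the other two render as links to nowhere. On accuracy in the OS features table, the Credential Guard row says `pass-the-hash attacks or pass the token attacks`; Credential Guard isolates NTLM hashes and Kerberos TGTs, so the second item should be `pass-the-ticket`, and the trailing `enabled by default` should say on which editions and versions that holds, because the later Pro-vs-Enterprise table in the same file correctly leaves Credential Guard blank for Windows Pro. The footnote lines `[1] Device Tunnel requires Enterprise edition.` and `[2] Intune license required.` have no trailing `\` or blank line between them, so Markdown merges them into one paragraph, and the `#Note1`/`#Note2` targets they are linked from are not defined anywhere in the file (index.md uses lowercase `#note1` for the same pattern; pick one form and define the anchors). Consistency: the editions table lists `Windows 11 Enterprise LTSC` under Commercial Licensing while the offerings table only describes `Windows 10 Enterprise LTSC`, and the page alternates between `Commercial Licensing` and `Volume Licensing` for the same programs. Typos to fix: `through witch it is acquired`, `will can take advantage`, `Your Windows Enterprise E3 subscriptions does not block`, `acquired a user subscription licenses`, `requires Windows Pro as qualifying operating systems`, and `there are cases that require to keep devices`.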