diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 46527eb217..0e79244bb9 100644
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -75,7 +75,7 @@ The following tables describe additional hardware and firmware qualifications, a
### Additional security qualifications starting with Windows 10, version 1703
-| Protection for Improved Security | Description | Security benefits |
+| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable. • UEFI runtime service must meet these requirements: • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. • PE sections need to be page-aligned in memory (not required for in non-volitile storage). • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes: • This only applies to UEFI runtime service memory, and not UEFI boot service memory. • This protection is applied by VBS on OS page tables.
Please also note the following: • Do not use sections that are both writeable and exceutable • Do not attempt to directly modify executable system memory • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. • Blocks additional security attacks against SMM. |