diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 6e2cc5c911..998d8fad5e 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -170,19 +170,14 @@
 "redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/identity.md",
- "redirect_url": "/windows/security/identity-protection",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/security/identity-protection/hello-for-business/hello-overview.md",
- "redirect_url": "/windows/security/identity-protection/hello-for-business",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
- "redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
+ "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/hardware.md",
+ "redirect_url": "/windows/security/hardware-security",
 "redirect_document_id": false
 },
 {
@@ -365,6 +360,11 @@
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-overview.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md",
 "redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key",
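Review bot: The context line at the top of the `@@ -170` hunk still carries `"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings"`, a target that the `@@ -735` hunk of this same file now redirects on to the `hardware-security` tree, so that entry resolves through a two-hop redirect chain after this commit. Entries like this should point directly at the final location, e.g. `"redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings",`, and the same applies to any other entry in this file whose target still lies under `/windows/security/information-protection/tpm/` or `/windows/security/information-protection/pluton/`. Only the entries inside the visible hunks can be checked here; a search of the whole file for those two prefixes would confirm whether other chains remain.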
@@ -400,6 +400,11 @@
 "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/identity-protection/password-support-policy.md",
+ "redirect_url": "https://support.microsoft.com/help/4490115",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/identity-protection/user-account-control/how-user-account-control-works.md",
 "redirect_url": "/windows/security/application-security/application-control/user-account-control/how-it-works",
@@ -480,6 +485,16 @@
 "redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-security-features",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md",
+ "redirect_url": "/windows/security/identity-protection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity.md",
+ "redirect_url": "/windows/security/identity-protection",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md",
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker",
@@ -655,11 +670,6 @@
 "redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md",
- "redirect_url": "/windows/security/identity-protection",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
 "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
@@ -735,11 +745,81 @@
 "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/information-protection/pluton/microsoft-pluton-security-processor.md",
+ "redirect_url": "/windows/security/hardware-security/pluton/microsoft-pluton-security-processor",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/pluton/pluton-as-tpm.md",
+ "redirect_url": "/windows/security/hardware-security/pluton/pluton-as-tpm",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/information-protection/secure-the-windows-10-boot-process.md",
 "redirect_url": "/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/change-the-tpm-owner-password",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/how-windows-uses-the-tpm.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/how-windows-uses-the-tpm",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/manage-tpm-commands",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/manage-tpm-lockout",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/tpm-fundamentals.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/tpm-fundamentals",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/tpm-recommendations.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/tpm-recommendations",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/trusted-platform-module-overview.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/information-protection/tpm/trusted-platform-module-top-node.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md",
 "redirect_url": "/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure",
@@ -7224,18 +7304,6 @@
 "source_path": "windows/security/trusted-boot.md",
 "redirect_url": "/windows/security/operating-system-security/system-security/trusted-boot",
 "redirect_document_id": false
- },
- {
- "source_path": "windows/security/identity-protection/password-support-policy.md",
- "redirect_url": "https://support.microsoft.com/help/4490115",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/security/hardware.md",
- "redirect_url": "/windows/security/hardware-security",
- "redirect_document_id": false
 }
 ]
 }
-
-
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 2b3bcbfcc8..84fafe0fa1 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -134,10 +134,20 @@
 "✅ Windows Server 2019",
 "✅ Windows Server 2016"
 ],
- "hardware-security//**/*.md": [
+ "hardware-security/**/*.md": [
 "✅ Windows 11",
 "✅ Windows 10"
 ],
+ "hardware-security/pluton/**/*.md": [
+ "✅ Windows 11"
+ ],
+ "hardware-security/tpm/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
 "identity-protection/**/*.md": [
 "✅ Windows 11",
 "✅ Windows 10"
diff --git a/windows/security/information-protection/images/pluton/pluton-firmware-load.png b/windows/security/hardware-security/images/pluton/pluton-firmware-load.png
similarity index 100%
rename from windows/security/information-protection/images/pluton/pluton-firmware-load.png
rename to windows/security/hardware-security/images/pluton/pluton-firmware-load.png
diff --git a/windows/security/information-protection/images/pluton/pluton-security-architecture.png b/windows/security/hardware-security/images/pluton/pluton-security-architecture.png
similarity index 100%
rename from windows/security/information-protection/images/pluton/pluton-security-architecture.png
rename to windows/security/hardware-security/images/pluton/pluton-security-architecture.png
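Review bot: The new `"hardware-security/pluton/**/*.md"` entry in the docfx.json hunk lists only `"✅ Windows 11"`, while the per-page `appliesto` that this commit removes from the two Pluton articles further down read `✅ Windows 11, version 22H2`, so the minimum-version qualifier for Pluton support is dropped from the rendered metadata; if that qualifier is still accurate the entry should be `"✅ Windows 11, version 22H2"`. The same hunk assigns `"✅ Windows 10"` and three Server releases to every `hardware-security/tpm/**/*.md`, which widens the stated scope for pages whose removed front matter listed only Windows 11 and Windows Server 2016 and later (backup-tpm-recovery-information-to-ad-ds.md), so those per-page claims should be re-checked against the glob rather than assumed equivalent. Whether the narrower `pluton` and `tpm` globs win over the broader `"hardware-security/**/*.md"` entry depends on how docfx orders overlapping glob matches, which this hunk does not show; confirming it on one rendered TPM page would settle it.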
diff --git a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md similarity index 98% rename from windows/security/information-protection/pluton/microsoft-pluton-security-processor.md rename to windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index 99d114299e..b1f7221ccc 100644 --- a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md @@ -2,9 +2,7 @@ title: Microsoft Pluton security processor description: Learn more about Microsoft Pluton security processor ms.topic: conceptual -ms.date: 09/15/2022 -appliesto: - - ✅ Windows 11, version 22H2 +ms.date: 07/31/2023 --- # Microsoft Pluton security processor diff --git a/windows/security/information-protection/pluton/pluton-as-tpm.md b/windows/security/hardware-security/pluton/pluton-as-tpm.md similarity index 98% rename from windows/security/information-protection/pluton/pluton-as-tpm.md rename to windows/security/hardware-security/pluton/pluton-as-tpm.md index 8386eb0f40..152bac55bc 100644 --- a/windows/security/information-protection/pluton/pluton-as-tpm.md +++ b/windows/security/hardware-security/pluton/pluton-as-tpm.md @@ -2,9 +2,7 @@ title: Microsoft Pluton as Trusted Platform Module (TPM 2.0) description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0) ms.topic: conceptual -ms.date: 09/15/2022 -appliesto: - - ✅ Windows 11, version 22H2 +ms.date: 07/31/2023 --- # Microsoft Pluton as Trusted Platform Module diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml index d3bda5003f..001c8c7a8f 100644 --- a/windows/security/hardware-security/toc.yml +++ b/windows/security/hardware-security/toc.yml 
@@ -6,36 +6,36 @@ items:
 - name: Windows Defender System Guard
 href: how-hardware-based-root-of-trust-helps-protect-windows.md
 - name: Trusted Platform Module
- href: ../information-protection/tpm/trusted-platform-module-top-node.md
+ href: tpm/trusted-platform-module-top-node.md
 items:
 - name: Trusted Platform Module overview
- href: ../information-protection/tpm/trusted-platform-module-overview.md
+ href: tpm/trusted-platform-module-overview.md
 - name: TPM fundamentals
- href: ../information-protection/tpm/tpm-fundamentals.md
+ href: tpm/tpm-fundamentals.md
 - name: How Windows uses the TPM
- href: ../information-protection/tpm/how-windows-uses-the-tpm.md
+ href: tpm/how-windows-uses-the-tpm.md
 - name: Manage TPM commands
- href: ../information-protection/tpm/manage-tpm-commands.md
- - name: Manager TPM Lockout
- href: ../information-protection/tpm/manage-tpm-lockout.md
+ href: tpm/manage-tpm-commands.md
+ - name: Manage TPM Lockout
+ href: tpm/manage-tpm-lockout.md
 - name: Change the TPM password
- href: ../information-protection/tpm/change-the-tpm-owner-password.md
+ href: tpm/change-the-tpm-owner-password.md
 - name: TPM Group Policy settings
- href: ../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+ href: tpm/trusted-platform-module-services-group-policy-settings.md
 - name: Back up the TPM recovery information to AD DS
- href: ../information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+ href: tpm/backup-tpm-recovery-information-to-ad-ds.md
 - name: View status, clear, or troubleshoot the TPM
- href: ../information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+ href: tpm/initialize-and-configure-ownership-of-the-tpm.md
 - name: Understanding PCR banks on TPM 2.0 devices
- href: ../information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+ href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md
 - name: TPM recommendations
- href: ../information-protection/tpm/tpm-recommendations.md
+ href: tpm/tpm-recommendations.md
 - name: Microsoft Pluton security processor
 items:
 - name: Microsoft Pluton overview
- href: ../information-protection/pluton/microsoft-pluton-security-processor.md
+ href: pluton/microsoft-pluton-security-processor.md
 - name: Microsoft Pluton as TPM
- href: ../information-protection/pluton/pluton-as-tpm.md
+ href: pluton/pluton-as-tpm.md
 - name: Silicon assisted security
 items:
 - name: Virtualization-based security (VBS) 🔗
@@ -53,4 +53,4 @@ items:
 - name: Kernel Direct Memory Access (DMA) protection
 href: kernel-dma-protection-for-thunderbolt.md
 - name: System Guard Secure Launch
- href: system-guard-secure-launch-and-smm-protection.md
\ No newline at end of file
+ href: system-guard-secure-launch-and-smm-protection.md
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
similarity index 67%
rename from windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
rename to windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 4523515094..e2b7facad8 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -3,9 +3,6 @@ title: Back up TPM recovery information to Active Directory description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory. ms.topic: conceptual ms.date: 02/02/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows Server 2016 and later --- # Back up the TPM recovery information to AD DS
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md similarity index 83% rename from windows/security/information-protection/tpm/change-the-tpm-owner-password.md rename to windows/security/hardware-security/tpm/change-the-tpm-owner-password.md index 1907cb3280..05ed6c63a9 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md @@ -1,14 +1,8 @@ --- -title: Change the TPM owner password +title: Change the TPM owner password description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. ms.topic: conceptual ms.date: 04/26/2023 -appliesto: - - ✅ Windows 11 - - ✅ Windows 10 - - ✅ Windows Server 2022 - - ✅ Windows Server 2019 - - ✅ Windows Server 2016 --- # Change the TPM owner password diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md similarity index 94% rename from windows/security/information-protection/tpm/how-windows-uses-the-tpm.md rename to windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md index 5677cef634..b150c5e788 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md @@ -3,9 +3,6 @@ title: How Windows uses the TPM description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security. ms.topic: conceptual ms.date: 02/02/2023 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later --- # How Windows uses the Trusted Platform Module 
@@ -22,11 +19,11 @@ TPMs are passive: they receive commands and return responses. To realize the ful The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). -OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*. +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. 
The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*. The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't. -Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. +Certification programs for TPMs-and technology in general-continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. ## TPM in Windows 
@@ -64,7 +61,7 @@ The adoption of new authentication technology requires that identity providers a Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): -- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. +- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM). - **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. 
@@ -77,7 +74,7 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA. BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data. -In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. 
The system firmware and TPM are carefully designed to work together to provide the following capabilities: +In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however-for example, a different operating system is booted from a USB device-the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: - **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. 
(However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. diff --git a/windows/security/information-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png b/windows/security/hardware-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png similarity index 100% rename from windows/security/information-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png rename to windows/security/hardware-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png diff --git a/windows/security/information-protection/tpm/images/tpm-capabilities.png b/windows/security/hardware-security/tpm/images/tpm-capabilities.png similarity index 100% rename from windows/security/information-protection/tpm/images/tpm-capabilities.png rename to windows/security/hardware-security/tpm/images/tpm-capabilities.png 
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md similarity index 96% rename from windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md rename to windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md index ddf935273c..e9374612fe 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -3,9 +3,6 @@ title: Troubleshoot the TPM description: Learn how to view and troubleshoot the Trusted Platform Module (TPM). ms.topic: conceptual ms.date: 02/02/2023 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ms.collection: - highpri - tier1 diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/hardware-security/tpm/manage-tpm-commands.md similarity index 83% rename from windows/security/information-protection/tpm/manage-tpm-commands.md rename to windows/security/hardware-security/tpm/manage-tpm-commands.md index b1be25830b..52a9473f9b 100644 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ b/windows/security/hardware-security/tpm/manage-tpm-commands.md @@ -1,14 +1,8 @@ --- -title: Manage TPM commands +title: Manage TPM commands description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. ms.topic: conceptual ms.date: 04/26/2023 -appliesto: - - ✅ Windows 11 - - ✅ Windows 10 - - ✅ Windows Server 2022 - - ✅ Windows Server 2019 - - ✅ Windows Server 2016 --- # Manage TPM commands 
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/hardware-security/tpm/manage-tpm-lockout.md similarity index 89% rename from windows/security/information-protection/tpm/manage-tpm-lockout.md rename to windows/security/hardware-security/tpm/manage-tpm-lockout.md index 27fb7e5fd6..a281a8e40b 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/hardware-security/tpm/manage-tpm-lockout.md @@ -1,15 +1,10 @@ --- -title: Manage TPM lockout +title: Manage TPM lockout description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. ms.topic: conceptual ms.date: 04/26/2023 -appliesto: - - ✅ Windows 11 - - ✅ Windows 10 - - ✅ Windows Server 2022 - - ✅ Windows Server 2019 - - ✅ Windows Server 2016 --- + # Manage TPM lockout This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md similarity index 95% rename from windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md rename to windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index ccadcd9666..01ddf58aa0 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -3,9 +3,6 @@ title: UnderstandPCR banks on TPM 2.0 devices description: Learn about what happens when you switch PCR banks on TPM 2.0 devices. ms.topic: conceptual ms.date: 02/02/2023 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later --- # PCR banks on TPM 2.0 devices 
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/hardware-security/tpm/tpm-fundamentals.md similarity index 97% rename from windows/security/information-protection/tpm/tpm-fundamentals.md rename to windows/security/hardware-security/tpm/tpm-fundamentals.md index 5647eda9f6..4393c94d01 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/hardware-security/tpm/tpm-fundamentals.md @@ -3,9 +3,6 @@ title: Trusted Platform Module (TPM) fundamentals description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks. ms.topic: conceptual ms.date: 03/09/2023 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later --- # TPM fundamentals 
@@ -116,4 +113,4 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur - Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors - Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements -- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password \ No newline at end of file +- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md similarity index 95% rename from windows/security/information-protection/tpm/tpm-recommendations.md rename to windows/security/hardware-security/tpm/tpm-recommendations.md index 835270f935..a4d4b53a79 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/hardware-security/tpm/tpm-recommendations.md 
@@ -1,14 +1,11 @@ --- -title: TPM recommendations +title: TPM recommendations description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. ms.topic: conceptual ms.date: 02/02/2023 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later -ms.collection: - - highpri - - tier1 +ms.collection: +- highpri +- tier1 --- # TPM recommendations 
@@ -25,7 +22,7 @@ TPMs are passive: they receive commands and return responses. To realize the ful The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). -OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. 
The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. @@ -90,7 +87,7 @@ For end consumers, TPM is behind the scenes but is still relevant. TPM is used f - TPM is optional on IoT Core. -### Windows Server 2016 +### Windows Server 2016 - TPM is optional for Windows Server SKUs unless the SKU meets the other qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md similarity index 95% rename from windows/security/information-protection/tpm/trusted-platform-module-overview.md rename to windows/security/hardware-security/tpm/trusted-platform-module-overview.md index b3f12158c4..b434d6a7d8 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md 
@@ -3,12 +3,9 @@ title: Trusted Platform Module Technology Overview description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. ms.topic: conceptual ms.date: 02/22/2023 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later -ms.collection: - - highpri - - tier1 +ms.collection: +- highpri +- tier1 --- # Trusted Platform Module Technology Overview diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md similarity index 83% rename from windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md rename to windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md index 29b88ebcbb..1799879e61 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md @@ -1,16 +1,12 @@ --- -title: TPM Group Policy settings +title: TPM Group Policy settings description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.topic: conceptual ms.date: 02/02/2023 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later --- # TPM Group Policy settings - This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. The Group Policy settings for TPM services are located at: 
@@ -34,11 +30,11 @@ This policy setting configured which TPM authorization values are stored in the There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. -- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. +- **Full** This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. -- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. 
This is the default setting in Windows prior to version 1703. +- **Delegated** This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703. -- **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. +- **None** This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. > [!NOTE] > If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. 
@@ -57,7 +53,6 @@ The following table shows the TPM owner authorization values in the registry. | 2 | Delegated | | 4 | Full | - If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. 
@@ -73,9 +68,9 @@ This setting helps administrators prevent the TPM hardware from entering a locko For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration: -- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. +- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold) This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. -- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. +- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold) This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. 
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md similarity index 86% rename from windows/security/information-protection/tpm/trusted-platform-module-top-node.md rename to windows/security/hardware-security/tpm/trusted-platform-module-top-node.md index 38bfc8c979..c19e762bdf 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md @@ -1,14 +1,11 @@ --- -title: Trusted Platform Module +title: Trusted Platform Module description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. ms.topic: conceptual ms.date: 02/02/2023 -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later -ms.collection: - - highpri - - tier1 +ms.collection: +- highpri +- tier1 --- # Trusted Platform Module diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 2afb9f4a6a..e8e539e520 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -85,7 +85,7 @@ The following tables describe baseline protections, plus protections for improve |---|---|---| |Hardware: **64-bit CPU** |A 64-bit computer is required for the Windows hypervisor to provide VBS.| |Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**:
- These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system.

Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.| -|Hardware: **Trusted Platform Module (TPM)**|**Requirement**:
- TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| +|Hardware: **Trusted Platform Module (TPM)**|**Requirement**:
- TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../hardware-security/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**:
- See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| |Firmware: **Secure firmware update process**|**Requirements**:
- UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| |Software: Qualified **Windows operating system**|**Requirement**:
- At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 06e3d455fa..b1338f11e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -359,7 +359,7 @@ A TPM implements controls that meet the specification described by the Trusted C - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. -Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md). +Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../hardware-security/tpm/tpm-recommendations.md). Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0. diff --git a/windows/security/index.yml b/windows/security/index.yml index 711ec3f94b..393a49b66b 100644 --- a/windows/security/index.yml 
+++ b/windows/security/index.yml @@ -39,7 +39,7 @@ landingContent: - linkListType: concept links: - text: Trusted Platform Module - url: information-protection/tpm/trusted-platform-module-top-node.md + url: hardware-security/tpm/trusted-platform-module-top-node.md - text: Windows Defender System Guard firmware protection url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md - text: System Guard Secure Launch and SMM protection enablement diff --git a/windows/security/introduction/index.md b/windows/security/introduction/index.md index 781c24730c..6225333cb9 100644 --- a/windows/security/introduction/index.md +++ b/windows/security/introduction/index.md 
@@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d ### Secured identities -Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. +Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../hardware-security/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. 
Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. ### Connecting to cloud services diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md index 5f0f058507..f6aa783b9e 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md @@ -15,7 +15,7 @@ This article for IT professionals describes the function, location, and effect o Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users. > [!NOTE] -> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md). +> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md). BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. 
@@ -219,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. -The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. +The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 040f7b75d4..5152344cde 100644 
--- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -755,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud - [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) - [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide) -- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md) +- [Trusted Platform Module technology overview](../../hardware-security/tpm/trusted-platform-module-overview.md)