Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into wufbr-chartchange-7974367

2025-05-14 06:17:22 +00:00 · 2023-06-09 13:17:14 -07:00 · 2023-06-09 13:17:14 -07:00 · 10d348dd2a
commit 10d348dd2a
parent c279f36a2f 356121cce6
200 changed files with 2059 additions and 2368 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -20840,6 +20840,81 @@
      "redirect_url": "/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/operating-system.md",
      "redirect_url": "/windows/security/operating-system-security",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/cryptography-certificate-mgmt.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/information-protection/secure-the-windows-10-boot-process.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/trusted-boot.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/trusted-boot",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md",
      "redirect_url": "/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/information-protection/index.md",
      "redirect_url": "/windows/security/encryption-data-protection",
--- a/windows/client-management/mdm-known-issues.md
+++ b/windows/client-management/mdm-known-issues.md
@ -68,7 +68,7 @@ EAP XML must be updated with relevant information for your environment. This tas
 - For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile.
 - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
-For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
+For information about EAP Settings, see [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access).
 For information about generating an EAP XML, see [EAP configuration](mdm/eap-configuration.md).
@ -225,7 +225,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
 1. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
 > [!NOTE]
-> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
+> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access).
 ## MDM client will immediately check in with the MDM server after client renews WNS channel URI
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@ -145,7 +145,7 @@ EAP XML must be updated with relevant information for your environment. This tas
 - For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
 - For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
-For information about EAP settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
+For information about EAP settings, see [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access).
 For information about generating an EAP XML, see the EAP configuration article.
@ -297,7 +297,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio
 1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering.
 > [!NOTE]
-> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article.
+> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) article.
 ## Related topics
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@ -742,7 +742,7 @@ hide:bluetooth.
 For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
 > [!WARNING]
-> When you configure this policy to hide any pages that contain `quietmoments` in the URI (for example, `ms-settings:quietmomentsgame`), the Notifications page under System category is hidden.
+> In Windows 11, version 22H2 and later, when you configure this policy to hide any pages that contain `quietmoments` in the URI (for example, `ms-settings:quietmomentsgame`), the Notifications page under System category is hidden.
 To validate this policy, use the following steps:
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Send feedback about Cortana back to Microsoft
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. The Feedback Hub application is launched, where you can provide more information to help diagnose reported issues.
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@ -16,6 +16,8 @@ ms.technology: itpro-configure
 # Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 ## What can you do with in Windows 10, versions 1909 and earlier?
 Your employees can use Cortana to help manage their day and be more productive by getting quick answers to common questions, setting reminders, adding tasks to their To-Do lists, and find out where their next meeting is.
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@ -14,7 +14,8 @@ ms.topic: article
 ---
 # Configure Cortana in Windows 10 and Windows 11
-
+<!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 ## Who is Cortana?
 Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@ -14,6 +14,8 @@ ms.topic: article
 ---
 # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@ -14,6 +14,8 @@ ms.topic: article
 ---
 # Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 >[!NOTE]
 >The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 2 – Perform a Bing search with Cortana
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 1. Select the  **Cortana**  icon in the taskbar.
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 3 - Set a reminder
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@ -14,6 +14,9 @@ ms.technology: itpro-configure
 # Test scenario 4 - Use Cortana to find free time on your calendar for your upcoming meetings.
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 This scenario helps you find out if a time slot is free on your calendar.
 1. Select the  **Cortana**  icon in the taskbar.
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@ -1,6 +1,6 @@
 ---
-title: Use Cortana to send email to a co-worker (Windows)
+title: Use Cortana to send email to a coworker (Windows)
-description: A test scenario about how to use Cortana at work to send email to a co-worker.
+description: A test scenario about how to use Cortana at work to send email to a coworker.
 ms.prod: windows-client
 ms.collection: tier3
 author: aczechowski
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 5 - Test scenario 5 – Find out about a person
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 Cortana can help you quickly look up information about someone or the org chart.
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 6 – Change your language and perform a quick search with Cortana
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location.
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 >[!IMPORTANT]
 >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@ -14,6 +14,9 @@ ms.technology: itpro-configure
 # Cortana at work testing scenarios
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
 - [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Set up and test custom voice commands in Cortana for your organization
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 >[!NOTE]
 >This content applies to Cortana in versions 1909 and earlier, but will not be available in future releases.
--- a/windows/configuration/cortana-at-work/includes/cortana-deprecation.md
+++ b/windows/configuration/cortana-at-work/includes/cortana-deprecation.md
@ -0,0 +1,14 @@
 ---
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.technology: itpro-updates
 ms.prod: windows-client
 ms.topic: include
 ms.date: 06/08/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by all Cortana in Windows (standalone app) articles under /windows/configuration. 7987543 -->
 > [!Important]
 > Cortana in Windows as a standalone app is [deprecated](/windows/whats-new/deprecated-features). This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. 
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@ -14,7 +14,8 @@ ms.topic: article
 ---
 # Set up and test Cortana in Windows 10, version 2004 and later
-
+<!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 ## Before you begin
 - If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you'll need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11.
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 This scenario turns on Azure AD and lets your employee use Cortana to manage an entry in the notebook.
--- a/windows/configuration/cortana-at-work/test-scenario-2.md
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 2 – Perform a quick search with Cortana at work
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 >[!Important]
 >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
--- a/windows/configuration/cortana-at-work/test-scenario-3.md
+++ b/windows/configuration/cortana-at-work/test-scenario-3.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 3 - Set a reminder for a specific location using Cortana at work
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 >[!Important]
 >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 4 - Use Cortana to find your upcoming meetings at work
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 >[!Important]
 >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 5 - Use Cortana to send an email to co-worker
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 >[!Important]
 >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
--- a/windows/configuration/cortana-at-work/test-scenario-6.md
+++ b/windows/configuration/cortana-at-work/test-scenario-6.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 >[!Important]
 >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
--- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
+++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
@ -13,6 +13,8 @@ ms.technology: itpro-configure
 ---
 # Testing scenarios using Cortana in your business or organization
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@ -94,22 +94,6 @@ As of the date of publication, the following are the USB drives currently certif
 - IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://www.kingston.com/support/technical/products?model=dtws))
 - IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://www.kingston.com/support/technical/products?model=dtws))
 - Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719))
 - Spyrus Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
    We recommend that you run the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Portable Workplace.
 - Spyrus Secure Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
    > [!IMPORTANT]
    > You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go, see [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720).
 - Spyrus Worksafe ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
    > [!TIP]
    > This device contains an embedded smart card.
 -   Super Talent Express RC4 for Windows To Go
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@ -1,7 +1,7 @@
 ---
 title: How to check Windows release health
 description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
-ms.date: 05/03/2023
+ms.date: 06/07/2023
 ms.author: mstewart
 author: mestew
 manager: aaroncz
@ -19,28 +19,39 @@ If you're unable to sign in to the Microsoft 365 admin portal, check the [Micros
 To be informed about the latest updates and releases, follow [@WindowsUpdate](https://twitter.com/windowsupdate) on Twitter.
 ## Prerequisites
 Ensure the following prerequisites are met to display the Windows release health page in the Microsoft 365 admin center: <!--7872213-->
 - One of the following licenses:
   - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
   - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
 - Sign into the Microsoft 365 admin center using an [admin role](/microsoft-365/admin/add-users/about-admin-roles).
   - Most roles containing the word `administrator` give you access to the Windows release health page such as [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference#helpdesk-administrator), and [Service Support Administrator](/azure/active-directory/roles/permissions-reference#service-support-administrator). For more information, see [Assign admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles).
 > [!NOTE]
 > Currently, Windows release health isn't available for Government Community Cloud (GCC) tenants.
 ## How to review Windows release health information
-1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with an administrator account.
+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with an admin account.
-    > [!NOTE]
+1. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
    > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles).
-2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
+1. On the **Windows release health** page, you have access to known issue information for all supported versions of the Windows operating system.
 3. On the **Windows release health** page, you'll have access to known issue information for all supported versions of the Windows operating system.
   The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
-   ![View of current issues in release health.](images/WRH-menu.png)
+   ![Screenshot of current issues in release health.](images/WRH-menu.png)
-   A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days.
+   A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab shows known issues that are active or resolved within the last 30 days.
-   ![View of known issues in release health.](images/WRH-known-issues-20H2.png)
+   ![Screenshot of known issues in release health.](images/WRH-known-issues-20H2.png)
   The **History** tab shows the history of known issues that have been resolved for up to 6 months.
-   ![View of history issues in release health.](images/WRH-history-20H2.png)
+   ![Screenshot of history issues in release health.](images/WRH-history-20H2.png)
   The known issue summary provides the following information:
@ -56,7 +67,7 @@ To be informed about the latest updates and releases, follow [@WindowsUpdate](ht
 ## Sign up for email notifications 
-You have the option to sign up for email notifications about Windows known issues and informational updates. Notifications include changes in issue status, new workarounds, and issue resolutions. To subscribe to notifications:
+You can sign up for email notifications about Windows known issues and informational updates. Notifications include changes in issue status, new workarounds, and issue resolutions. To subscribe to notifications:
 1. Go to the [Windows release health page](https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth).
 1. Select **Preferences** > **Email**, then select **Send me email notifications about Windows release health**.
@ -78,20 +89,20 @@ In the **Windows release health** experience, every known issue is assigned as s
 |**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there's no confirmation that users are affected. |
 |**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue's scope, mitigation steps, and root cause. |
 |**Confirmed** | After close review, Microsoft has determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
-|**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. |
+|**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue stays in this state until a KB article is released by Microsoft to resolve the known issue. |
-|**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. |
+|**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue caused by a software or driver from a third-party software or device manufacturer. A known issue stays in this state until the issue is resolved by Microsoft or the third-party. |
-|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it's deployed in the customer's environment. |
+|**Resolved** | A solution was released by Microsoft and was documented in a KB article that resolves the known issue once it's deployed in the customer's environment. |
-|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it's deployed in the customer's environment. |
+|**Resolved: External** | A solution was released by Microsoft or a third-party that resolves the known issue once it's deployed in the customer's environment. |
 ## Known issue history
 The Windows release health page lets you view the history of all status updates posted for a specific known issue. To view all past updates posted for a given issue, select **View history** on the issue detail page.
-![Show link to view message history.](images/WRH-view-message-history-padded.png)
+![Screenshot of the link to view message history.](images/WRH-view-message-history-padded.png)
-A list of all status updates posted in the selected timeframe will be displayed, as shown below. You can expand any row to view the specific information provided in that status update.  
+A list of all status updates posted in the selected time frame is displayed. You can expand any row to view the specific information provided in that status update.  
-![View message history.](images/WRH-message-history-example-padded.png)
+![Screenshot of the message history.](images/WRH-message-history-example-padded.png)
 ## Frequently asked questions
@ -104,14 +115,14 @@ A list of all status updates posted in the selected timeframe will be displayed,
    Windows release health doesn't monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
 -   **Where do I find Windows release health?**   
-    After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**.
+    After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** to display the **Windows release health** menu option.
 -   **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Microsoft Learn?**   
-    No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you’ll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
+    No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
 -   **How often will content be updated?**   
-    In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Microsoft Learn and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
+    To ensure Windows customers have important information as soon as possible, all major known issues are shared with Windows customers on both Microsoft Learn and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
 -   **Can I share this content publicly or with other Windows customers?**   
    Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly.
@ -131,7 +142,7 @@ A list of all status updates posted in the selected timeframe will be displayed,
    Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of **Service Support admin**.
 -   **Why can't I click to the KB article from the Known issues or History tabs?**   
-    Within the issue description, you'll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue's Details pane.
+    Within the issue description, you'll find links to the KB articles. In the known issue and history tabs, the entire row is a clickable entry to the issue's Details pane.
 -   **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?**   
    We're working to build the Windows release health experience on mobile devices in a future release.
@ -142,7 +153,7 @@ A list of all status updates posted in the selected timeframe will be displayed,
    Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support.
 -   **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**   
-    The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. It will be the letters `WI` followed by a number, similar to `WI123456`.
+    The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. The ID is the letters `WI` followed by a number, similar to `WI123456`.
 -   **How can I learn more about expanding my use of Microsoft 365 admin center?**
    For more information, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@ -34,7 +34,7 @@ sections:
          Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
      - question: Will Windows Autopatch be available for state and local government customers?
        answer: |
-          Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers.
+          Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not suppported.
      - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service?
        answer: |
          Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch.
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@ -156,14 +156,16 @@ Supported values:
 ### Protected client
-Applies more security settings to the sandbox Remote Desktop client, decreasing its attack surface.
+When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment.
 AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
 `<ProtectedClient>value</ProtectedClient>`
 Supported values:
- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
+- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation.
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
+- *Disable*: Runs the Sandbox in the standard mode without extra security mitigations.
 - *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
 > [!NOTE]
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@ -77,6 +77,8 @@
        "application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft",
        "identity-protection/**/*.md": "paolomatarazzo",
        "identity-protection/**/*.yml": "paolomatarazzo",
        "operating-system-security/**/*.md": "vinaypamnani-msft",
        "operating-system-security/**/*.yml": "vinaypamnani-msft",
        "operating-system-security/data-protection/**/*.md": "paolomatarazzo",
        "operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
        "operating-system-security/network-security/**/*.md": "paolomatarazzo",
@ -90,6 +92,8 @@
        "application-security/application-isolation/windows-sandbox/**/*.md": "vinpa",
        "identity-protection/**/*.md": "paoloma",
        "identity-protection/**/*.yml": "paoloma",
        "operating-system-security/**/*.md": "vinpa",
        "operating-system-security/**/*.yml": "vinpa",
        "operating-system-security/data-protection/**/*.md": "paoloma",
        "operating-system-security/data-protection/**/*.yml": "paoloma",
        "operating-system-security/network-security/**/*.md": "paoloma",
@ -98,6 +102,13 @@
        "operating-system-security/network-security/windows-firewall/*.yml": "nganguly"
      },
      "appliesto": {
        "threat-protection/windows-defender-application-control/applocker/*.md": [
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
        ],
        "application-security/application-isolation/windows-sandbox/**/*.md": [
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
@ -134,6 +145,10 @@
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
        ],
        "operating-system-security/**/*.md": [
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
        ],
        "operating-system-security/data-protection/**/*.md": [
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@ -337,6 +337,3 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti
 > [!NOTE]
 > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
 ## The road ahead
 The information presented here is just the beginning. We'll update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a password-less future, we would love to hear from you. Your feedback is important. Send us an email at [pwdlessQA@microsoft.com](mailto:pwdlessQA@microsoft.com?subject=Passwordless%20Feedback).
--- a/windows/security/includes/sections/application-application-control-overview.md
+++ b/windows/security/includes/sections/application-application-control-overview.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Application Control features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|
 |[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
 |[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Application Control features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|Yes|
 |[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
 |[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/application-application-isolation-overview.md
+++ b/windows/security/includes/sections/application-application-isolation-overview.md
@ -0,0 +1,30 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Application Isolation features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|
 |[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|❌|Yes|
 |Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes|
 |[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
 |[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
 |[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
 |[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Application Isolation features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|Yes|
 |[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|Yes|Yes|Yes|
 |Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes|
 |[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
 |[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
 |[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
 |[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/application.md
+++ b/windows/security/includes/sections/application.md
@ -0,0 +1,26 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/06/2023
 ms.topic: include
 ---
 ## Application Control
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
 | **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.<br><br>Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
 | **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
 ## Application Isolation
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
 | **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
 | **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
 | **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
 | **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
 | **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
 | **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
--- a/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
+++ b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
@ -0,0 +1,26 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Protecting Your Work Information features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
 |[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
 |[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
 |[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|
 |[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Protecting Your Work Information features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
 |[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
 |[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
 |[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|Yes|
 |[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/cloud-services-update-overview.md
+++ b/windows/security/includes/sections/cloud-services-update-overview.md
@ -0,0 +1,20 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Update features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|❌|Yes|
 |[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Update features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|Yes|❌|❌|
 |[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/cloud-services.md
+++ b/windows/security/includes/sections/cloud-services.md
@ -0,0 +1,23 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/06/2023
 ms.topic: include
 ---
 ## Protecting Your Work Information
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
 | **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
 | **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers. <br><br>With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
 | **[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.  |
 | **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a <br>Microsoft hosted cloud subscription service that supports a zero-trust security model by <br>enabling network isolation of printers, including the Universal Print connector software, from <br>the rest of the organization's resources. |
 ## Update
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise. <br><br>The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors.  |
 | **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
--- a/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
+++ b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Hardware Root-Of-Trust features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|
 |[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
 |[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Hardware Root-Of-Trust features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|Yes|
 |[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
 |[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
+++ b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
@ -0,0 +1,26 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Silicon Assisted Security (Secured Kernel) features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|
 |[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
 |[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
 |[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
 |[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|Yes|
 |[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
 |[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
 |[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
 |[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/hardware.md
+++ b/windows/security/includes/sections/hardware.md
@ -0,0 +1,24 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/06/2023
 ms.topic: include
 ---
 ## Hardware Root-Of-Trust
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
 | **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.<br><br>Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
 | **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.<br><br>In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
 ## Silicon Assisted Security (Secured Kernel)
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
 | **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
 | **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
 | **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
 | **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
--- a/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
+++ b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
@ -0,0 +1,28 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Advanced Credential Protection features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|
 |[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|
 |[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|
 |[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|
 |[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|❌|Yes|
 |[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Advanced Credential Protection features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|Yes|
 |[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|Yes|
 |[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|Yes|
 |[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|Yes|
 |[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|Yes|Yes|Yes|
 |[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
+++ b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
@ -0,0 +1,28 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Passwordless Sign In features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|
 |[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|
 |[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|
 |[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|
 |[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|Yes|Yes|
 |[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Passwordless Sign In features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|Yes|
 |[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|Yes|
 |[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|Yes|
 |[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|Yes|
 |[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|❌|Yes|Yes|
 |[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/identity.md
+++ b/windows/security/includes/sections/identity.md
@ -0,0 +1,28 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/06/2023
 ms.topic: include
 ---
 ## Passwordless Sign In
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
 | **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
 | **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in. <br><br>Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more. <br><br>For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
 | **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
 | **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
 | **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
 ## Advanced Credential Protection
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
 | **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** |  |
 | **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
 | **[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.<br><br>Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
 | **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. <br><br>By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
 | **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. <br><br>Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
--- a/windows/security/includes/sections/operating-system-data-protection-overview.md
+++ b/windows/security/includes/sections/operating-system-data-protection-overview.md
@ -0,0 +1,26 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Data Protection features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|Yes|Yes|Yes|Yes|
 |[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|
 |[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|
 |[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|❌|Yes|
 |[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Data Protection features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|❌|Yes|Yes|Yes|Yes|
 |[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|Yes|
 |[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|Yes|
 |[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|Yes|Yes|Yes|
 |[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/operating-system-modern-device-management-overview.md
+++ b/windows/security/includes/sections/operating-system-modern-device-management-overview.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Modern Device Management features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|
 |[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|
 |[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Modern Device Management features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|Yes|
 |[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|Yes|
 |[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/operating-system-network-security-overview.md
+++ b/windows/security/includes/sections/operating-system-network-security-overview.md
@ -0,0 +1,36 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Network Security features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|
 |Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|
 |[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|
 |Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|
 |[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|
 |[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|
 |[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|❌|Yes|
 |[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|❌|Yes|
 |[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|
 |[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Network Security features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|Yes|
 |Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|Yes|
 |[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|Yes|
 |Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|Yes|
 |[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|Yes|
 |[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|Yes|
 |[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|Yes|Yes|Yes|
 |[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|Yes|Yes|Yes|
 |[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|Yes|
 |[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/operating-system-system-security-overview.md
+++ b/windows/security/includes/sections/operating-system-system-security-overview.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all System Security features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|
 |[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|
 |[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all System Security features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|Yes|
 |[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|Yes|
 |[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
+++ b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
@ -0,0 +1,34 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Virus And Threat Protection features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|
 |Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|
 |[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|
 |[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|
 |[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|
 |[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|
 |[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|
 |[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|
 |[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Virus And Threat Protection features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|Yes|
 |Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|Yes|
 |[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|Yes|
 |[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|Yes|
 |[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|Yes|
 |[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|Yes|
 |[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|Yes|
 |[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|Yes|
 |[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|❌|❌|Yes|❌|Yes|
--- a/windows/security/includes/sections/operating-system.md
+++ b/windows/security/includes/sections/operating-system.md
@ -0,0 +1,61 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/06/2023
 ms.topic: include
 ---
 ## System Security
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
 | **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
 | **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
 ## Virus And Threat Protection
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.<br><br>The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. |
 | **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
 | **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
 | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
 | **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
 | **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware.  |
 | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
 | **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
 | **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
 ## Network Security
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
 | **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
 | **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
 | **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots.  |
 | **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
 | **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls.  |
 | **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** |  |
 | **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
 | **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
 | **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.<br><br>SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
 ## Data Protection
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD.  |
 | **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
 | **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
 | **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content.  |
 | **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
 ## Modern Device Management
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
 | **[Secured-core configuration lock](/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.  |
 | **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
--- a/windows/security/includes/sections/privacy.md
+++ b/windows/security/includes/sections/privacy.md
@ -0,0 +1,6 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
--- a/windows/security/includes/sections/security-foundations-certification-overview.md
+++ b/windows/security/includes/sections/security-foundations-certification-overview.md
@ -0,0 +1,20 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/02/2023
 ms.topic: include
 ---
 The following table lists the edition applicability for all Certification features.
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
 |[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|
 |[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|
 The following table lists the licensing applicability for all Certification features.
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
 |[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|Yes|
 |[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|Yes|
--- a/windows/security/includes/sections/security-foundations.md
+++ b/windows/security/includes/sections/security-foundations.md
@ -0,0 +1,13 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 06/06/2023
 ms.topic: include
 ---
 ## Certification
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
 | **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@ -57,11 +57,11 @@ landingContent:
      - linkListType: overview
        links:
        - text: Overview
-          url: operating-system.md
+          url: operating-system-security/index.md
      - linkListType: concept
        links:
-        - text: System security
+        - text: Trusted boot
-          url: trusted-boot.md
+          url: operating-system-security\system-security\trusted-boot.md
        - text: Encryption and data protection
          url: operating-system-security/data-protection/index.md
        - text: Windows security baselines
@ -136,7 +136,7 @@ landingContent:
        - text: OneDrive
          url: /onedrive/onedrive
        - text: Family safety
-          url: threat-protection/windows-defender-security-center/wdsc-family-options.md
+          url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md
 # Cards and links should be based on top customer tasks or top subjects
 # Start card title with a verb
  # Card (optional)
--- a/windows/security/introduction/index.md
+++ b/windows/security/introduction/index.md
@ -34,7 +34,7 @@ Windows 11 is a natural evolution of its predecessor, Windows 10. We have collab
 With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
-In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
+In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
 ### Robust application security and privacy controls
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
@ -31,7 +31,7 @@ A trusted platform module (TPM) is a microchip designed to provide basic securit
 Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
-The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../../information-protection/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
+The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
 By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
--- a/windows/security/operating-system-security/index.md
+++ b/windows/security/operating-system-security/index.md
@ -0,0 +1,16 @@
 ---
 title: Windows operating system security
 description: Securing the operating system includes system security, encryption, network security, and threat protection.
 ms.date: 09/21/2021
 ms.topic: article
 ---
 # Windows operating system security
 Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
 Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
 Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
 [!INCLUDE [operating-system-security](../includes/sections/operating-system.md)]
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@ -16,7 +16,7 @@ Conditional Access Platform components used for Device Compliance include the fo
 - [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
 - [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
- [Windows Health Attestation Service](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation) (optional)
+- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
 - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
 See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
 - Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
@ -85,13 +85,14 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 - [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview)
 - [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
- [Control the health of Windows devices](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+- [Control the health of Windows devices](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
 ## Related topics
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN routing decisions](vpn-routing.md)
--- a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
+++ b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
@ -1,19 +1,13 @@
 ---
 title: Cryptography and Certificate Management
 description: Get an overview of cryptography and certificate management in Windows
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.reviewer: skhadeer, raverma
 ---
 # Cryptography and Certificate Management
 ## Cryptography
 Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.
@ -32,6 +26,6 @@ These modules are natively exposed on Windows through the Crypto API (CAPI) and
 ## Certificate management
-Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately. 
+Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
-Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer. 
+Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch starts event logging and prevents user access from Microsoft Edge.
--- a/windows/security/information-protection/images/dn168167.boot_process(en-us,MSDN.10).png
+++ b/windows/security/information-protection/images/dn168167.boot_process(en-us,MSDN.10).png
--- a/windows/security/operating-system-security/system-security/images/hva-fig1-endtoend1.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig1-endtoend1.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig10-conditionalaccesscontrol.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig10-conditionalaccesscontrol.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig11-office365.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig11-office365.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig12-conditionalaccess12.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig12-conditionalaccess12.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig2-assessfromcloud2.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig2-assessfromcloud2.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig3-endtoendoverview3.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig3-endtoendoverview3.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig4-hardware.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig4-hardware.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig5-virtualbasedsecurity.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig5-virtualbasedsecurity.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig6-logs.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig6-logs.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig7-measurement.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig7-measurement.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig8-evaldevicehealth8.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig8-evaldevicehealth8.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig8a-healthattest8a.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig8a-healthattest8a.png
--- a/windows/security/operating-system-security/system-security/images/hva-fig9-intune.png
+++ b/windows/security/operating-system-security/system-security/images/hva-fig9-intune.png
--- a/windows/security/information-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
+++ b/windows/security/information-protection/images/dn168167.measure_boot(en-us,MSDN.10).png
--- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@ -1,22 +1,12 @@
 ---
 title: Control the health of Windows devices
 description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
 ms.prod: windows-client
 ms.date: 10/13/2017
 ms.localizationpriority: medium
 ms.technology: itpro-security
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.topic: conceptual
 ---
 # Control the health of Windows devices
 **Applies to**
 -   Windows 10
 This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
 ## Introduction
@ -77,7 +67,7 @@ Access to content is then authorized to the appropriate level of trust for whate
 Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow more verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, further security authentication may need to be established by querying the user to answer a phone call before access is granted.
-### <a href="" id="microsoft-s-security-investments-in-windows-10"></a>Microsoft's security investments in Windows 10
+### Microsoft's security investments in Windows 10
 In Windows 10, there are three pillars of investments:
@ -108,7 +98,7 @@ This section describes what Windows 10 offers in terms of security defenses and
 ### Windows 10 hardware-based security defenses
 The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start.
-Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section.
+Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-requirements) section.
 :::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png":::
@ -175,9 +165,10 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
    The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code.
    The ELAM driver is a small driver with a small policy database that has a narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1).
 - **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10.
-    Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtual) section.
+    Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtualization-based-security) section.
 - **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
@ -207,7 +198,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
    Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation won't stop the boot process and enter remediation when a measurement doesn't work. But with conditional access control, health attestation will help to prevent access to high-value assets.
-### <a href="" id="virtual"></a>Virtualization-based security
+### Virtualization-based security
 Virtualization-based security provides a new trust boundary for Windows 10 and uses Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data.
@ -222,7 +213,6 @@ The following Windows 10 services are protected with virtualization-based securi
 > [!NOTE]
 > Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.
 The schema below is a high-level view of Windows 10 with virtualization-based security.
 :::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png":::
@ -325,25 +315,25 @@ Device health attestation uses the TPM to provide cryptographically strong and v
 For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
-For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section.
+For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-an-unhealthy-windows-10-based-device) section.
-[!INCLUDE [device-health-attestation-service](../../../includes/licensing/device-health-attestation-service.md)]
+[!INCLUDE [device-health-attestation-service](../../../../includes/licensing/device-health-attestation-service.md)]
-### <a href="" id="hardware-req"></a>Hardware requirements
+### Hardware requirements
 The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
 |Hardware|Motivation|
 |--- |--- |
-|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot.<p>UEFI Secure Boot ensures that the device boots only authorized code.<p>Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
+|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
-|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security.<div class="alert">**Note:** Device Guard can be enabled without using virtualization-based security.</div>|
+|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. **Note:** Device Guard can be enabled without using virtualization-based security.|
-|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).<p>Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
+|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86). Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
 |IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.|
 |Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)|
 This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
-## <a href="" id="detect-unhealthy"></a>Detect an unhealthy Windows 10-based device
+## Detect an unhealthy Windows 10-based device
 As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
@ -426,7 +416,7 @@ The following process describes how health boot measurements are sent to the hea
 The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section.
-### <a href="" id="trusted-platform-module-"></a>Trusted Platform Module
+### Trusted Platform Module
 This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
@ -506,7 +496,7 @@ If the TPM ownership isn't known but the EK exists, the client library will prov
 As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
 > [!NOTE]
-> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: <b>https://\*.microsoftaik.azure.net</b>
+> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: `https://\*.microsoftaik.azure.net`
 ### Windows 10 Health Attestation CSP
@ -625,7 +615,7 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bui
 The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users.
-### <a href="" id="management-of-windows-defender-by-third-party-mdm-"></a>Management of Windows Defender by third-party MDM
+### Management of Windows Defender by third-party MDM
 This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
@ -641,7 +631,7 @@ If the device isn't registered, the user will get a message with instructions on
 :::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
-### <a href="" id="office-365-conditional-access-control-"></a>Office 365 conditional access control
+### Office 365 conditional access control
 Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
 target groups.
@ -676,7 +666,7 @@ To get to a compliant state, the Windows 10-based device needs to:
 > [!NOTE]
 > At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
-### <a href="" id="cloud-and-on-premises-apps-conditional-access-control-"></a>Cloud and on-premises apps conditional access control
+### Cloud and on-premises apps conditional access control
 Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
@ -765,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
 - [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
 - [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
- [Trusted Platform Module technology overview](../information-protection/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
--- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@ -1,24 +1,16 @@
 ---
 title: Secure the Windows boot process
 description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
-ms.prod: windows-client
+ms.topic: conceptual
-ms.author: paoloma
+ms.date: 03/09/2023
 author: paolomatarazzo
 manager: aaroncz
 ms.collection:
  - highpri
  - tier1
 ms.topic: conceptual
 ms.date: 03/09/2023
 ms.technology: itpro-security
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 ---
 # Secure the Windows boot process
-
+Windows has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, Windows includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
 The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
 Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
@ -50,9 +42,9 @@ Windows supports four features to help prevent rootkits and bootkits from loadin
 Figure 1 shows the Windows startup process.
-![Windows startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png)
+![Screenshot that shows the Windows startup process.](./images/boot_process.png)
-*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
+*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*:
 Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
@ -87,13 +79,9 @@ The default state of Secure Boot has a wide circle of trust which can result in
 To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps:
 1. Open the firmware menu, either:
    - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
    - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
 2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
 3. Save changes and exit.
 Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
@ -102,7 +90,7 @@ Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT de
 ## Trusted Boot
-Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
 ## Early Launch Anti-Malware
@ -129,13 +117,12 @@ Depending on the implementation and configuration, the server can now determine
 Figure 2 illustrates the Measured Boot and remote attestation process.
 ![Screenshot that shows the Measured Boot and remote attestation process.](./images/measured_boot.png)
-
+*Figure 2. Measured Boot proves the PC's health to a remote server*:
 ![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
 *Figure 2. Measured Boot proves the PC's health to a remote server*
 Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
 - [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
 - [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
--- a/windows/security/operating-system-security/system-security/toc.yml
+++ b/windows/security/operating-system-security/system-security/toc.yml
@ -1,28 +1,28 @@
 items:
 - name: Secure the Windows boot process
-  href: ../../information-protection/secure-the-windows-10-boot-process.md
+  href: secure-the-windows-10-boot-process.md
 - name: Secure Boot and Trusted Boot
-  href: ../../trusted-boot.md
+  href: trusted-boot.md
- name: Measured Boot
+- name: Measured Boot 🔗
  href: /windows/compatibility/measured-boot
 - name: Device health attestation service
-  href: ../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+  href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
 - name: Cryptography and certificate management
-  href: ../../cryptography-certificate-mgmt.md
+  href: cryptography-certificate-mgmt.md
- name: The Windows Security app
+- name: Windows Security app
-  href: ../../threat-protection/windows-defender-security-center/windows-defender-security-center.md
+  href: windows-defender-security-center/windows-defender-security-center.md
  items:
  - name: Virus & threat protection
-    href: ../../threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
+    href: windows-defender-security-center\wdsc-virus-threat-protection.md
  - name: Account protection
-    href: ../../threat-protection\windows-defender-security-center\wdsc-account-protection.md
+    href: windows-defender-security-center\wdsc-account-protection.md
  - name: Firewall & network protection
-    href: ../../threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
+    href: windows-defender-security-center\wdsc-firewall-network-protection.md
  - name: App & browser control
-    href: ../../threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
+    href: windows-defender-security-center\wdsc-app-browser-control.md
  - name: Device security
-    href: ../../threat-protection\windows-defender-security-center\wdsc-device-security.md
+    href: windows-defender-security-center\wdsc-device-security.md
  - name: Device performance & health
-    href: ../../threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
+    href: windows-defender-security-center\wdsc-device-performance-health.md
  - name: Family options
-    href: ../../threat-protection\windows-defender-security-center\wdsc-family-options.md
+    href: windows-defender-security-center\wdsc-family-options.md
--- a/windows/security/operating-system-security/system-security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@ -1,14 +1,11 @@
 ---
 title: Secure Boot and Trusted Boot
 description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/21/2021
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.reviewer: jsuther
 appliesto:
  - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
 ---
 # Secure Boot and Trusted Boot
@ -29,8 +26,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo
 Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
-[!INCLUDE [secure-boot-and-trusted-boot](../../includes/licensing/secure-boot-and-trusted-boot.md)]
+[!INCLUDE [secure-boot-and-trusted-boot](../../../../includes/licensing/secure-boot-and-trusted-boot.md)]
 ## See also
-[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
+[Secure the Windows boot process](secure-the-windows-10-boot-process.md)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-custom-flyout.png
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-home.png
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-start-menu.png
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/security-center-taskbar.png
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/settings-windows-defender-security-center-areas.png
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/images/wdsc-all-hide.png
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@ -0,0 +1,37 @@
 ---
 title: Account protection in the Windows Security app
 description: Use the Account protection section to manage security for your account and sign in to Microsoft.
 ms.date: 12/31/2018
 ms.topic: article
 ---
 # Account protection
 The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
 - [Microsoft Account](https://account.microsoft.com/account/faq)
 - [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
 - [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
 You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
 ## Hide the Account protection section
 You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
 You can only configure these settings by using Group Policy.
 > [!IMPORTANT]
 > You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select  **Edit**.
 1. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
 1. Expand the tree to **Windows components > Windows Security > Account protection**.
 1. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 > [!NOTE]
 > If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
@ -1,21 +1,12 @@
 ---
 title: App & browser control in the Windows Security app
 description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.date: 12/31/2018
 manager: aaroncz
 ms.technology: itpro-security
 ms.topic: article
 ---
 # App and browser control
 **Applies to**
 - Windows 10 and later
 The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
 In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).
@ -32,13 +23,9 @@ You can only prevent users from modifying Exploit protection settings by using G
 > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
 3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
 4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 ## Hide the App & browser control section
@ -51,13 +38,9 @@ This section can be hidden only by using Group Policy.
 > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
 3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
 4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**.
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 > [!NOTE]
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
@ -1,20 +1,12 @@
 ---
 title: Customize Windows Security contact information
 description: Provide information to your employees on how to contact your IT department when a security issue occurs
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.date: 12/31/2018
 ms.technology: itpro-security
 ms.topic: article
 ---
 # Customize the Windows Security app for your organization
 **Applies to**
 - Windows 10 and later
 You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
 ![The Windows Security custom fly-out.](images/security-center-custom-flyout.png)
@ -36,11 +28,8 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
 There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
 4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:
    1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
@ -51,8 +40,8 @@ There are two stages to using the contact card and customized notifications. Fir
    2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
 5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
 6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
    1. **Specify contact email address or Email ID**
    2. **Specify contact phone number or Skype ID**
    3. **Specify contact website**
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
@ -2,52 +2,34 @@
 title: Device & performance health in the Windows Security app
 description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
 ms.date: 12/31/2018
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.technology: itpro-security
 ms.topic: article
 ---
 # Device performance and health
 **Applies to**
 - Windows 10
 - Windows 11
 The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
 The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
 In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
 ## Hide the Device performance & health section
 You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
 This section can be hidden only by using Group Policy.
->[!IMPORTANT]
+> [!IMPORTANT]
->### Requirements
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 >
 >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
 1. Expand the tree to **Windows components > Windows Security > Device performance and health**.
 1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-3.  In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+> [!NOTE]
-
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 5.  Expand the tree to **Windows components > Windows Security > Device performance and health**.
 6.  Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). 
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
@ -0,0 +1,53 @@
 ---
 title: Device security in the Windows Security app
 description: Use the Device security section to manage security built into your device, including virtualization-based security.
 ms.date: 12/31/2018
 ms.topic: article
 ---
 # Device security
 The **Device security** section contains information and settings for built-in device security.
 You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
 ## Hide the Device security section
 You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
 > [!IMPORTANT]
 > You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
 4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 > [!NOTE]
 > If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 ## Disable the Clear TPM button
 If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
 > [!IMPORTANT]
 > You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
 4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 ## Hide the TPM Firmware Update recommendation
 If you don't want users to see the recommendation to update TPM firmware, you can disable it.
 1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
 3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
 4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
@ -1,50 +1,35 @@
 ---
 title: Family options in the Windows Security app
 description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.date: 12/31/2018
 ms.technology: itpro-security
 ms.topic: article
 ---
 # Family options
 **Applies to**
 - Windows 10 and later
 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
 Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
 In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
 ## Hide the Family options section
 You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
 This section can be hidden only by using Group Policy.
->[!IMPORTANT]
+> [!IMPORTANT]
->### Requirements
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 >
 >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
 1. Expand the tree to **Windows components > Windows Security > Family options**.
 1. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
-3.  In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+> [!NOTE]
-
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 5.  Expand the tree to **Windows components > Windows Security > Family options**.
 6.  Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). 
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@ -1,49 +1,32 @@
 ---
 title: Firewall and network protection in the Windows Security app
 description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.date: 12/31/2018
 ms.technology: itpro-security
 ms.topic: article
 ---
 # Firewall and network protection
-**Applies to**
+The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
 - Windows 10
 - Windows 11
 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
 In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
 ## Hide the Firewall & network protection section
 You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
 This section can be hidden only by using Group Policy.
->[!IMPORTANT]
+> [!IMPORTANT]
->### Requirements
+> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 >
 >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 
 1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
 1. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
 1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
 1. Deploy the updated GPO as you normally do.
-3.  In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+> [!NOTE]
-
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 5.  Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
 6.  Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
 7.  Deploy the updated GPO as you normally do. 
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
@ -1,20 +1,12 @@
 ---
 title: Hide notifications from the Windows Security app
 description: Prevent Windows Security app notifications from appearing on user endpoints
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.date: 12/31/2018
 ms.technology: itpro-security
 ms.topic: article
 ---
 # Hide Windows Security app notifications
 **Applies to**
 - Windows 10 and later
 The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
 In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
@ -28,30 +20,21 @@ If you set **Hide all notifications** to **Enabled**, changing the **Hide non-cr
 You can only use Group Policy to change these settings.
 ## Use Group Policy to hide non-critical notifications
 You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).
 These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
+> [!IMPORTANT]
->
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 > Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 
 1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
-
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-2.  On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
-3.  In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
-
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 5.  Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
 6.  Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). 
 ## Use Group Policy to hide all notifications
@ -59,22 +42,18 @@ You can hide all notifications that are sourced from the Windows Security app. T
 These notifications can be hidden only by using Group Policy.
->[!IMPORTANT]
+> [!IMPORTANT]
->
+> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 > Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
+1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-3.  In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
 5.  Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
    > [!NOTE]
    > For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
-6.  Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
+1. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-
+1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). 
 > [!NOTE]
 > You can use the following registry key and DWORD value to **Hide all notifications**.
@ -95,7 +74,7 @@ These notifications can be hidden only by using Group Policy.
 | HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification|
 | HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
 | Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
-| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
+| Remediation failure | Microsoft Defender Antivirus couldn't completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
 | Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
 | Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
 | Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
@ -109,7 +88,7 @@ These notifications can be hidden only by using Group Policy.
 | Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
 | Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_.  No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
 | Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
-| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device.  You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
+| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device.  You're also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
 | Long running BaFS | Your IT administrator  requires a security scan of this item.  The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification|
 | Long running BaFS customized | _Company_ requires a security scan of this item.  The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
 | Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
@ -0,0 +1,58 @@
 ---
 title: Virus and threat protection in the Windows Security app
 description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
 ms.date: 12/31/2017
 ms.topic: article
 ---
 # Virus and threat protection
 The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
 In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
 IT administrators and IT pros can get more configuration information from these articles:
 - [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
 - [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
 - [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
 - [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
 - [Ransomware detection and recovering your files](https://support.office.com/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
 You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
 ## Hide the Virus & threat protection section
 You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
 This section can be hidden only by using Group Policy.
 > [!IMPORTANT]
 > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
 1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
 1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 > [!NOTE]
 > If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
 > ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 ## Hide the Ransomware protection area
 You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
 This area can be hidden only by using Group Policy.
 > [!IMPORTANT]
 > You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
 1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
 1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
 1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@ -1,32 +1,17 @@
 ---
-title: The Windows Security app
+title: Windows Security app
 description: The Windows Security app brings together common Windows security features into one place.
-search.product: eADQiWindows 10XVcnh
+ms.date: 12/31/2017
-ms.prod: windows-client
+ms.topic: article
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-security
 ms.collection:
  - highpri
  - tier2
 ms.date: 12/31/2017
 ms.topic: article
 ---
-# The Windows Security app
+# Windows Security app
 **Applies to**
 - Windows 10
 - Windows 11
 This library describes the Windows Security app, and provides information on configuring certain features, including:
 <a id="customize-notifications-from-the-windows-defender-security-center"></a>
 - [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
 - [Hiding notifications](wdsc-hide-notifications.md)
@ -65,9 +50,11 @@ For more information about each section, options for configuring the sections, a
 - Select the icon in the notification area on the taskbar.
    ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png)
 - Search the Start menu for **Windows Security**.
    ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected.](images/security-center-start-menu.png)
 - Open an area from Windows **Settings**.
    ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png)
@ -86,7 +73,7 @@ For more information about each section, options for configuring the sections, a
 >
 > Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
 >
-> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
+> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
 > [!WARNING]
 > If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
--- a/windows/security/operating-system-security/toc.yml
+++ b/windows/security/operating-system-security/toc.yml
@ -1,6 +1,6 @@
 items:
 - name: Overview
-  href: ../operating-system.md
+  href: index.md
 - name: System security
  href: system-security/toc.yml
 - name: Virus and threat protection
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md
@ -1,18 +1,8 @@
 ---
 title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
 description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 05/31/2023
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
 ms.topic: reference
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@ -1,18 +1,10 @@
 ---
 title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
 description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
 ms.prod: windows-client
 ms.technology: itpro-security
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.reviewer: paoloma
 manager: aaroncz
 ms.localizationpriority: medium
 ms.date: 05/31/2023
-adobe-target: true
+ms.topic: conceptual
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2</a>
 ms.topic: conceptual
 ---
 # Enhanced Phishing Protection in Microsoft Defender SmartScreen
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@ -1,19 +1,12 @@
 ---
 title: Microsoft Defender SmartScreen overview
 description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
-ms.prod: windows-client
+ms.date: 05/31/2023
-author: vinaypamnani-msft
+ms.topic: article
 ms.author: vinpa
 ms.localizationpriority: high
 ms.reviewer:
 manager: aaroncz
 ms.technology: itpro-security
 adobe-target: true
 ms.collection:
  - tier2
  - highpri
 ms.date: 05/31/2023
 ms.topic: article
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
+++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
@ -2,7 +2,8 @@ items:
  - name: Microsoft Defender Antivirus 🔗
    href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
  - name: Configuring LSA Protection
-    href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
+    href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
    preserveContext: true
  - name: Attack surface reduction (ASR) 🔗
    href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
  - name: Tamper protection for MDE 🔗
--- a/windows/security/operating-system.md
+++ b/windows/security/operating-system.md
@ -1,41 +0,0 @@
 ---
 title: Windows operating system security
 description: Securing the operating system includes system security, encryption, network security, and threat protection.
 ms.reviewer: 
 ms.topic: article
 manager: aaroncz
 ms.author: paoloma
 author: paolomatarazzo
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.date: 09/21/2021
 ---
 # Windows operating system security
 Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
 Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
 Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.<br/><br/>
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.<br><br/> Learn more [Secure Boot and Trusted Boot](trusted-boot.md). |
 Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. <br><br/> Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md). <br/><br/>|
 Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. <br><br/> Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
 | Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers. <br/><br/> Learn more about [Encryption](encryption-data-protection.md). 
 | BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. <br/> <br/> Learn more about [BitLocker ](operating-system-security/data-protection/bitlocker/index.md). |
 | Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. <br> By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. <br/><br/> Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).|
 | S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. <br/><br/> Learn more about [S/MIME for Windows](operating-system-security/data-protection/configure-s-mime.md).|
 | Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. <br/><br/>Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.<br/><br/>Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
 | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. <br><br/>Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).<br/><br/>|
 | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. <br><br/> Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).<br/><br/>
 | Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on. <br/><br/>From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats.  Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).<br/><br/>Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.<br/><br/>Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| 
 | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.<br/><br/> Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
 | Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user's data, to install malware, or to otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.<br/><br/>With tamper protection, malware is prevented from taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling antivirus (such as IOfficeAntivirus (IOAV))<br/>- Disabling cloud-delivered protection<br/>- Removing security intelligence updates <br/><br/>Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | 
 | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses. <br/><br/>In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.<br/><br/> Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
 | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps' access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. <br/><br/>Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
 | Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. <br/><br/>You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.<br/><br/>Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | 
 | Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.<br/><br/>Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.<br/><br/>Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
--- a/Show More
+++ b/Show More