diff --git a/windows/security/threat-protection/images/simplified-sdl.png b/windows/security/threat-protection/images/simplified-sdl.png
new file mode 100644
index 0000000000..97c7448b8c
Binary files /dev/null and b/windows/security/threat-protection/images/simplified-sdl.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index f299d99657..7baa36b1a0 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,149 +1,51 @@
---
-title: Threat Protection (Windows 10)
-description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
-keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
+title: Windows threat protection
+description: Describes the security capabilities in Windows client focused on threat protection
+keywords: threat protection, Microsoft Defender Antivirus, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: dansimp
+author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.technology: mde
+ms.technology: windows-sec
---
-# Threat Protection
+# Windows threat protection
**Applies to:**
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
+- Windows 10
+- Windows 11
-[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud.
-**Applies to:**
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+## Windows threat protection
-> [!TIP]
-> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](/enterprise-mobility-security/remote-work/).
+See the following articles to learn more about the different areas of Windows threat protection:
-Microsoft Defender for Endpoint
-
-
-
-
-
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
-
-**[Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-
-- [Threat & vulnerability management overview](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
-- [Get started](/microsoft-365/security/defender-endpoint/tvm-prerequisites)
-- [Access your security posture](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights)
-- [Improve your security posture and reduce risk](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
-- [Understand vulnerabilities on your devices](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
-
-
-
-**[Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
-
-- [Hardware based isolation](/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation)
-- [Application control](windows-defender-application-control/windows-defender-application-control.md)
-- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+- [Microsoft Defender Application Guard](\windows\security\threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md)
+- [Virtualization-based protection of code integrity](\windows\security\threat-protection\device-guard\enable-virtualization-based-protection-of-code-integrity.md)
+- [Application control](/windows-defender-application-control/windows-defender-application-control.md)
+- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
- [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)
- [Network protection](/microsoft-365/security/defender-endpoint/network-protection), [web protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
+- [Microsoft Defender SmartScreen](\windows\security\threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-overview.md)
- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
- [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
+- [Windows Sandbox](\windows\security\threat-protection\windows-sandbox\windows-sandbox-overview.md)
-
-
-**[Next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
+### Next-generation protection
+Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time.
- [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
- [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus)
- [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus)
- [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)
-- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
-
-
-
-**[Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections.
-
-- [Alerts](/microsoft-365/security/defender-endpoint/alerts-queue)
-- [Historical endpoint data](/microsoft-365/security/defender-endpoint/investigate-machines#timeline)
-- [Response orchestration](/microsoft-365/security/defender-endpoint/respond-machine-alerts)
-- [Forensic collection](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
-- [Threat intelligence](/microsoft-365/security/defender-endpoint/threat-indicator-concepts)
-- [Advanced detonation and analysis service](/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis)
-- [Advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview)
- - [Custom detections](/microsoft-365/security/defender-endpoint/overview-custom-detections)
-
-
-
-**[Automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)**
-In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-
-- [Get an overview of automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)
-- [Learn about automation levels](/microsoft-365/security/defender-endpoint/automation-levels)
-- [Configure automated investigation and remediation in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation)
-- [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center)
-- [Review remediation actions following an automated investigation](/microsoft-365/security/defender-endpoint/manage-auto-investigation)
-
-
-
-**[Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
-Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
-
-- [Targeted attack notification](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
-- [Experts-on-demand](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
-- [Configure your Microsoft 365 Defender managed hunting service](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts)
-
-
-
-**[Centralized configuration and administration, APIs](/microsoft-365/security/defender-endpoint/management-apis)**
-Integrate Microsoft Defender for Endpoint into your existing workflows.
-- [Onboarding](/microsoft-365/security/defender-endpoint/onboard-configure)
-- [API and SIEM integration](/microsoft-365/security/defender-endpoint/configure-siem)
-- [Exposed APIs](/microsoft-365/security/defender-endpoint/apis-intro)
-- [Role-based access control (RBAC)](/microsoft-365/security/defender-endpoint/rbac)
-- [Reporting and trends](/microsoft-365/security/defender-endpoint/threat-protection-reports)
-
-
-**[Integration with Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration)**
- Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
-- Intune
-- Microsoft Defender for Office 365
-- Microsoft Defender for Identity
-- Azure Defender
-- Skype for Business
-- Microsoft Cloud App Security
-
-
-**[Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
\ No newline at end of file
+- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
\ No newline at end of file
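Review bot: the four added links for Microsoft Defender Application Guard, Virtualization-based protection of code integrity, Microsoft Defender SmartScreen and Windows Sandbox use backslash-separated absolute repo paths (`\windows\security\threat-protection\...\md-app-guard-overview.md`), which do not resolve as Markdown links; use forward-slash relative paths in the style of the existing `windows-firewall/windows-firewall-with-advanced-security.md` entry, for example `microsoft-defender-application-guard/md-app-guard-overview.md`. The Application control link also gained a leading slash (`/windows-defender-application-control/windows-defender-application-control.md`), which turns the relative link into a site-root link; the removed line used the relative form `windows-defender-application-control/windows-defender-application-control.md`. Minor: the file still ends without a trailing newline.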
diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml
deleted file mode 100644
index 78fea4eba3..0000000000
--- a/windows/security/threat-protection/intelligence/TOC.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: Security intelligence
- href: index.md
- items:
- - name: Understand malware & other threats
- href: understanding-malware.md
- items:
- - name: Coin miners
- href: coinminer-malware.md
- - name: Exploits and exploit kits
- href: exploits-malware.md
- - name: Fileless threats
- href: fileless-threats.md
- - name: Macro malware
- href: macro-malware.md
- - name: Phishing attacks
- href: phishing.md
- items:
- - name: Phishing trends and techniques
- href: phishing-trends.md
- - name: Ransomware
- href: /security/compass/human-operated-ransomware
- - name: Rootkits
- href: rootkits-malware.md
- - name: Supply chain attacks
- href: supply-chain-malware.md
- - name: Tech support scams
- href: support-scams.md
- - name: Trojans
- href: trojans-malware.md
- - name: Unwanted software
- href: unwanted-software.md
- - name: Worms
- href: worms-malware.md
- - name: Prevent malware infection
- href: prevent-malware-infection.md
- - name: Malware naming convention
- href: malware-naming.md
- - name: How Microsoft identifies malware and PUA
- href: criteria.md
- - name: Submit files for analysis
- href: submission-guide.md
- - name: Troubleshoot malware submission
- href: portal-submission-troubleshooting.md
- - name: Safety Scanner download
- href: safety-scanner-download.md
- - name: Industry collaboration programs
- href: cybersecurity-industry-partners.md
- items:
- - name: Virus information alliance
- href: virus-information-alliance-criteria.md
- - name: Microsoft virus initiative
- href: virus-initiative-criteria.md
- - name: Coordinated malware eradication
- href: coordinated-malware-eradication.md
- - name: Information for developers
- items:
- - name: Software developer FAQ
- href: developer-faq.yml
- - name: Software developer resources
- href: developer-resources.md
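Review bot: deleting intelligence/TOC.yml removes the navigation for the security-intelligence articles (understanding-malware.md, phishing.md, criteria.md, submission-guide.md and the rest), but nothing in this hunk removes, moves or redirects those files; confirm they are relocated elsewhere in this change or add redirect entries so the existing URLs do not break.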
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 83a6f5e00b..a12edb4f83 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -9,7 +9,7 @@ ms.author: dansimp
author: dansimp
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: other
---
# What is Microsoft Baseline Security Analyzer and its uses?
diff --git a/windows/security/threat-protection/microsoft-bug-bounty-program.md b/windows/security/threat-protection/microsoft-bug-bounty-program.md
new file mode 100644
index 0000000000..7dcc6cdd7f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-bug-bounty-program.md
@@ -0,0 +1,22 @@
+---
+title: About the Microsoft Bug Bounty Program
+description: If you are a security researcher, you can get a reward for reporting a vulnerability in a Microsoft product, service, or device.
+ms.prod: m365-security
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.reviewer:
+ms.technology: other
+---
+
+# About the Microsoft Bug Bounty Program
+
+Are you a security researcher? Did you find a vulnerability in a Microsoft product, service, or device? If so, we want to hear from you!
+
+If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.
+
+Visit the [Microsoft Bug Bounty Program site](https://www.microsoft.com/en-us/msrc/bounty?rtc=1) for all the details!
\ No newline at end of file
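Review bot: the new file ends without a trailing newline (the `\ No newline at end of file` marker); add one. The `ms.collection: M365-identity-device-management` value differs from the `M365-security-compliance` collection used in the index.md front matter of the same folder; confirm which is intended. `ms.reviewer:` is left empty; either fill it or drop the key.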
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml
index ee887e168a..e235cf65ec 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml
@@ -3,13 +3,16 @@
items:
- name: System requirements
href: reqs-md-app-guard.md
- - name: Install WDAG
+ - name: Install Application Guard
href: install-md-app-guard.md
- - name: Configure WDAG policies
+ - name: Configure Application Guard policies
href: configure-md-app-guard.md
- name: Test scenarios
href: test-scenarios-md-app-guard.md
- name: Microsoft Defender Application Guard Extension
href: md-app-guard-browser-extension.md
- - name: FAQ
+ - name: Application Guard FAQ
href: faq-md-app-guard.yml
+- name: Windows security
+ href: /windows/security/
+
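Review bot: the last added line is an empty line after the `Windows security` entry; drop it so the TOC ends with a single newline rather than a blank line.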
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 9ad53a26f5..c0d45b5bad 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -9,7 +9,7 @@ metadata:
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
- ms.date: 07/23/2021
+ ms.date: 09/29/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -217,6 +217,16 @@ sections:
Policy: Allow installation of devices using drivers that match these device setup classes
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
+ - question: |
+ I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this?
+ answer: |
+ WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps:
+
+ 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
+
+ 2. Reboot the device.
+
+
additionalContent: |
## See also
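Review bot: the registry step should be written in the form readers will actually use: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat` is the kernel object path, whereas someone using regedit or `reg add` needs `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winnat`, and the step should say the `FragmentAware` DWORD must be created if it does not already exist rather than only "ensure" it is set to 1. The question refers to TCP fragmentation while the answer describes WinNAT dropping ICMP/UDP packets larger than the MTU; align the wording so readers can match the symptom to the fix. The two trailing blank lines before `additionalContent:` can be collapsed to one.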
diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md
new file mode 100644
index 0000000000..c16994d574
--- /dev/null
+++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft Security Development Lifecycle
+description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development.
+ms.prod: m365-security
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.reviewer:
+ms.technology: other
+---
+
+# Microsoft Security Development Lifecycle
+
+The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
+
+[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl)
+
+Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process.
+
+The Microsoft SDL is based on three core concepts:
+- Education
+- Continuous process improvement
+- Accountability
+
+To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl).
+
+And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://go.microsoft.com/?linkid=9708425).
\ No newline at end of file
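Review bot: the file ends without a trailing newline; add one. "And, download the ..." reads awkwardly as a sentence opener; "You can also download the ..." is cleaner. The `:::image:::` directive wrapped inside a Markdown link is an unusual combination; confirm the docs build renders it as a clickable image rather than literal directive text.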
diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml
new file mode 100644
index 0000000000..1ddc477ef1
--- /dev/null
+++ b/windows/security/threat-protection/security-policy-settings/TOC.yml
@@ -0,0 +1,351 @@
+ - name: Security policy settings
+ href: security-policy-settings.md
+ items:
+ - name: Administer security policy settings
+ href: administer-security-policy-settings.md
+ items:
+ - name: Network List Manager policies
+ href: network-list-manager-policies.md
+ - name: Configure security policy settings
+ href: how-to-configure-security-policy-settings.md
+ - name: Security policy settings reference
+ href: security-policy-settings-reference.md
+ items:
+ - name: Account Policies
+ href: account-policies.md
+ items:
+ - name: Password Policy
+ href: password-policy.md
+ items:
+ - name: Enforce password history
+ href: enforce-password-history.md
+ - name: Maximum password age
+ href: maximum-password-age.md
+ - name: Minimum password age
+ href: minimum-password-age.md
+ - name: Minimum password length
+ href: minimum-password-length.md
+ - name: Password must meet complexity requirements
+ href: password-must-meet-complexity-requirements.md
+ - name: Store passwords using reversible encryption
+ href: store-passwords-using-reversible-encryption.md
+ - name: Account Lockout Policy
+ href: account-lockout-policy.md
+ items:
+ - name: Account lockout duration
+ href: account-lockout-duration.md
+ - name: Account lockout threshold
+ href: account-lockout-threshold.md
+ - name: Reset account lockout counter after
+ href: reset-account-lockout-counter-after.md
+ - name: Kerberos Policy
+ href: kerberos-policy.md
+ items:
+ - name: Enforce user logon restrictions
+ href: enforce-user-logon-restrictions.md
+ - name: Maximum lifetime for service ticket
+ href: maximum-lifetime-for-service-ticket.md
+ - name: Maximum lifetime for user ticket
+ href: maximum-lifetime-for-user-ticket.md
+ - name: Maximum lifetime for user ticket renewal
+ href: maximum-lifetime-for-user-ticket-renewal.md
+ - name: Maximum tolerance for computer clock synchronization
+ href: maximum-tolerance-for-computer-clock-synchronization.md
+ - name: Audit Policy
+ href: audit-policy.md
+ - name: Security Options
+ href: security-options.md
+ items:
+ - name: "Accounts: Administrator account status"
+ href: accounts-administrator-account-status.md
+ - name: "Accounts: Block Microsoft accounts"
+ href: accounts-block-microsoft-accounts.md
+ - name: "Accounts: Guest account status"
+ href: accounts-guest-account-status.md
+ - name: "Accounts: Limit local account use of blank passwords to console logon only"
+ href: accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+ - name: "Accounts: Rename administrator account"
+ href: accounts-rename-administrator-account.md
+ - name: "Accounts: Rename guest account"
+ href: accounts-rename-guest-account.md
+ - name: "Audit: Audit the access of global system objects"
+ href: audit-audit-the-access-of-global-system-objects.md
+ - name: "Audit: Audit the use of Backup and Restore privilege"
+ href: audit-audit-the-use-of-backup-and-restore-privilege.md
+ - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
+ href: audit-force-audit-policy-subcategory-settings-to-override.md
+ - name: "Audit: Shut down system immediately if unable to log security audits"
+ href: audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+ - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax"
+ href: dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+ - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax"
+ href: dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+ - name: "Devices: Allow undock without having to log on"
+ href: devices-allow-undock-without-having-to-log-on.md
+ - name: "Devices: Allowed to format and eject removable media"
+ href: devices-allowed-to-format-and-eject-removable-media.md
+ - name: "Devices: Prevent users from installing printer drivers"
+ href: devices-prevent-users-from-installing-printer-drivers.md
+ - name: "Devices: Restrict CD-ROM access to locally logged-on user only"
+ href: devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+ - name: "Devices: Restrict floppy access to locally logged-on user only"
+ href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md
+ - name: "Domain controller: Allow server operators to schedule tasks"
+ href: domain-controller-allow-server-operators-to-schedule-tasks.md
+ - name: "Domain controller: LDAP server signing requirements"
+ href: domain-controller-ldap-server-signing-requirements.md
+ - name: "Domain controller: Refuse machine account password changes"
+ href: domain-controller-refuse-machine-account-password-changes.md
+ - name: "Domain member: Digitally encrypt or sign secure channel data (always)"
+ href: domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
+ - name: "Domain member: Digitally encrypt secure channel data (when possible)"
+ href: domain-member-digitally-encrypt-secure-channel-data-when-possible.md
+ - name: "Domain member: Digitally sign secure channel data (when possible)"
+ href: domain-member-digitally-sign-secure-channel-data-when-possible.md
+ - name: "Domain member: Disable machine account password changes"
+ href: domain-member-disable-machine-account-password-changes.md
+ - name: "Domain member: Maximum machine account password age"
+ href: domain-member-maximum-machine-account-password-age.md
+ - name: "Domain member: Require strong (Windows 2000 or later) session key"
+ href: domain-member-require-strong-windows-2000-or-later-session-key.md
+ - name: "Interactive logon: Display user information when the session is locked"
+ href: interactive-logon-display-user-information-when-the-session-is-locked.md
+ - name: "Interactive logon: Don't display last signed-in"
+ href: interactive-logon-do-not-display-last-user-name.md
+ - name: "Interactive logon: Don't display username at sign-in"
+ href: interactive-logon-dont-display-username-at-sign-in.md
+ - name: "Interactive logon: Do not require CTRL+ALT+DEL"
+ href: interactive-logon-do-not-require-ctrl-alt-del.md
+ - name: "Interactive logon: Machine account lockout threshold"
+ href: interactive-logon-machine-account-lockout-threshold.md
+ - name: "Interactive logon: Machine inactivity limit"
+ href: interactive-logon-machine-inactivity-limit.md
+ - name: "Interactive logon: Message text for users attempting to log on"
+ href: interactive-logon-message-text-for-users-attempting-to-log-on.md
+ - name: "Interactive logon: Message title for users attempting to log on"
+ href: interactive-logon-message-title-for-users-attempting-to-log-on.md
+ - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
+ href: interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+ - name: "Interactive logon: Prompt user to change password before expiration"
+ href: interactive-logon-prompt-user-to-change-password-before-expiration.md
+ - name: "Interactive logon: Require Domain Controller authentication to unlock workstation"
+ href: interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
+ - name: "Interactive logon: Require smart card"
+ href: interactive-logon-require-smart-card.md
+ - name: "Interactive logon: Smart card removal behavior"
+ href: interactive-logon-smart-card-removal-behavior.md
+ - name: "Microsoft network client: Digitally sign communications (always)"
+ href: microsoft-network-client-digitally-sign-communications-always.md
+ - name: "SMBv1 Microsoft network client: Digitally sign communications (always)"
+ href: smbv1-microsoft-network-client-digitally-sign-communications-always.md
+ - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)"
+ href: smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
+ - name: "Microsoft network client: Send unencrypted password to third-party SMB servers"
+ href: microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+ - name: "Microsoft network server: Amount of idle time required before suspending session"
+ href: microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+ - name: "Microsoft network server: Attempt S4U2Self to obtain claim information"
+ href: microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+ - name: "Microsoft network server: Digitally sign communications (always)"
+ href: microsoft-network-server-digitally-sign-communications-always.md
+ - name: "SMBv1 Microsoft network server: Digitally sign communications (always)"
+ href: smbv1-microsoft-network-server-digitally-sign-communications-always.md
+ - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)"
+ href: smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
+ - name: "Microsoft network server: Disconnect clients when logon hours expire"
+ href: microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+ - name: "Microsoft network server: Server SPN target name validation level"
+ href: microsoft-network-server-server-spn-target-name-validation-level.md
+ - name: "Network access: Allow anonymous SID/Name translation"
+ href: network-access-allow-anonymous-sidname-translation.md
+ - name: "Network access: Do not allow anonymous enumeration of SAM accounts"
+ href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
+ - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
+ href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
+ - name: "Network access: Do not allow storage of passwords and credentials for network authentication"
+ href: network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+ - name: "Network access: Let Everyone permissions apply to anonymous users"
+ href: network-access-let-everyone-permissions-apply-to-anonymous-users.md
+ - name: "Network access: Named Pipes that can be accessed anonymously"
+ href: network-access-named-pipes-that-can-be-accessed-anonymously.md
+ - name: "Network access: Remotely accessible registry paths"
+ href: network-access-remotely-accessible-registry-paths.md
+ - name: "Network access: Remotely accessible registry paths and subpaths"
+ href: network-access-remotely-accessible-registry-paths-and-subpaths.md
+ - name: "Network access: Restrict anonymous access to Named Pipes and Shares"
+ href: network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+ - name: "Network access: Restrict clients allowed to make remote calls to SAM"
+ href: network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+ - name: "Network access: Shares that can be accessed anonymously"
+ href: network-access-shares-that-can-be-accessed-anonymously.md
+ - name: "Network access: Sharing and security model for local accounts"
+ href: network-access-sharing-and-security-model-for-local-accounts.md
+ - name: "Network security: Allow Local System to use computer identity for NTLM"
+ href: network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+ - name: "Network security: Allow LocalSystem NULL session fallback"
+ href: network-security-allow-localsystem-null-session-fallback.md
+ - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities"
+ href: network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+ - name: "Network security: Configure encryption types allowed for Kerberos"
+ href: network-security-configure-encryption-types-allowed-for-kerberos.md
+ - name: "Network security: Do not store LAN Manager hash value on next password change"
+ href: network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
+ - name: "Network security: Force logoff when logon hours expire"
+ href: network-security-force-logoff-when-logon-hours-expire.md
+ - name: "Network security: LAN Manager authentication level"
+ href: network-security-lan-manager-authentication-level.md
+ - name: "Network security: LDAP client signing requirements"
+ href: network-security-ldap-client-signing-requirements.md
+ - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+ href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+ - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+ href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+ - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication"
+ href: network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
+ - name: "Network security: Restrict NTLM: Add server exceptions in this domain"
+ href: network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
+ - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic"
+ href: network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
+ - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain"
+ href: network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+ - name: "Network security: Restrict NTLM: Incoming NTLM traffic"
+ href: network-security-restrict-ntlm-incoming-ntlm-traffic.md
+ - name: "Network security: Restrict NTLM: NTLM authentication in this domain"
+ href: network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+ - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
+ href: network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+ - name: "Recovery console: Allow automatic administrative logon"
+ href: recovery-console-allow-automatic-administrative-logon.md
+ - name: "Recovery console: Allow floppy copy and access to all drives and folders"
+ href: recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+ - name: "Shutdown: Allow system to be shut down without having to log on"
+ href: shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
+ - name: "Shutdown: Clear virtual memory pagefile"
+ href: shutdown-clear-virtual-memory-pagefile.md
+ - name: "System cryptography: Force strong key protection for user keys stored on the computer"
+ href: system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+ - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
+ href: system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+ - name: "System objects: Require case insensitivity for non-Windows subsystems"
+ href: system-objects-require-case-insensitivity-for-non-windows-subsystems.md
+ - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)"
+ href: system-objects-strengthen-default-permissions-of-internal-system-objects.md
+ - name: "System settings: Optional subsystems"
+ href: system-settings-optional-subsystems.md
+ - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies"
+ href: system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
+ - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account"
+ href: user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+ - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
+ href: user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+ - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+ href: user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+ - name: "User Account Control: Behavior of the elevation prompt for standard users"
+ href: user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+ - name: "User Account Control: Detect application installations and prompt for elevation"
+ href: user-account-control-detect-application-installations-and-prompt-for-elevation.md
+ - name: "User Account Control: Only elevate executables that are signed and validated"
+ href: user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+ - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations"
+ href: user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+ - name: "User Account Control: Run all administrators in Admin Approval Mode"
+ href: user-account-control-run-all-administrators-in-admin-approval-mode.md
+ - name: "User Account Control: Switch to the secure desktop when prompting for elevation"
+ href: user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+ - name: "User Account Control: Virtualize file and registry write failures to per-user locations"
+ href: user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+ - name: Advanced security audit policy settings
+ href: secpol-advanced-security-audit-policy-settings.md
+ - name: User Rights Assignment
+ href: user-rights-assignment.md
+ items:
+ - name: Access Credential Manager as a trusted caller
+ href: access-credential-manager-as-a-trusted-caller.md
+ - name: Access this computer from the network
+ href: access-this-computer-from-the-network.md
+ - name: Act as part of the operating system
+ href: act-as-part-of-the-operating-system.md
+ - name: Add workstations to domain
+ href: add-workstations-to-domain.md
+ - name: Adjust memory quotas for a process
+ href: adjust-memory-quotas-for-a-process.md
+ - name: Allow log on locally
+ href: allow-log-on-locally.md
+ - name: Allow log on through Remote Desktop Services
+ href: allow-log-on-through-remote-desktop-services.md
+ - name: Back up files and directories
+ href: back-up-files-and-directories.md
+ - name: Bypass traverse checking
+ href: bypass-traverse-checking.md
+ - name: Change the system time
+ href: change-the-system-time.md
+ - name: Change the time zone
+ href: change-the-time-zone.md
+ - name: Create a pagefile
+ href: create-a-pagefile.md
+ - name: Create a token object
+ href: create-a-token-object.md
+ - name: Create global objects
+ href: create-global-objects.md
+ - name: Create permanent shared objects
+ href: create-permanent-shared-objects.md
+ - name: Create symbolic links
+ href: create-symbolic-links.md
+ - name: Debug programs
+ href: debug-programs.md
+ - name: Deny access to this computer from the network
+ href: deny-access-to-this-computer-from-the-network.md
+ - name: Deny log on as a batch job
+ href: deny-log-on-as-a-batch-job.md
+ - name: Deny log on as a service
+ href: deny-log-on-as-a-service.md
+ - name: Deny log on locally
+ href: deny-log-on-locally.md
+ - name: Deny log on through Remote Desktop Services
+ href: deny-log-on-through-remote-desktop-services.md
+ - name: Enable computer and user accounts to be trusted for delegation
+ href: enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+ - name: Force shutdown from a remote system
+ href: force-shutdown-from-a-remote-system.md
+ - name: Generate security audits
+ href: generate-security-audits.md
+ - name: Impersonate a client after authentication
+ href: impersonate-a-client-after-authentication.md
+ - name: Increase a process working set
+ href: increase-a-process-working-set.md
+ - name: Increase scheduling priority
+ href: increase-scheduling-priority.md
+ - name: Load and unload device drivers
+ href: load-and-unload-device-drivers.md
+ - name: Lock pages in memory
+ href: lock-pages-in-memory.md
+ - name: Log on as a batch job
+ href: log-on-as-a-batch-job.md
+ - name: Log on as a service
+ href: log-on-as-a-service.md
+ - name: Manage auditing and security log
+ href: manage-auditing-and-security-log.md
+ - name: Modify an object label
+ href: modify-an-object-label.md
+ - name: Modify firmware environment values
+ href: modify-firmware-environment-values.md
+ - name: Perform volume maintenance tasks
+ href: perform-volume-maintenance-tasks.md
+ - name: Profile single process
+ href: profile-single-process.md
+ - name: Profile system performance
+ href: profile-system-performance.md
+ - name: Remove computer from docking station
+ href: remove-computer-from-docking-station.md
+ - name: Replace a process level token
+ href: replace-a-process-level-token.md
+ - name: Restore files and directories
+ href: restore-files-and-directories.md
+ - name: Shut down the system
+ href: shut-down-the-system.md
+ - name: Synchronize directory service data
+ href: synchronize-directory-service-data.md
+ - name: Take ownership of files or other objects
+ href: take-ownership-of-files-or-other-objects.md
+ - name: Windows security
+ href: /windows/security/
\ No newline at end of file
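Review bot: the file ends without a trailing newline (the `\ No newline at end of file` marker after the `href: /windows/security/` entry), while the WDAC TOC.yml in this same patch gains a blank line at its end; pick one convention so the next touch to either file does not produce a spurious whole-line diff. Also confirm that the new top-level `Windows security` back-link sits at the same nesting level as the other top-level entries and has not been indented under `User Rights Assignment`, since the rendered patch does not show the indentation and a mis-nested back-link would appear as the last user right in the tree.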
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 2a9d13497a..6e2bbdd64b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -1,5 +1,8 @@
- name: Application Control for Windows
+ href: index.yml
+- name: About application control for Windows
href: windows-defender-application-control.md
+ expanded: true
items:
- name: WDAC and AppLocker Overview
href: wdac-and-applocker-overview.md
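Review bot: with `Application Control for Windows` now pointing at `index.yml` and a new `About application control for Windows` node carrying `expanded: true`, check that the `items:` list that follows is indented under the new About node rather than under the landing-page node; otherwise the landing page silently acquires the whole tree as its children and the About node becomes a leaf. `expanded: true` on a node with a subtree this large also opens it by default for every visitor, which should be a deliberate choice rather than a side effect of the move.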
@@ -292,3 +295,6 @@
href: applocker\using-event-viewer-with-applocker.md
- name: AppLocker Settings
href: applocker\applocker-settings.md
+- name: Windows security
+ href: /windows/security/
+
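Review bot: the hunk adds an empty `+` line after the `Windows security` entry, leaving the file with a trailing blank line; drop it (or, if a trailing newline is the intended convention, add one to the other TOC in this patch as well). The surrounding context lines use backslashes in `applocker\using-event-viewer-with-applocker.md` and `applocker\applocker-settings.md`; TOC hrefs should use forward slashes, which resolve on every build host, and since the AppLocker sub-TOC is deleted in this same patch these are now the only paths into that folder.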
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml
deleted file mode 100644
index b796c0e95e..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: AppLocker
- href: applocker-overview.md
- items:
- - name: Administer AppLocker
- href: administer-applocker.md
- items:
- - name: Maintain AppLocker policies
- href: maintain-applocker-policies.md
- - name: Edit an AppLocker policy
- href: edit-an-applocker-policy.md
- - name: Test and update an AppLocker policy
- href: test-and-update-an-applocker-policy.md
- - name: Deploy AppLocker policies by using the enforce rules setting
- href: deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- - name: Use the AppLocker Windows PowerShell cmdlets
- href: use-the-applocker-windows-powershell-cmdlets.md
- - name: Use AppLocker and Software Restriction Policies in the same domain
- href: use-applocker-and-software-restriction-policies-in-the-same-domain.md
- - name: Optimize AppLocker performance
- href: optimize-applocker-performance.md
- - name: Monitor app usage with AppLocker
- href: monitor-application-usage-with-applocker.md
- - name: Manage packaged apps with AppLocker
- href: manage-packaged-apps-with-applocker.md
- - name: Working with AppLocker rules
- href: working-with-applocker-rules.md
- items:
- - name: Create a rule that uses a file hash condition
- href: create-a-rule-that-uses-a-file-hash-condition.md
- - name: Create a rule that uses a path condition
- href: create-a-rule-that-uses-a-path-condition.md
- - name: Create a rule that uses a publisher condition
- href: create-a-rule-that-uses-a-publisher-condition.md
- - name: Create AppLocker default rules
- href: create-applocker-default-rules.md
- - name: Add exceptions for an AppLocker rule
- href: configure-exceptions-for-an-applocker-rule.md
- - name: Create a rule for packaged apps
- href: create-a-rule-for-packaged-apps.md
- - name: Delete an AppLocker rule
- href: delete-an-applocker-rule.md
- - name: Edit AppLocker rules
- href: edit-applocker-rules.md
- - name: Enable the DLL rule collection
- href: enable-the-dll-rule-collection.md
- - name: Enforce AppLocker rules
- href: enforce-applocker-rules.md
- - name: Run the Automatically Generate Rules wizard
- href: run-the-automatically-generate-rules-wizard.md
- - name: Working with AppLocker policies
- href: working-with-applocker-policies.md
- items:
- - name: Configure the Application Identity service
- href: configure-the-application-identity-service.md
- - name: Configure an AppLocker policy for audit only
- href: configure-an-applocker-policy-for-audit-only.md
- - name: Configure an AppLocker policy for enforce rules
- href: configure-an-applocker-policy-for-enforce-rules.md
- - name: Display a custom URL message when users try to run a blocked app
- href: display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
- - name: Export an AppLocker policy from a GPO
- href: export-an-applocker-policy-from-a-gpo.md
- - name: Export an AppLocker policy to an XML file
- href: export-an-applocker-policy-to-an-xml-file.md
- - name: Import an AppLocker policy from another computer
- href: import-an-applocker-policy-from-another-computer.md
- - name: Import an AppLocker policy into a GPO
- href: import-an-applocker-policy-into-a-gpo.md
- - name: Add rules for packaged apps to existing AppLocker rule-set
- href: add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
- - name: Merge AppLocker policies by using Set-ApplockerPolicy
- href: merge-applocker-policies-by-using-set-applockerpolicy.md
- - name: Merge AppLocker policies manually
- href: merge-applocker-policies-manually.md
- - name: Refresh an AppLocker policy
- href: refresh-an-applocker-policy.md
- - name: Test an AppLocker policy by using Test-AppLockerPolicy
- href: test-an-applocker-policy-by-using-test-applockerpolicy.md
- - name: AppLocker design guide
- href: applocker-policies-design-guide.md
- items:
- - name: Understand AppLocker policy design decisions
- href: understand-applocker-policy-design-decisions.md
- - name: Determine your application control objectives
- href: determine-your-application-control-objectives.md
- - name: Create a list of apps deployed to each business group
- href: create-list-of-applications-deployed-to-each-business-group.md
- items:
- - name: Document your app list
- href: document-your-application-list.md
- - name: Select the types of rules to create
- href: select-types-of-rules-to-create.md
- items:
- - name: Document your AppLocker rules
- href: document-your-applocker-rules.md
- - name: Determine the Group Policy structure and rule enforcement
- href: determine-group-policy-structure-and-rule-enforcement.md
- items:
- - name: Understand AppLocker enforcement settings
- href: understand-applocker-enforcement-settings.md
- - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
- href: understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
- - name: Document the Group Policy structure and AppLocker rule enforcement
- href: document-group-policy-structure-and-applocker-rule-enforcement.md
- - name: Plan for AppLocker policy management
- href: plan-for-applocker-policy-management.md
- - name: AppLocker deployment guide
- href: applocker-policies-deployment-guide.md
- items:
- - name: Understand the AppLocker policy deployment process
- href: understand-the-applocker-policy-deployment-process.md
- - name: Requirements for Deploying AppLocker Policies
- href: requirements-for-deploying-applocker-policies.md
- - name: Use Software Restriction Policies and AppLocker policies
- href: using-software-restriction-policies-and-applocker-policies.md
- - name: Create Your AppLocker policies
- href: create-your-applocker-policies.md
- items:
- - name: Create Your AppLocker rules
- href: create-your-applocker-rules.md
- - name: Deploy the AppLocker policy into production
- href: deploy-the-applocker-policy-into-production.md
- items:
- - name: Use a reference device to create and maintain AppLocker policies
- href: use-a-reference-computer-to-create-and-maintain-applocker-policies.md
- - name: Determine which apps are digitally signed on a reference device
- href: determine-which-applications-are-digitally-signed-on-a-reference-computer.md
- - name: Configure the AppLocker reference device
- href: configure-the-appLocker-reference-device.md
- - name: AppLocker technical reference
- href: applocker-technical-reference.md
- items:
- - name: What Is AppLocker?
- href: what-is-applocker.md
- - name: Requirements to use AppLocker
- href: requirements-to-use-applocker.md
- - name: AppLocker policy use scenarios
- href: applocker-policy-use-scenarios.md
- - name: How AppLocker works
- href: how-applocker-works-techref.md
- items:
- - name: Understanding AppLocker rule behavior
- href: understanding-applocker-rule-behavior.md
- - name: Understanding AppLocker rule exceptions
- href: understanding-applocker-rule-exceptions.md
- - name: Understanding AppLocker rule collections
- href: understanding-applocker-rule-collections.md
- - name: Understanding AppLocker allow and deny actions on rules
- href: understanding-applocker-allow-and-deny-actions-on-rules.md
- - name: Understanding AppLocker rule condition types
- href: understanding-applocker-rule-condition-types.md
- items:
- - name: Understanding the publisher rule condition in AppLocker
- href: understanding-the-publisher-rule-condition-in-applocker.md
- - name: Understanding the path rule condition in AppLocker
- href: understanding-the-path-rule-condition-in-applocker.md
- - name: Understanding the file hash rule condition in AppLocker
- href: understanding-the-file-hash-rule-condition-in-applocker.md
- - name: Understanding AppLocker default rules
- href: understanding-applocker-default-rules.md
- items:
- - name: Executable rules in AppLocker
- href: executable-rules-in-applocker.md
- - name: Windows Installer rules in AppLocker
- href: windows-installer-rules-in-applocker.md
- - name: Script rules in AppLocker
- href: script-rules-in-applocker.md
- - name: DLL rules in AppLocker
- href: dll-rules-in-applocker.md
- - name: Packaged apps and packaged app installer rules in AppLocker
- href: packaged-apps-and-packaged-app-installer-rules-in-applocker.md
- - name: AppLocker architecture and components
- href: applocker-architecture-and-components.md
- - name: AppLocker processes and interactions
- href: applocker-processes-and-interactions.md
- - name: AppLocker functions
- href: applocker-functions.md
- - name: Security considerations for AppLocker
- href: security-considerations-for-applocker.md
- - name: Tools to Use with AppLocker
- href: tools-to-use-with-applocker.md
- items:
- - name: Using Event Viewer with AppLocker
- href: using-event-viewer-with-applocker.md
- - name: AppLocker Settings
- href: applocker-settings.md
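Review bot: this removes the standalone AppLocker TOC in full, so every entry listed here (design guide, deployment guide, technical reference, the rule condition and default rule pages) must now be reachable from the parent WDAC TOC; the context lines in that file show only the tail (`applocker\using-event-viewer-with-applocker.md`, `applocker\applocker-settings.md`), so please confirm the rest of the tree, in particular `Security considerations for AppLocker`, `Configure the Application Identity service` and `Enable the DLL rule collection`, was carried over rather than dropped. Anything that still references `applocker/TOC.yml` (docfx.json, breadcrumb or redirect configuration) needs updating in the same change.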
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
new file mode 100644
index 0000000000..ef5892459f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -0,0 +1,117 @@
+### YamlMime:Landing
+
+title: Application Control for Windows
+metadata:
+ title: Application Control for Windows
+ description: Landing page for Windows Defender Application Control
+# services: service
+# ms.service: microsoft-WDAC-AppLocker
+# ms.subservice: Application-Control
+# ms.topic: landing-page
+# author: Kim Klein
+# ms.author: Jordan Geurten
+# manager: Jeffrey Sutherland
+# ms.update: 04/30/2021
+# linkListType: overview | how-to-guide | tutorial | video
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card
+ - title: Learn about Application Control
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: What is Windows Defender Application Control (WDAC)?
+ url: wdac-and-applocker-overview.md
+ - text: What is AppLocker?
+ url: applocker\applocker-overview.md
+ - text: WDAC and AppLocker feature availability
+ url: feature-availability.md
+ # Card
+ - title: Learn about Policy Design
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Using code signing to simplify application control
+ url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+ - text: Microsoft's Recommended Blocklist
+ url: microsoft-recommended-block-rules.md
+ - text: Microsoft's Recommended Driver Blocklist
+ url: microsoft-recommended-driver-block-rules.md
+ - text: Example WDAC policies
+ url: example-wdac-base-policies.md
+ - text: LOB Win32 apps on S Mode
+ url: LOB-win32-apps-on-s.md
+ - text: Managing multiple policies
+ url: deploy-multiple-windows-defender-application-control-policies.md
+ - linkListType: how-to-guide
+ links:
+ - text: Create a WDAC policy for a lightly managed device
+ url: create-wdac-policy-for-lightly-managed-devices.md
+ - text: Create a WDAC policy for a fully managed device
+ url: create-wdac-policy-for-fully-managed-devices.md
+ - text: Create a WDAC policy for a fixed-workload
+ url: create-initial-default-policy.md
+ - text: Deploying catalog files for WDAC management
+ url: deploy-catalog-files-to-support-windows-defender-application-control.md
+ - text: Using the WDAC Wizard
+ url: wdac-wizard.md
+ #- linkListType: Tutorial (videos)
+ # links:
+ # - text: Using the WDAC Wizard
+ # url: video md
+ # - text: Specifying custom values
+ # url: video md
+ # Card
+ - title: Learn about Policy Configuration
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Understanding policy and file rules
+ url: select-types-of-rules-to-create.md
+ - linkListType: how-to-guide
+ links:
+ - text: Allow managed installer and configure managed installer rules
+ url: configure-authorized-apps-deployed-with-a-managed-installer.md
+ - text: Allow reputable apps with ISG
+ url: use-windows-defender-application-control-with-intelligent-security-graph.md
+ - text: Managed MSIX and Appx Packaged Apps
+ url: manage-packaged-apps-with-windows-defender-application-control.md
+ - text: Allow com object registration
+ url: allow-com-object-registration-in-windows-defender-application-control-policy.md
+ - text: Manage plug-ins, add-ins and modules
+ url: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+ # Card
+ - title: Learn how to deploy WDAC Policies
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Using signed policies to protect against tampering
+ url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+ - text: Audit and enforce policies
+ url: audit-and-enforce-windows-defender-application-control-policies.md
+ - text: Disabling WDAC policies
+ url: disable-windows-defender-application-control-policies.md
+ - linkListType: tutorial
+ links:
+ - text: Deployment with MDM
+ url: deploy-windows-defender-application-control-policies-using-intune.md
+ - text: Deployment with MEMCM
+ url: deployment/deploy-wdac-policies-with-memcm.md
+ - text: Deployment with script and refresh policy
+ url: deployment/deploy-wdac-policies-with-script.md
+ - text: Deployment with Group Policy
+ url: deploy-windows-defender-application-control-policies-using-group-policy.md
+ # Card
+ - title: Learn how to monitor WDAC events
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Understanding event IDs
+ url: event-id-explanations.md
+ - text: Understanding event Tags
+ url: event-tag-explanations.md
+ - linkListType: how-to-guide
+ links:
+ - text: Querying events using advanced hunting
+ url: querying-application-control-events-centrally-using-advanced-hunting.md
\ No newline at end of file
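Review bot: the link text needs a pass before this ships: `Managed MSIX and Appx Packaged Apps` should read `Manage ...`, `Allow com object registration` should spell `COM`, `Create a WDAC policy for a fixed-workload` has a stray hyphen, and `LOB Win32 apps on S Mode` should match the product name `S mode`. The `What is AppLocker?` link uses a backslash (`applocker\applocker-overview.md`); use a forward slash like every other `url` in the file. The commented-out metadata block carries display names (`Kim Klein`, `Jordan Geurten`) where the schema expects GitHub and Microsoft aliases, and `ms.topic: landing-page` is commented out as well; either fill these in properly or remove the block so it is not mistaken for live metadata. The placeholder video list (`url: video md`) should stay commented until real targets exist, and the file is missing its trailing newline.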
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index ed1a7fe460..203ac733d5 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 04/30/2018
+ms.date:
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
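Review bot: `ms.date:` is left with an empty value here and in every other `wdsc-*.md` file in this patch; an empty value is not the same as omitting the key and can fail metadata validation or render as a blank published date. Either delete the key or set the real revision date.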
@@ -21,36 +21,36 @@ ms.technology: mde
**Applies to**
-- Windows 10, version 1803 and later
+- Windows 10
+- Windows 11
-
-The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following:
+The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
- [Microsoft Account](https://account.microsoft.com/account/faq)
- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md)
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
-You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
## Hide the Account protection section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
-This can only be done in Group Policy.
+You can only configure these settings by using Group Policy.
>[!IMPORTANT]
>### Requirements
>
>You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
5. Expand the tree to **Windows components > Windows Security > Account protection**.
-6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**.
+6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
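Review bot: `Applies to` is widened to `Windows 10` and `Windows 11`, but the `Requirements` callout still says `You must have Windows 10, version 1803 or later` and the link text still reads `Lock your Windows 10 PC automatically...`; keep the 1803 floor visible in `Applies to` (or state it once in the body) so the two do not contradict each other. The numbered steps run 1, 3, 5, 6, 7; Markdown renumbers them on render, but the source should be sequential. Suggest one extra sentence for administrators next to `You can also choose to hide the section`: the policy only hides the section in the Windows Security app, it does not change or lock the Windows Hello for Business, Microsoft account or automatic-lock settings it fronts, which still need their own policies.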
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index 544e90142e..acfa2cee01 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -11,17 +11,18 @@ ms.localizationpriority: medium
audience: ITPro
author: dansimp
ms.author: dansimp
-ms.date: 04/30/2018
+ms.date:
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
# App and browser control
**Applies to**
-- Windows 10, version 1703 and later
+- Windows 10
+- Windows 11
The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
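Review bot: same empty `ms.date:` as the other files. The `Applies to` list now includes Windows 11, but the only body line links to `/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview`, a path outside the `/windows/security/` tree that the new TOC back-links in this patch point to; check that the target still resolves or update it to the current SmartScreen location in the same change rather than relying on a redirect.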
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index 33a2c7d531..9f9932bc80 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -10,25 +10,18 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 09/13/2021
+ms.date:
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
# Customize the Windows Security app for your organization
**Applies to**
-- Windows 10, version 1709 and later
-
-**Audience**
-
-- Enterprise security administrators
-
-**Manageability available with**
-
-- Group Policy
+- Windows 10
+- Windows 11
You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
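Review bot: removing the `Audience` and `Manageability available with: Group Policy` blocks drops the one statement in the header that this customization is Group Policy only; if the body below the hunk does not already say so, carry it over as a sentence instead of losing it. Empty `ms.date:` as elsewhere in the patch.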
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 13fce0f2d5..3672d5c25a 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 04/30/2018
+ms.date:
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
@@ -21,7 +21,8 @@ ms.technology: mde
**Applies to**
-- Windows 10, version 1703 and later
+- Windows 10
+- Windows 11
The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
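Review bot: the `Applies to` list gains Windows 11, but the paragraph kept as context still says `related to the machine` and links to `deploy drivers during Windows 10 deployment`; wdsc-account-protection.md in this same patch replaced `machine` with `device`, so apply the same wording here, and the driver-deployment link text should not be Windows 10 specific if the page now covers Windows 11.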
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index f4d3053cd9..8526440bc9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -10,17 +10,18 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 10/02/2018
+ms.date:
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
# Device security
**Applies to**
-- Windows 10, version 1803 and later
+- Windows 10
+- Windows 11
The **Device security** section contains information and settings for built-in device security.
@@ -28,7 +29,7 @@ You can choose to hide the section from users of the machine. This can be useful
## Hide the Device security section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index 274c66bd66..a9e4a148c5 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 04/30/2018
+ms.date:
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
@@ -21,8 +21,8 @@ ms.technology: mde
**Applies to**
-- Windows 10, version 1703 and later
-
+- Windows 10
+- Windows 11
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments.
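Review bot: the unchanged context line still says "parents of a Windows 10 PC" while the Applies to list in this hunk now adds Windows 11; change it to "a Windows PC" (or "a Windows 10 or Windows 11 PC") so the body matches the new scope.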
@@ -33,7 +33,7 @@ In Windows 10, version 1709, the section can be hidden from users of the machine
## Hide the Family options section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 3a14dc7c26..924bcd1150 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -9,10 +9,10 @@ ms.sitesec: library
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 04/30/2018
+ms.date:
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
@@ -20,8 +20,8 @@ ms.technology: mde
**Applies to**
-- Windows 10, version 1703 and later
-
+- Windows 10
+- Windows 11
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 0a1389c07b..a58b61c3b1 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -10,25 +10,18 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 07/23/2020
+ms.date:
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
# Hide Windows Security app notifications
**Applies to**
-- Windows 10, version 1809 and above
-
-**Audience**
-
-- Enterprise security administrators
-
-**Manageability available with**
-
-- Group Policy
+- Windows 10
+- Windows 11
The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index 87960171d1..2d43e965ba 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -12,16 +12,15 @@ author: dansimp
ms.author: dansimp
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
-
# Virus and threat protection
**Applies to**
-- Windows 10, version 1703 and later
-
+- Windows 10
+- Windows 11
The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 30cc06c3d0..7f3ef48df0 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -22,19 +22,11 @@ ms.technology: mde
- Windows 10 in S mode, version 1803
-**Audience**
-
-- Enterprise security administrators
-
-**Manageability available with**
-
-- Microsoft Intune
-
Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software.
The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically.
-
+:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png":::
For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
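Review bot: the Applies to entry `- Windows 10 in S mode, version 1803` is left unchanged while every other page in this PR gains `- Windows 11`; confirm whether this page also covers Windows 11 in S mode and update it for consistency, or state explicitly that it is Windows 10 only. The removed "Manageability available with: Microsoft Intune" block was the only mention of how S mode devices are managed, so consider folding that into the body. Minor: the alt text reads "Screen shot", the usual form is "Screenshot".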
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index cb27db7bfd..7d0a3187b2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -11,14 +11,15 @@ author: dansimp
ms.author: dansimp
ms.reviewer:
manager: dansimp
-ms.technology: mde
+ms.technology: windows-sec
---
# The Windows Security app
**Applies to**
-- Windows 10, version 1703 and later
+- Windows 10
+- Windows 11
This library describes the Windows Security app, and provides information on configuring certain features, including:
diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml
index efaa07fa4e..ca84e461a5 100644
--- a/windows/security/threat-protection/windows-firewall/TOC.yml
+++ b/windows/security/threat-protection/windows-firewall/TOC.yml
@@ -250,3 +250,5 @@
href: quarantine.md
- name: Firewall settings lost on upgrade
href: firewall-settings-lost-on-upgrade.md
+- name: Windows security
+ href: /windows/security/
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml b/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml
deleted file mode 100644
index f7e0955409..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: Windows security guidance for enterprises
- items:
- - name: Windows security baselines
- href: windows-security-baselines.md
- items:
- - name: Security Compliance Toolkit
- href: security-compliance-toolkit-10.md
- - name: Get support
- href: get-support-for-security-baselines.md
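Review bot: deleting this TOC.yml removes the only navigation entries shown in the diff for windows-security-baselines.md, security-compliance-toolkit-10.md and get-support-for-security-baselines.md; make sure those three pages are added to another TOC or have redirects in place, otherwise they become orphaned (windows-security-baselines.md is still edited later in this same PR, so it is clearly meant to stay live).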
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 170918a4fa..435be7648b 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -11,22 +11,17 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 06/25/2018
+ms.date:
ms.reviewer:
ms.technology: mde
---
# Windows security baselines
-**Applies to**
-
-- Windows 10
-- Windows Server 2016
-- Office 2016
## Using security baselines in your organization
-Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.
+Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.
Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
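Review bot: the context line `ms.technology: mde` is left as-is here while every other file in this PR switches it to `windows-sec`; this looks like an oversight. `+ms.date:` is again left empty (set a date or drop the key), and removing the whole Applies to block drops Windows Server 2016 and Office 2016 from the stated scope even though the removed lines listed them; if the goal is to stop pinning versions, keep a generic `Applies to: Windows, Windows Server, Office` list rather than deleting the section.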
@@ -56,12 +51,13 @@ You can use security baselines to:
## Where can I get the security baselines?
-You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines.
+There are several ways to get and use security baselines:
-The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines.
+1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md)
-[](security-compliance-toolkit-10.md)
-[](get-support-for-security-baselines.md)
+2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline.md) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool.
+
+3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all.md).
## Community
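Review bot: new item 1 merges the two old paragraphs verbatim, so the Download Center / SCT statement now appears twice in one paragraph, and the item ends without a period after "Get Support for the security baselines"; collapse it to one sentence. Item 2's link `/windows/client-management/mdm/#mdm-security-baseline.md` mixes a fragment anchor with a `.md` suffix and will not resolve, and `/mem/intune/protect/security-baseline-settings-mdm-all.md` in item 3 is a cross-repo docs link that should not carry `.md` either. Item 3 also has "can easily be configures" (should be "configured") and "detail steps" (should be "detailed steps"), and item 2 should read "integrate them into an existing MDM management tool" rather than "integrate this into".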
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
new file mode 100644
index 0000000000..6792a8df14
--- /dev/null
+++ b/windows/security/trusted-boot.md
@@ -0,0 +1,40 @@
+---
+title: Secure Boot and Trusted Boot
+description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/21/2021
+ms.prod: m365-security
+ms.technology: windows-sec
+ms.localizationpriority: medium
+ms.collection:
+ms.custom:
+ms.reviewer: jsuther
+f1.keywords: NOCSH
+---
+
+# Secure Boot and Trusted Boot
+
+*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.*
+
+Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.
+
+## Secure Boot
+
+The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
+
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with.
+
+## Trusted Boot
+
+Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+
+Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
+
+## See also
+
+[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
\ No newline at end of file
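Review bot: "If any of these files were tampered" should read "tampered with", and the file is missing a trailing newline (`\ No newline at end of file`); add one. Minor wording: "after the initial hardware and firmware boot sequences have safely finished their early boot sequences" repeats "boot sequences", and the closing sentence of the Trusted Boot paragraph restates the Secure Boot paragraph's signature-enforcement sentence almost verbatim, so one of the two can go.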
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
new file mode 100644
index 0000000000..1462084e1e
--- /dev/null
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -0,0 +1,71 @@
+---
+title: Zero Trust and Windows device health
+description: Describes the process of Windows device health attestation
+ms.reviewer:
+ms.topic: article
+manager: dansimp
+ms.author: dansimp
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: dansimp
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Zero Trust and Windows device health
+Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments.
+
+The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
+
+- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies.
+
+- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity.
+
+- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses.
+
+The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
+
+[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources.
+
+Windows 11 supports device health attestation, helping to confirm that devices are in a good state and have not been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling.
+
+Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process have not been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
+
+## Device health attestation on Windows
+ Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines:
+
+- If the device can be trusted
+- If the operating system booted correctly
+- If the OS has the right set of security features enabled
+
+These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device has not been tampered with.
+
+Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
+
+A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
+
+1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event.
+
+2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that is then sent to the attestation service.
+
+3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation).
+
+4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
+
+5. The attestation service does the following:
+
+ - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log.
+ - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM.
+ - Verify that the security features are in the expected states.
+
+6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service.
+
+7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
+
+8. Conditional access, along with device-compliance state then decides to allow or deny access.
+
+## Other Resources
+
+Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/).
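Review bot: step 5 says the TPM has "a valid Attestation Identity Key issued by the authenticated TPM", which conflicts with step 3, where the TPM's key material is verified against an Azure certificate service; the AIK is generated inside the TPM and certified by that service, so reword to "a valid Attestation Identity Key certified for the authenticated TPM". Typos in the same file: "helps addresses" (intro) should be "helps address", "Microsoft Endpoint Manger" (step 4) should be "Manager", "file hashes and signature" (step 1) should be "signatures", the comma in "and software, is used" is stray, and the leading space before "Many security risks" under the "Device health attestation on Windows" heading will render as an indented block in Markdown. "When you power on your PC until your anti-malware starts" reads awkwardly; suggest "From the moment you power on your PC until your anti-malware starts". Heading "Other Resources" should be sentence case ("Other resources") to match "See also" elsewhere in the PR.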