From 9c48e4e64397dbc1d37ca354fdec4a751feadfb2 Mon Sep 17 00:00:00 2001 From: mgewida1 Date: Fri, 6 Jun 2025 10:21:36 -0700 Subject: [PATCH 01/10] Update configure.md removed event ID 51 --- .../credential-guard/configure.md | 23 ------------------- 1 file changed, 23 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 2e5a9a8c07..e22e1a7aef 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -191,29 +191,6 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte :::column-end::: :::row-end::: -The following event indicates whether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot` - -:::row::: - :::column span="1"::: - **Event ID** - :::column-end::: - :::column span="3"::: - **Description** - :::column-end::: -:::row-end::: -:::row::: - :::column span="1"::: - 51 (Information) - :::column-end::: - :::column span="3"::: - ```logging - VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. - ``` - :::column-end::: -:::row-end::: - -The TPM PCR mask is only relevant when SRTM is used. If the cached Copy status is 1, SRTM was not used - typically indicating DRTM is in use - and the PCR mask should be ignored. - ## Disable Credential Guard There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured: From e901064907fb2be58f766d11147ced8fa20d1246 Mon Sep 17 00:00:00 2001 
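Review bot: Dropping the Kernel-Boot event 51 row removes the only documented way in configure.md to check whether the TPM is protecting the VSM master key, and the commit message ("removed event ID 51") gives no reason. If the row is going because the `Using cached copy status` / `TPM PCR mask` fields are too easy to misread, say so and point the reader at whatever replaces it (the new "VSM and TPM Protections" section in how-it-works.md in this same PR is the obvious target); as written, the SRTM/DRTM caveat that explained how to interpret the cached-copy status disappears with nothing in its place.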
From: mgewida1 Date: Fri, 6 Jun 2025 11:15:57 -0700 Subject: [PATCH 02/10] Update how-it-works.md Added section on VSM and TPM protections --- .../identity-protection/credential-guard/how-it-works.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index 57b7f1812e..f4b8e04488 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md 
@@ -20,6 +20,15 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b :::column-end::: :::row-end::: +## VSM and TPM Protections +Secrets protected by Credential Guard are protected in memory isolated at runtime by the hypervisor using [Virtual Secure Mode](https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm). On recent supported hardware with TPM2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections (see [System Guard: How a hardware-based root of trust helps protect Windows](https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment. + +Credential Guard does not typically persist authentication data (NTLM hash and TGTs) and that data is lost between reboots and refreshed when the user signs into the system. This means that it is not dependent on the VSM master key or the TPM to protect that data at rest. + +Note: The VBS master key may not be protected by the TPM in any of the following environments: +- If Secure Boot is disabled +- If a TPM is not available on the firmware + ## Credential Guard protection limits Some ways to store credentials aren't protected by Credential Guard, including: From 1317d8fbcd0d3e2c5b3f020879f831ec04197ad3 Mon Sep 17 00:00:00 2001 From: mgewida1 Date: Fri, 6 Jun 2025 11:27:02 -0700 Subject: [PATCH 03/10] Update how-it-works.md Replaced absolute links with relative links --- .../identity-protection/credential-guard/how-it-works.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index f4b8e04488..e89553a19e 100644 
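Review bot: The new section names the key two different ways: the body says "VSM master key" while the Note says "VBS master key"; pick one. The first paragraph also says the key is "protected by device firmware protections" and then "protected by the TPM", and the second paragraph says Credential Guard does not persist NTLM hashes or TGTs, so it is unclear what persisted VSM data the master key actually covers; either name what is sealed or cut the "persisted" sentence. Smaller points in the same hunk: "they key" should be "the key", "If a TPM is not available on the firmware" reads oddly, the plain "Note:" should be the `> [!NOTE]` callout, and both links are absolute learn.microsoft.com URLs where relative paths are used.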
--- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md @@ -21,7 +21,8 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b :::row-end::: ## VSM and TPM Protections -Secrets protected by Credential Guard are protected in memory isolated at runtime by the hypervisor using [Virtual Secure Mode](https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm). On recent supported hardware with TPM2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections (see [System Guard: How a hardware-based root of trust helps protect Windows](https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment. +Secrets protected by Credential Guard are protected in memory isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm). On recent supported hardware with TPM2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections (see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows +)). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment. Credential Guard does not typically persist authentication data (NTLM hash and TGTs) and that data is lost between reboots and refreshed when the user signs into the system. This means that it is not dependent on the VSM master key or the TPM to protect that data at rest. 
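Review bot: The relative link is broken by the line wrap: the added lines put `(/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows` on one line and `)).` on the next, so the link target contains a newline and will not render as a link. Keep the target and its closing parenthesis on one line.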
From 6f01f1715fead7a62dd06df7ec287686c0fe9274 Mon Sep 17 00:00:00 2001 From: mgewida1 Date: Mon, 9 Jun 2025 14:26:19 -0700 Subject: [PATCH 04/10] Update how-it-works.md Updated format for the Note text --- .../credential-guard/how-it-works.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index e89553a19e..a48fd8c925 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md 
@@ -21,14 +21,15 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b :::row-end::: ## VSM and TPM Protections -Secrets protected by Credential Guard are protected in memory isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm). On recent supported hardware with TPM2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections (see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows -)). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment. - -Credential Guard does not typically persist authentication data (NTLM hash and TGTs) and that data is lost between reboots and refreshed when the user signs into the system. This means that it is not dependent on the VSM master key or the TPM to protect that data at rest. - -Note: The VBS master key may not be protected by the TPM in any of the following environments: -- If Secure Boot is disabled -- If a TPM is not available on the firmware +Secrets protected by Credential Guard are protected in memory and isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm) (VSM). On recent supported hardware with TPM 2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections. To learn more, see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment. 
+ +Credential Guard does not typically persist authentication data (NTLM hash and TGTs) as that data is lost between reboots and refreshed when the user signs into the system. This means that it isn't dependent on the VSM master key or the TPM to protect that data at reset. + +> [!NOTE] +> The VBS master key may not be protected by the TPM in any of the following environments: +> +> - If Secure Boot is disabled +> - If a TPM is not available on the firmware ## Credential Guard protection limits From 36f4e8c64a0e5ac78682036e51cf6eb828077d10 Mon Sep 17 00:00:00 2001 From: scottmca <89857809+scottmca@users.noreply.github.com> Date: Tue, 10 Jun 2025 11:33:16 -0400 Subject: [PATCH 05/10] Learn Editor: Update enable-extended-security-updates.md --- windows/whats-new/enable-extended-security-updates.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/enable-extended-security-updates.md b/windows/whats-new/enable-extended-security-updates.md index af03388d2c..cb0b1f3891 100644 --- a/windows/whats-new/enable-extended-security-updates.md +++ b/windows/whats-new/enable-extended-security-updates.md 
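Review bot: "protect that data at reset" in the second paragraph is a regression from "at rest"; revert it. The same sentence changed "and that data is lost" to "as that data is lost", which now reads as if the data being lost is the reason it is not persisted; the intended meaning is that the data is not persisted, so it is re-acquired at sign-in. The Note still says "VBS master key" against "VSM master key" in the body, and "they key" survives in the first paragraph.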
@@ -151,7 +151,11 @@ If the device doesn't have access to the internet or to the Microsoft Activation ## Activate large numbers of devices that don't have internet access -For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that the VAMT tool includes updated PkeyConfig files for Windows 10 ESU MAK keys. +For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that you have latest VAMT tool + +Note: In order to add Windows 10 ESU keys to VAMT update the pkeyconfig files with this update + +[https://www.microsoft.com/en-us/download/details.aspx?id=106364](https://www.microsoft.com/download/details.aspx?id=106364) For more information on adding additional activations to a Windows 10 ESU MAK, see [Request an increase to MAK activation limits](/microsoft-365/commerce/licenses/product-keys-for-vl#request-an-increase-to-mak-activation-limits). From ed66f6b99e3f9a897ed10a742148f04a80d15ae7 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 12 Jun 2025 13:07:52 -0400 Subject: [PATCH 07/10] Update how-it-works.md --- .../credential-guard/how-it-works.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index a48fd8c925..34a4f7053b 100644 
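Review bot: The rewritten first sentence loses its terminating period after "latest VAMT tool" and needs "the" in "ensure that you have latest VAMT tool"; the added "Note:" is plain text rather than the `> [!NOTE]` callout, and the download link shows an `en-us` URL as its text while linking to the locale-free one. Consider folding the PkeyConfig update into the preceding sentence with a single locale-free link instead of a bare URL on its own line.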
--- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md @@ -1,5 +1,5 @@ --- -ms.date: 02/25/2025 +ms.date: 06/12/2025 title: How Credential Guard works description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. ms.topic: concept-article 
@@ -21,15 +21,16 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b :::row-end::: ## VSM and TPM Protections -Secrets protected by Credential Guard are protected in memory and isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm) (VSM). On recent supported hardware with TPM 2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections. To learn more, see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment. + +Secrets protected by Credential Guard are protected in memory and isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm) (VSM). On recent supported hardware with TPM 2.0, VSM data that is persisted will be protected by a key called the *VSM master key*, which is protected by device firmware protections. To learn more, see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows). The VSM master key is protected by the TPM, ensuring that the key and secrets protected by Credential Guard can only be accessed in a trusted environment. -Credential Guard does not typically persist authentication data (NTLM hash and TGTs) as that data is lost between reboots and refreshed when the user signs into the system. This means that it isn't dependent on the VSM master key or the TPM to protect that data at reset. +Credential Guard doesn't typically persist authentication data (NTLM hash and TGTs), as that data is lost between reboots and refreshed when the user signs into the system. 
This means that it isn't dependent on the VSM master key or the TPM to protect that data at reset. > [!NOTE] -> The VBS master key may not be protected by the TPM in any of the following environments: +> The VBS master key might not be protected by the TPM in any of the following environments: > > - If Secure Boot is disabled -> - If a TPM is not available on the firmware +> - If a TPM isn't available on the firmware ## Credential Guard protection limits From 710ae0f01ad94c1bb8086e54d8e4b83b74408527 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 12 Jun 2025 15:25:57 -0700 Subject: [PATCH 08/10] Update enable-extended-security-updates.md Tweaks --- windows/whats-new/enable-extended-security-updates.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/windows/whats-new/enable-extended-security-updates.md b/windows/whats-new/enable-extended-security-updates.md index cb0b1f3891..33a12659e0 100644 --- a/windows/whats-new/enable-extended-security-updates.md +++ b/windows/whats-new/enable-extended-security-updates.md 
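Review bot: "at reset" is still wrong here (should be "at rest"), and the Note keeps "VBS master key" while the paragraph above calls it the "VSM master key"; this pass fixes "doesn't"/"isn't" and "might" but leaves both substantive errors in place.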
@@ -151,15 +151,11 @@ If the device doesn't have access to the internet or to the Microsoft Activation ## Activate large numbers of devices that don't have internet access -For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that you have latest VAMT tool - -Note: In order to add Windows 10 ESU keys to VAMT update the pkeyconfig files with this update - -[https://www.microsoft.com/en-us/download/details.aspx?id=106364](https://www.microsoft.com/download/details.aspx?id=106364) +For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that you have the latest VAMT. You'll also need to install an update to the VMAT from [https://www.microsoft.com/download/details.aspx?id=106364](https://www.microsoft.com/download/details.aspx?id=106364) so it includes updated PkeyConfig files for Windows 10 ESU MAK keys. For more information on adding additional activations to a Windows 10 ESU MAK, see [Request an increase to MAK activation limits](/microsoft-365/commerce/licenses/product-keys-for-vl#request-an-increase-to-mak-activation-limits). ## Related content - [Slmgr.vbs options](/windows-server/get-started/activation-slmgr-vbs-options) -- [Extended Security Updates (ESU) program for Windows 10](extended-security-updates.md) \ No newline at end of file +- [Extended Security Updates (ESU) program for Windows 10](extended-security-updates.md) 
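Review bot: "install an update to the VMAT" should read "VAMT"; the tool is spelled correctly earlier in the same sentence. The trailing-newline fix in the Related content hunk is fine.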
From e48ad3ef0331f1be607d3b1190038e6ae6434191 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 12 Jun 2025 15:27:25 -0700 Subject: [PATCH 09/10] Update enable-extended-security-updates.md remove extra space --- windows/whats-new/enable-extended-security-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/enable-extended-security-updates.md b/windows/whats-new/enable-extended-security-updates.md index 33a12659e0..25bbd39ee0 100644 --- a/windows/whats-new/enable-extended-security-updates.md +++ b/windows/whats-new/enable-extended-security-updates.md 
@@ -151,7 +151,7 @@ If the device doesn't have access to the internet or to the Microsoft Activation ## Activate large numbers of devices that don't have internet access -For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that you have the latest VAMT. You'll also need to install an update to the VMAT from [https://www.microsoft.com/download/details.aspx?id=106364](https://www.microsoft.com/download/details.aspx?id=106364) so it includes updated PkeyConfig files for Windows 10 ESU MAK keys. +For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that you have the latest VAMT. You'll also need to install an update to the VMAT from [https://www.microsoft.com/download/details.aspx?id=106364](https://www.microsoft.com/download/details.aspx?id=106364) so it includes updated PkeyConfig files for Windows 10 ESU MAK keys. For more information on adding additional activations to a Windows 10 ESU MAK, see [Request an increase to MAK activation limits](/microsoft-365/commerce/licenses/product-keys-for-vl#request-an-increase-to-mak-activation-limits). From 23d403d99ca214c7b604599e3de154e8377fe129 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 13 Jun 2025 07:28:46 -0400 Subject: [PATCH 10/10] added banner --- education/windows/windows-11-se-faq.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
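Review bot: This commit only removes a doubled space but leaves the "VMAT" typo in the same sentence; fix it here rather than in yet another follow-up.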
diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml index c33dec8686..f649d7af01 100644 --- a/education/windows/windows-11-se-faq.yml +++ b/education/windows/windows-11-se-faq.yml @@ -8,7 +8,11 @@ metadata: - ✅ Windows 11 SE title: Common questions about Windows 11 SE -summary: Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most. +summary: | + + [!INCLUDE [winse-eos](../includes/winse-eos.md)] + + Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most. sections: - name: General
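Review bot: The `summary` block scalar now starts with an empty line followed by `[!INCLUDE [winse-eos](../includes/winse-eos.md)]`; confirm the FAQ YAML pipeline expands includes inside `summary`, and drop the leading blank line so the rendered summary does not begin with whitespace. The commit message "added banner" does not say what the `winse-eos` include is; one phrase describing it would help anyone reading the history later.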