Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into export-recall-9257953

education/windows/windows-11-se-faq.yml

@@ -8,7 +8,11 @@ metadata:
     - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 
 title: Common questions about Windows 11 SE
-summary: Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most.
+summary: |
+
+  [!INCLUDE [winse-eos](../includes/winse-eos.md)]
+
+  Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most.
 
 sections:
   - name: General

windows/security/identity-protection/credential-guard/configure.md

@@ -191,29 +191,6 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte
   :::column-end:::
 :::row-end:::
 
-The following event indicates whether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot`
-
-:::row:::
-  :::column span="1":::
-  **Event ID**
-  :::column-end:::
-  :::column span="3":::
-  **Description**
-  :::column-end:::
-:::row-end:::
-:::row:::
-  :::column span="1":::
-  51 (Information)
-  :::column-end:::
-  :::column span="3":::
-  ```logging
-  VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
-  ```
-  :::column-end:::
-:::row-end:::
-
-The TPM PCR mask is only relevant when SRTM is used. If the cached Copy status is 1, SRTM was not used - typically indicating DRTM is in use - and the PCR mask should be ignored.
-
 ## Disable Credential Guard
 
 There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured:

windows/security/identity-protection/credential-guard/how-it-works.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 02/25/2025
+ms.date: 06/12/2025
 title: How Credential Guard works
 description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
 ms.topic: concept-article
@@ -20,6 +20,18 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b
   :::column-end:::
 :::row-end:::
 
+## VSM and TPM Protections
+
+Secrets protected by Credential Guard are protected in memory and isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm) (VSM). On recent supported hardware with TPM 2.0, VSM data that is persisted will be protected by a key called the *VSM master key*, which is protected by device firmware protections. To learn more, see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows). The VSM master key is protected by the TPM, ensuring that the key and secrets protected by Credential Guard can only be accessed in a trusted environment.
+ 
+Credential Guard doesn't typically persist authentication data (NTLM hash and TGTs), as that data is lost between reboots and refreshed when the user signs into the system. This means that it isn't dependent on the VSM master key or the TPM to protect that data at reset.
+ 
+> [!NOTE]
+> The VBS master key might not be protected by the TPM in any of the following environments:
+>
+> - If Secure Boot is disabled
+> - If a TPM isn't available on the firmware
+
 ## Credential Guard protection limits
 
 Some ways to store credentials aren't protected by Credential Guard, including:

windows/whats-new/enable-extended-security-updates.md

@@ -151,11 +151,11 @@ If the device doesn't have access to the internet or to the Microsoft Activation
 
 ## Activate large numbers of devices that don't have internet access
 
-For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that the VAMT tool includes updated PkeyConfig files for Windows 10 ESU MAK keys.
+For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that you have the latest VAMT. You'll also need to install an update to the VMAT from [https://www.microsoft.com/download/details.aspx?id=106364](https://www.microsoft.com/download/details.aspx?id=106364) so it includes updated PkeyConfig files for Windows 10 ESU MAK keys.
 
 For more information on adding additional activations to a Windows 10 ESU MAK, see [Request an increase to MAK activation limits](/microsoft-365/commerce/licenses/product-keys-for-vl#request-an-increase-to-mak-activation-limits).
 
 ## Related content
 
 - [Slmgr.vbs options](/windows-server/get-started/activation-slmgr-vbs-options)
-- [Extended Security Updates (ESU) program for Windows 10](extended-security-updates.md)
+- [Extended Security Updates (ESU) program for Windows 10](extended-security-updates.md)