mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-16 15:27:22 +00:00
Acrolinx Enhancement Effort
This commit is contained in:
parent
552433195e
commit
1be5f7b0e9
@ -43,7 +43,7 @@ For more information, see [Machine Account Password Process](https://techcommuni
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
|
We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
@ -76,7 +76,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
|||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
|
|
||||||
By default, the domain members submit a password change every 30 days. If you increase this interval significantly so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
|
By default, the domain members submit a password change every 30 days. If you increase this interval so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
|
||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
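Review bot: dropping "significantly" from "If you increase this interval so that the computers no longer submit a password change" makes the sentence read as if any increase stops password changes, when only a very large one has that effect; keep the qualifier or rephrase, for example "If you raise this interval so far that computers effectively never change their password".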
@ -84,7 +84,7 @@ Configure the **Domain member: Maximum machine account password age** setting to
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
None. This is the default configuration.
|
None. This non-impact state is the default configuration.
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
- [Security Options](security-options.md)
|
- [Security Options](security-options.md)
|
||||||
|
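Review bot: "None. This non-impact state is the default configuration." is awkward wording under **Potential impact**; if the aim was to avoid a bare "This is", "None. This setting is the default configuration." says the same thing naturally.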
@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
|
|||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys.
|
The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that isn't capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that can't encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys.
|
||||||
|
|
||||||
Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected.
|
Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected.
|
||||||
|
|
||||||
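Review bot: the unchanged context line "Eavesdropping is a form of hacking in which network data is read or altered in transit" defines eavesdropping as including modification, which is tampering rather than eavesdropping; since the next sentence is about data being modified or redirected, suggest "read (eavesdropping) or altered (tampering) in transit" or splitting the two. The contractions in the changed line are fine.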
@ -35,7 +35,7 @@ Whenever possible, you should take advantage of these stronger session keys to h
|
|||||||
|
|
||||||
- Enabled
|
- Enabled
|
||||||
|
|
||||||
When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server.
|
When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This capability means that all such domain controllers must be running at least Windows 2000 Server.
|
||||||
|
|
||||||
- Disabled
|
- Disabled
|
||||||
|
|
||||||
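Review bot: "This capability means that all such domain controllers must be running at least Windows 2000 Server" reads oddly because the antecedent is a requirement placed on the domain controllers, not a capability; suggest "This requirement means that all such domain controllers must be running at least Windows 2000 Server."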
@ -45,7 +45,7 @@ Whenever possible, you should take advantage of these stronger session keys to h
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
- It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled.
|
- It's advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
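Review bot: "ensures that all outgoing secure channel traffic will require a strong encryption key" keeps the future tense this pass is otherwise removing; "requires a strong encryption key" is enough.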
@ -73,13 +73,13 @@ This section describes features and tools that are available to help you manage
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
|
Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
|
||||||
|
|
||||||
You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled.
|
You'll you be able to join devices that don't support this policy setting to domains where the domain controllers have this policy setting enabled.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
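Review bot: the rewritten sentence "You'll you be able to join devices that don't support this policy setting to domains where the domain controllers have this policy setting enabled." carries over the duplicated "you" from the original ("You will you be able") and still states the opposite of the **Potential impact** section, which says such devices can't join. Suggest "You won't be able to join devices that don't support this policy setting to domains where the domain controllers have this policy setting enabled."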
@ -99,7 +99,7 @@ If you enable this policy setting, all outgoing secure channel traffic requires
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled.
|
Devices that don't support this policy setting can't join domains in which the domain controllers have this policy setting enabled.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security
|
|||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
This policy setting determines which users can set the **Trusted for Delegation** setting on a user or computer object.
|
This policy setting determines which users can set the **Trusted for Delegation** setting on a user or computer object.
|
||||||
Security account delegation provides the ability to connect to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation.
|
Security account delegation enables connection to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation.
|
||||||
|
|
||||||
Only administrators who have the **Enable computer and user accounts to be trusted for delegation** credential can set up delegation. Domain admins and Enterprise admins have this credential. The procedure to allow a user to be trusted for delegation depends on the functionality level of the domain.
|
Only administrators who have the **Enable computer and user accounts to be trusted for delegation** credential can set up delegation. Domain admins and Enterprise admins have this credential. The procedure to allow a user to be trusted for delegation depends on the functionality level of the domain.
|
||||||
|
|
||||||
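Review bot: "credential" is the wrong term for **Enable computer and user accounts to be trusted for delegation** in the unchanged context lines; it is a user right (the next hunk's header shows "Constant: SeEnableDelegationPrivilege"), so "user right" would be accurate. Also, "functionality level of the domain" should be "functional level", which is the Active Directory term.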
@ -43,7 +43,7 @@ Constant: SeEnableDelegationPrivilege
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
- There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone devices.
|
- There's no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It's only relevant on domain controllers and stand-alone devices.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
@ -68,7 +68,7 @@ This section describes features, tools and guidance to help you manage this poli
|
|||||||
|
|
||||||
Modifying this setting might affect compatibility with clients, services, and applications.
|
Modifying this setting might affect compatibility with clients, services, and applications.
|
||||||
|
|
||||||
A restart of the device is not required for this policy setting to be effective.
|
A restart of the device isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||||
|
|
||||||
@ -99,7 +99,7 @@ after a security incident.
|
|||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default.
|
The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there's a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default.
|
||||||
|
|
||||||
>**Note:** There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.
|
>**Note:** There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.
|
||||||
|
|
||||||
|
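Review bot: the quoted note (">**Note:** There is no reason to assign this user right ... It is only relevant on domain controllers and stand-alone computers.") duplicates the Best practices bullet edited earlier in this commit but keeps the uncontracted "There is"/"It is" and says "computers" where the bullet now says "devices"; apply the same edits here so both copies match.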
@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security
|
|||||||
The **Enforce password history** policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.
|
The **Enforce password history** policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.
|
||||||
Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced.
|
Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced.
|
||||||
|
|
||||||
Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you do not also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password.
|
Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you don't also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password.
|
||||||
|
|
||||||
### Possible values
|
### Possible values
|
||||||
|
|
||||||
@ -39,9 +39,9 @@ Specifying a low number for **Enforce password history** allows users to continu
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
- Set **Enforce password history** to 24. This will help mitigate vulnerabilities that are caused by password reuse.
|
- Set **Enforce password history** to 24. This setting will help mitigate vulnerabilities that are caused by password reuse.
|
||||||
- Set [Maximum password age](maximum-password-age.md) to expire passwords between 60 and 90 days. Try to expire the passwords between major business cycles to prevent work loss.
|
- Set [Maximum password age](maximum-password-age.md) to expire passwords between 60 and 90 days. Try to expire the passwords between major business cycles to prevent work loss.
|
||||||
- Configure [Minimum password age](minimum-password-age.md) so that you do not allow passwords to be changed immediately.
|
- Configure [Minimum password age](minimum-password-age.md) so that you don't allow passwords to be changed immediately.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
@ -66,7 +66,7 @@ This section describes features, tools, and guidance to help you manage this pol
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
@ -74,9 +74,9 @@ This section describes how an attacker might exploit a feature or its configurat
|
|||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
|
|
||||||
The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced.
|
The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse isn't prevented, or if users continually reuse a few passwords, the effectiveness of a good password policy is greatly reduced.
|
||||||
|
|
||||||
If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you do not also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password.
|
If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you don't also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password.
|
||||||
|
|
||||||
>**Note:** After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised.
|
>**Note:** After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised.
|
||||||
|
|
||||||
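Review bot: "brute force attacks" in the changed line should be "brute-force attacks" (compound modifier), as should the same phrase in the Reference section earlier in this file; the quoted note below it also keeps "it is best" while the surrounding lines were contracted.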
@ -88,7 +88,7 @@ For this policy setting to be effective, you should also configure effective val
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but this makes them easier for an attacker to guess. Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently.
|
The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they're required to change their old one. If users are required to change their passwords to new unique values, there's an increased risk of users who write their passwords somewhere so that they don't forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but these passwords make it easier for an attacker to guess. Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
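Review bot: "but these passwords make it easier for an attacker to guess" drops the object of "guess"; "but these passwords are easier for an attacker to guess" keeps the meaning of the original "this makes them easier for an attacker to guess".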
@ -37,9 +37,9 @@ The possible values for this Group Policy setting are:
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
- If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use.
|
- If this policy setting is disabled, users might be granted session tickets for services that they don't have the right to use.
|
||||||
|
|
||||||
We recommend to set **Enforce user logon restrictions** to Enabled.
|
We recommend setting **Enforce user logon restrictions** to Enabled.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
@ -62,7 +62,7 @@ The following table lists the actual and effective default policy values. Defaul
|
|||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the device is not required for this policy setting to be effective.
|
A restart of the device isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
@ -91,7 +91,7 @@ Enable the **Enforce user logon restrictions** setting.
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
None. This is the default configuration.
|
None. This non-impact state is the default configuration.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
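Review bot: same point as in the earlier **Potential impact** hunk: "None. This non-impact state is the default configuration." is awkward; "None. This setting is the default configuration." reads naturally.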
@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security
|
|||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they are available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.
|
This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they're available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.
|
||||||
|
|
||||||
Constant: SeIncreaseWorkingSetPrivilege
|
Constant: SeIncreaseWorkingSetPrivilege
|
||||||
|
|
||||||
@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul
|
|||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the computer is not required for this policy setting to be effective.
|
A restart of the computer isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||||
|
|
||||||
|
@ -44,9 +44,9 @@ This setting has these possible values:
|
|||||||
|
|
||||||
- **User display name, domain and user names**
|
- **User display name, domain and user names**
|
||||||
|
|
||||||
For a local logon, the user's full name is displayed.
|
For a local sign in, the user's full name is displayed.
|
||||||
If the user signed in using a Microsoft account, the user's email address is displayed.
|
If the user signed in using a Microsoft account, the user's email address is displayed.
|
||||||
For a domain logon, the domain\username is displayed.
|
For a domain sign in, the domain\username is displayed.
|
||||||
This setting has the same effect as turning on the **Privacy** setting.
|
This setting has the same effect as turning on the **Privacy** setting.
|
||||||
|
|
||||||
- **User display name only**
|
- **User display name only**
|
||||||
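Review bot: "sign in" is used as a noun in "For a local sign in" and "For a domain sign in"; as a noun or adjective it should be hyphenated ("sign-in"), matching "sign-in screen" used later in this same file. The policy name **Interactive logon: ...** correctly keeps "logon" because it is the UI string.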
@ -57,30 +57,30 @@ This setting has these possible values:
|
|||||||
- **Do not display user information**
|
- **Do not display user information**
|
||||||
|
|
||||||
No names are displayed.
|
No names are displayed.
|
||||||
Beginning with Windows 10 version 1607, this option is not supported.
|
Beginning with Windows 10 version 1607, this option isn't supported.
|
||||||
If this option is chosen, the full name of the user who locked the session is displayed instead.
|
If this option is chosen, the full name of the user who locked the session is displayed instead.
|
||||||
This change makes this setting consistent with the functionality of the new **Privacy** setting.
|
This change makes this setting consistent with the functionality of the new **Privacy** setting.
|
||||||
To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
|
To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
|
||||||
|
|
||||||
- **Domain and user names only**
|
- **Domain and user names only**
|
||||||
|
|
||||||
For a domain logon only, the domain\username is displayed.
|
For a domain sign in only, the domain\username is displayed.
|
||||||
The **Privacy** setting is automatically on and grayed out.
|
The **Privacy** setting is automatically on and grayed out.
|
||||||
|
|
||||||
- **Blank**
|
- **Blank**
|
||||||
|
|
||||||
Default setting.
|
Default setting.
|
||||||
This setting translates to “Not defined,” but it will display the user's full name in the same manner as the option **User display name only**.
|
This setting translates to “Not defined,” but it will display the user's full name in the same manner as the option **User display name only**.
|
||||||
When an option is set, you cannot reset this policy to blank, or not defined.
|
When an option is set, you can't reset this policy to blank, or not defined.
|
||||||
|
|
||||||
### Hotfix for Windows 10 version 1607
|
### Hotfix for Windows 10 version 1607
|
||||||
|
|
||||||
Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off.
|
Clients that run Windows 10 version 1607 won't show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off.
|
||||||
If the **Privacy** setting is turned on, details will show.
|
If the **Privacy** setting is turned on, details will show.
|
||||||
|
|
||||||
The **Privacy** setting cannot be changed for clients in bulk.
|
The **Privacy** setting can't be changed for clients in bulk.
|
||||||
Instead, apply [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
|
Instead, apply [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
|
||||||
Clients that run later versions of Windows 10 do not require a hotfix.
|
Clients that run later versions of Windows 10 don't require a hotfix.
|
||||||
|
|
||||||
There are related Group Policy settings:
|
There are related Group Policy settings:
|
||||||
|
|
||||||
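Review bot: same hyphenation point at "For a domain sign in only, the domain\username is displayed." (should be "sign-in"). Leaving the option name **Do not display user information** uncontracted is correct, since it is the string shown in the UI.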
@ -93,19 +93,19 @@ There are related Group Policy settings:
|
|||||||
For all versions of Windows 10, only the user display name is shown by default.
|
For all versions of Windows 10, only the user display name is shown by default.
|
||||||
|
|
||||||
If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
|
If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
|
||||||
Users will not be able to show details.
|
Users won't be able to show details.
|
||||||
|
|
||||||
If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show additional details such as domain\username.
|
If **Block user from showing account details on sign-in** isn't enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show other details such as domain\username.
|
||||||
In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied.
|
In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied.
|
||||||
Users will not be able to hide additional details.
|
Users won't be able to hide other details.
|
||||||
|
|
||||||
If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown.
|
If **Block user from showing account details on sign-in** isn't enabled and **Don’t display last signed-in** is enabled, the username won't be shown.
|
||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
Your implementation of this policy depends on your security requirements for displayed logon information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
|
Your implementation of this policy depends on your security requirements for displayed sign-in information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
|
||||||
|
|
||||||
Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy.
|
Depending on your security policy, you might also want to enable the [Interactive logon: Don't display last user name](interactive-logon-do-not-display-last-user-name.md) policy.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
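Review bot: Changing "additional details" to "other details" in the two table cells ("show other details such as domain\username" and "Users won't be able to hide other details") shifts the meaning: "additional" says the domain\username is revealed on top of the display name, while "other" reads as a different set of fields. Keep "additional details" in both cells. The Best practices paragraph in the same hunk also still reads "revealing logged on user's full names or domain account names"; "revealing a logged-on user's full name or domain account name" is the grammatical form, and the identical sentence recurs in the sibling page later in this commit.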
@ -128,7 +128,7 @@ This section describes features and tools that are available to help you manage
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
### Policy conflict considerations
|
### Policy conflict considerations
|
||||||
|
|
||||||
@ -136,7 +136,7 @@ None
|
|||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
@ -148,9 +148,9 @@ When a computer displays the Secure Desktop in an unsecured area, certain user i
|
|||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user.
|
Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the sign-in tiles are displayed for each signed-in user.
|
||||||
|
|
||||||
You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to log on.
|
You might also want to enable the [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the sign-in name and sign-in tile of the last user to sign in.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
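Review bot: The link text in the Countermeasure paragraph now reads "Interactive logon: Don't display last signed-in", while the Best practices paragraph in the first hunk of this file links the same target (interactive-logon-do-not-display-last-user-name.md) as "Interactive logon: Don't display last user name". Use one name for the policy across the page; the linked page's own title in this commit is "Don't display last signed-in", so that is the one to keep.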
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Interactive logon Don't display last signed-in (Windows 10)
|
title: Interactive logon Don't display last signed-in (Windows 10)
|
||||||
description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting.
|
description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display last user name security policy setting.
|
||||||
ms.prod: m365-security
|
ms.prod: m365-security
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
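Review bot: The description line now contracts a policy setting name ("Interactive logon: Don't display last user name") that is a literal string in the Local Security Policy snap-in, while the title on the line above calls the same setting "Don't display last signed-in" and the Countermeasure hunk further down this file still says "Enable the **Interactive logon: Do not display last user name** setting." Policy names should match the UI string exactly rather than follow the Acrolinx contraction rule; align the description and the Countermeasure line with the title.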
@ -26,11 +26,11 @@ Describes the best practices, location, values, and security considerations for
|
|||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
This security policy setting determines whether the name of the last user to log on to the device is displayed on the Secure Desktop.
|
This security policy setting determines whether the name of the last user to sign in to the device is displayed on the Secure Desktop.
|
||||||
|
|
||||||
If this policy is enabled, the full name of the last user to successfully log on is not displayed on the Secure Desktop, nor is the user’s logon tile displayed. Additionally, if the **Switch user** feature is used, the full name and logon tile are not displayed. The logon screen requests a qualified domain account name (or local user name) and password.
|
If this policy is enabled, the full name of the last user to successfully sign in isn't displayed on the Secure Desktop, nor is the user’s sign-in tile displayed. Additionally, if the **Switch user** feature is used, the full name and sign-in tile aren't displayed. The sign-in screen requests a qualified domain account name (or local user name) and password.
|
||||||
|
|
||||||
If this policy is disabled, the full name of the last user to log on is displayed, and the user’s logon tile is displayed. This behavior is the same when the **Switch user** feature is used.
|
If this policy is disabled, the full name of the last user to sign in is displayed, and the user’s sign-in tile is displayed. This behavior is the same when the **Switch user** feature is used.
|
||||||
|
|
||||||
### Possible values
|
### Possible values
|
||||||
|
|
||||||
@ -40,7 +40,7 @@ If this policy is disabled, the full name of the last user to log on is displaye
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
|
Your implementation of this policy depends on your security requirements for displayed sign-in information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
### Policy conflict considerations
|
### Policy conflict considerations
|
||||||
|
|
||||||
@ -71,7 +71,7 @@ None.
|
|||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
@ -79,7 +79,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
|||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
|
|
||||||
An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on.
|
An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to sign in.
|
||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
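Review bot: In the Vulnerability paragraph "try to log on" became "try to sign in", but "the last user who logged on" in the same sentence was left as is; change it to "the last user who signed in" so the sentence uses one term. The same paragraph appears verbatim in the "Don't display username at sign-in" page later in this commit and needs the same fix.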
@ -87,7 +87,7 @@ Enable the **Interactive logon: Do not display last user name** setting.
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
Users must always type their user names and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed.
|
Users must always type their user names and passwords when they sign in locally or to the domain. The sign-in tiles of all logged on users aren't displayed.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
@ -26,15 +26,15 @@ Describes the best practices, location, values, and security considerations for
|
|||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
|
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can sign in.
|
||||||
|
|
||||||
If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on.
|
If this policy setting is enabled on a device, a user isn't required to press CTRL+ALT+DEL to sign in.
|
||||||
|
|
||||||
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon).
|
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they're using a smart card for signing in).
|
||||||
|
|
||||||
Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
|
Microsoft developed this feature to make it easier for users with certain types of physical impairments to sign in to a device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users sign in ensures that users are communicating through a trusted path when entering their passwords.
|
||||||
|
|
||||||
A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has.
|
A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system, and capture a user's password. The attacker can then sign in to the compromised account with whatever level of user rights that user has.
|
||||||
|
|
||||||
### Possible values
|
### Possible values
|
||||||
|
|
||||||
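Review bot: The third paragraph keeps "before logging on to the Windows operating system" and adds "(unless they're using a smart card for signing in)", which mixes both terms in one sentence; "before signing in to Windows (unless they use a smart card to sign in)" reads cleaner and matches the Potential impact hunk below. The two paragraphs that follow also alternate between CTRL+ALT+DEL and CTRL+ALT+DELETE; the policy name and the rest of the page use CTRL+ALT+DEL, so standardize on that.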
@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
### Policy conflict considerations
|
### Policy conflict considerations
|
||||||
|
|
||||||
@ -77,7 +77,7 @@ Beginning with Windows Server 2008 and Windows Vista, the CTRL+ALT+DELETE key
|
|||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
@ -85,9 +85,9 @@ This section describes how an attacker might exploit a feature or its configurat
|
|||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
|
|
||||||
This setting makes it easier for users with certain types of physical impairments to log on to devices that run the Windows operating system. However, if users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path.
|
This setting makes it easier for users with certain types of physical impairments to sign in to devices that run the Windows operating system. However, if users aren't required to press CTRL+ALT+DEL, they're susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before signing in, user passwords are communicated through a trusted path.
|
||||||
|
|
||||||
If this setting is enabled, an attacker could install malware that looks like the standard logon dialog box in the Windows operating system, and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has.
|
If this setting is enabled, an attacker could install malware that looks like the standard sign-in dialog box in the Windows operating system, and capture the user's password. The attacker would then be able to sign in to the compromised account with whatever level of privilege that user has.
|
||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
@ -95,7 +95,7 @@ Disable the **Interactive logon: Do not require CTRL+ALT+DEL** setting.
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
Unless they use a smart card to log on, users must simultaneously press the three keys before the logon dialog box is displayed.
|
Unless they use a smart card to sign in, users must simultaneously press the three keys before the sign-in dialog box is displayed.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for
|
|||||||
|
|
||||||
A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile.
|
A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile.
|
||||||
|
|
||||||
If the policy is enabled and a user signs in as **Other user**, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name is not shown until the Start screen displays.
|
If the policy is enabled and a user signs in as **Other user**, the full name of the user isn't displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name isn't shown until the Start screen displays.
|
||||||
|
|
||||||
If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in.
|
If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in.
|
||||||
|
|
||||||
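Review bot: "Additionally,if users enter their domain user name" is missing the space after the comma on both sides of the diff; fix it while this paragraph is being touched. The first line of the hunk ("A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703") is also redundant and could read "This policy setting was introduced in Windows 10, version 1703."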
@ -64,7 +64,7 @@ This section describes features and tools that are available to help you manage
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
### Policy conflict considerations
|
### Policy conflict considerations
|
||||||
|
|
||||||
@ -72,7 +72,7 @@ None.
|
|||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
@ -80,7 +80,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
|||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
|
|
||||||
An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on.
|
An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to sign in.
|
||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
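Review bot: This Vulnerability paragraph is copied from the "Don't display last signed-in" page and says an attacker "could view the name of the last user who logged on", but the Reference section of this file states that the setting only affects the **Other user** tile and controls whether a user's full name replaces the "Other user" text while that user is signing in. The paragraph should describe that exposure (a user's full name shown to anyone watching the console during sign-in as Other user) rather than the last-user-name one, and "logged on" should become "signed in" for consistency with the rest of the sentence.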
@ -88,7 +88,7 @@ Enable the **Interactive logon: Don't display user name at sign-in** setting.
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
Users must always type their usernames and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed.
|
Users must always type their usernames and passwords when they log on locally or to the domain. The sign in tiles of all logged on users aren't displayed.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
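Review bot: "when they log on locally or to the domain" was left unchanged in the Potential impact paragraph while "logon tiles" became "sign in tiles", and "sign in tiles" is unhyphenated here but "sign-in tiles" everywhere else in this commit. Suggest: "Users must always type their usernames and passwords when they sign in locally or to the domain. The sign-in tiles of all signed-in users aren't displayed."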
@ -29,9 +29,9 @@ Describes the best practices, location, values, management, and security conside
|
|||||||
|
|
||||||
Beginning with Windows Server 2012 and Windows 8, the **Interactive logon: Machine account threshold** security policy setting enforces the lockout policy on those computers that have BitLocker enabled to protect operating system volumes.
|
Beginning with Windows Server 2012 and Windows 8, the **Interactive logon: Machine account threshold** security policy setting enforces the lockout policy on those computers that have BitLocker enabled to protect operating system volumes.
|
||||||
|
|
||||||
The security setting allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker. This means, if the specified maximum number of failed logon attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.
|
The security setting allows you to set a threshold for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.
|
||||||
|
|
||||||
Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed logon attempts.
|
Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed sign-in attempts.
|
||||||
|
|
||||||
### Possible values
|
### Possible values
|
||||||
|
|
||||||
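Review bot: The first line of the hunk names the setting "Interactive logon: Machine account threshold", but the Best practices paragraph later in this file uses "Interactive logon: Machine account lockout threshold"; fix the context line so the page uses the full name throughout. In the second paragraph, "This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate" leaves a dangling subject; "If the specified maximum number of failed sign-in attempts is exceeded, the device invalidates the Trusted Platform Module (TPM) protector ..." says the same thing more directly.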
@ -39,7 +39,7 @@ You can set the **invalid logon attempts** value between 1 and 999. Values from
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out.
|
Use this policy setting in conjunction with your other failed account sign-in attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
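Review bot: The Best practices paragraph is repeated word for word as the Countermeasure paragraph later in this file; one of the two could refer to the other instead of duplicating it. Within it, "BitLocker lock out" should be "BitLocker lockout" (the noun), matching "lockout" in the policy name on the same line.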
@ -64,13 +64,13 @@ This section describes features and tools that are available to help you manage
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
A restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy.
|
A restart is required for changes to this policy to become effective when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those devices that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy and is BitLocker-enabled.
|
Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those devices that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy and is BitLocker-enabled.
|
||||||
|
|
||||||
When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed logon attempts that will cause a user account to be locked out.
|
When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed sign-in attempts that will cause a user account to be locked out.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
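Review bot: The unchanged Group Policy line ("it can only be set locally on those devices that contain this policy setting, but it can be set and distributed through Group Policy to any computer ... that supports Group Policy and is BitLocker-enabled") contradicts itself as written, since a GPO can be linked to any computer but only the Windows 8 / Windows Server 2012 and later devices the first clause describes will recognise the setting. Suggest: "it can only be set locally on devices that contain the setting; it can be distributed through Group Policy to any BitLocker-enabled computer, but only devices running Windows 8 or Windows Server 2012 and later apply it."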
@ -82,7 +82,7 @@ This policy setting helps protect a BitLocker-encrypted device from attackers at
|
|||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out.
|
Use this policy setting in conjunction with your other failed account sign-in attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out.
|
||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
|
@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
Restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy.
|
Restart is required for changes to this policy to become effective when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
### Group Policy
|
### Group Policy
|
||||||
|
|
||||||
|
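Review bot: "Restart is required for changes to this policy" should be "A restart is required for changes to this policy", matching the wording used in the Machine account lockout threshold page earlier in this commit; the Restart requirement sections across these pages should share one phrasing for the "required" case as they already do for the "None." case.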
@ -30,13 +30,13 @@ Describes the best practices, location, values, management, and security conside
|
|||||||
|
|
||||||
The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related.
|
The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related.
|
||||||
|
|
||||||
**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on.
|
**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in.
|
||||||
|
|
||||||
**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
|
**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
|
||||||
|
|
||||||
Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
|
Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
|
||||||
|
|
||||||
When these policy settings are configured, users will see a dialog box before they can log on to the server console.
|
When these policy settings are configured, users will see a dialog box before they can sign in to the server console.
|
||||||
|
|
||||||
### Possible values
|
### Possible values
|
||||||
|
|
||||||
@ -47,10 +47,10 @@ The possible values for this setting are:
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
- It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following:
|
- It's advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following:
|
||||||
|
|
||||||
1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.
|
1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.
|
||||||
2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information.
|
2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you're unauthorized, terminate access now. Click OK to indicate your acceptance of this information.
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments.
|
> Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments.
|
||||||
|
|
||||||
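Review bot: Item 2 under Best practices is sample banner text that administrators paste into the policy, and the change from "If you are unauthorized" to "If you're unauthorized" edits the wording of a notice the IMPORTANT callout says must be approved by legal and human resources; keep the sample text verbatim and exempt it from the contraction rule, as is done for the capitalised item 1.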
@ -77,22 +77,22 @@ This section describes different requirements to help you manage this policy.
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
## Security considerations
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
There are two policy settings that relate to logon displays:
There are two policy settings that relate to sign-in displays:
- **Interactive logon: Message text for users attempting to log on**
- **Interactive logon: Message text for users attempting to log on**
- [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)
- [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)
The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited.
The first policy setting specifies a text message that displays to users when they sign in, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited.
### Vulnerability
### Vulnerability
Users often do not understand the importance of security practices. However, the display of a warning message before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process.
Users often don't understand the importance of security practices. However, the display of a warning message before signing in may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the sign-in process.
### Countermeasure
### Countermeasure
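Review bot: after this hunk the prose says "sign-in displays" (L2013) and "when they sign in" (L2034) while the policy names, the linked topic file names and the Group Policy UI still say "logon" / "log on". Readers searching the page for the UI term will not find it in the explanatory text, so add the mapping once where the switch first happens, e.g. "There are two policy settings that relate to sign-in (logon) displays:", and keep the bolded policy names unchanged as the hunk already does.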
@ -100,7 +100,7 @@ Configure the **Interactive logon: Message text for users attempting to log on**
### Potential impact
### Potential impact
Users see a message in a dialog box before they can log on to the server console.
Users see a message in a dialog box before they can sign in to the server console.
## Related topics
## Related topics
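Review bot: the Potential impact sentence at L2080 only restates that a dialog appears. The operational impact worth stating, which the page's own sample banner at L1957 implies ("Click OK to indicate your acceptance"), is that the notice must be acknowledged before the credential prompt is shown, so any sign-in flow that expects to reach the credential prompt without user interaction will stall at the banner. One added clause here would make the section useful to someone deciding whether to deploy the setting.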
@ -33,7 +33,7 @@ The **Interactive logon: Message title for users attempting to log on** and [Int
Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
When these policy settings are configured, users will see a dialog box before they can log on to the server console.
When these policy settings are configured, users will see a dialog box before they can sign in the server console.
### Possible values
### Possible values
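Review bot: L2111 drops a preposition: "before they can sign in the server console" should read "before they can sign in to the server console", which is how the same sentence was rewritten in the message-text topic at L1914. The two topics share this sentence, so they should end up identical.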
@ -42,7 +42,7 @@ When these policy settings are configured, users will see a dialog box before th
### Best practices
### Best practices
1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following:
1. It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following values:
- RESTRICTED SYSTEM
- RESTRICTED SYSTEM
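Review bot: L2141 still has the missing "of" that the old line had, and now reads "to a value similar to one the following values:". Since the line is being rewritten, fix it fully: "to a value similar to one of the following:" (the "values" at the end is redundant once "one of the following" is correct).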
@ -75,22 +75,22 @@ This section describes features and tools that are available to help you manage
### Restart requirement
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
## Security considerations
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
There are two policy settings that relate to logon displays:
There are two policy settings that relate to sign-in displays:
- [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)
- [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)
- **Interactive logon: Message title for users attempting to log on**
- **Interactive logon: Message title for users attempting to log on**
The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited.
The first policy setting specifies a text message that displays to users when they sign in, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited.
### Vulnerability
### Vulnerability
Users often do not understand the importance of security practices. However, the display of a warning message with an appropriate title before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process.
Users often don't understand the importance of security practices. However, the display of a warning message with an appropriate title before signing in may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the sign-in process.
### Countermeasure
### Countermeasure
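Review bot: L2232 keeps the old claim that a banner title "may help prevent an attack". A logon banner is a legal notice, not a technical control: it does nothing against an attacker who already holds valid credentials, and the page's own justification for the setting (L2103) is the legal position it gives the organization. While this line is being rewritten, qualify it to "may deter misuse and strengthens the organization's legal position" rather than "prevent an attack", so the Vulnerability section does not overstate what the control does.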
@ -100,7 +100,7 @@ Configure the [Interactive logon: Message text for users attempting to log on](i
### Potential impact
### Potential impact
Users see a message in a dialog box before they can log on to the server console.
Users see a message in a dialog box before they can sign in to the server console.
## Related topics
## Related topics
@ -27,19 +27,19 @@ Describes the best practices, location, values, policy management, and security
## Reference
## Reference
The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can log on to a Windows domain by using cached account information. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on. This policy setting determines the number of unique users whose logon information is cached locally.
The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can sign in to a Windows domain by using cached account information. Sign-in information for domain accounts can be cached locally so that, if a domain controller can't be contacted on subsequent logons, a user can still sign in. This policy setting determines the number of unique users whose sign-in information is cached locally.
If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message:
If a domain controller is unavailable and a user's sign-in information is cached, the user is prompted with the following message:
A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on might not be available.
A domain controller for your domain couldn't be contacted. You've been logged on using cached account information. Changes to your profile since you last logged on might not be available.
If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:
If a domain controller is unavailable and a user's sign-in information isn't cached, the user is prompted with this message:
The system cannot log you on now because the domain *DOMAIN NAME* is not available.
The system can't log you on now because the domain *DOMAIN NAME* isn't available.
The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session.
The value of this policy setting indicates the number of users whose sign-in information the server caches locally. If the value is 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session.
Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations.
encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations.
> [!NOTE]
> [!NOTE]
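Review bot: L2309 and L2325 are verbatim Windows dialog strings, introduced by the page as "the user is prompted with the following message", and the hunk rewrites them with contractions ("couldn't", "You've been logged on", "can't", "isn't"). Readers match these strings against what appears on screen and search for them, so quoted UI text should be excluded from the wording pass and restored to "could not be contacted. You have been logged on ..." and "The system cannot log you on now because the domain ... is not available." Separately, the unchanged context at L2346 says cached credentials are kept "in the system's registries, which are spread across numerous physical locations", which does not agree with the same topic's Vulnerability text at L2479 ("encrypts the information and obscures its physical location"); the two descriptions of the mitigation should be reconciled while this topic is open.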
@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re
### Best practices
### Best practices
The [Windows security baselines](../windows-security-baselines.md) do not recommend configuring this setting.
The [Windows security baselines](../windows-security-baselines.md) don't recommend configuring this setting.
### Location
### Location
@ -77,7 +77,7 @@ This section describes features and tools that are available to help you manage
### Restart requirement
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy.
### Policy conflict considerations
### Policy conflict considerations
@ -85,7 +85,7 @@ None
### Group Policy
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
## Security considerations
## Security considerations
@ -93,20 +93,20 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
### Vulnerability
The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session.
The number that is assigned to this policy setting indicates the number of users whose sign-in information is cached locally by the servers. If the number is set to 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session.
Users who access the server console have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords.
Users who access the server console have their sign-in credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords.
To mitigate this type of attack, Windows encrypts the information and obscures its physical location.
To mitigate this type of attack, Windows encrypts the information and obscures its physical location.
### Countermeasure
### Countermeasure
Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of logon information. Additional countermeasures include enforcement of strong password policies and physically secure locations for the computers.
Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of sign-in information. Other countermeasures include enforcement of strong password policies and physically secure locations for the computers.
### Potential impact
### Potential impact
Users cannot log on to any devices if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a
Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a
member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network.
member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to sign in to their computers when they aren't connected to the organization's network.
## Related topics
## Related topics
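Review bot: L2516 is rewritten but keeps "has recently logged on to the device" in a sentence whose first half (L2511) now says "sign-in information", so the same paragraph mixes both terms; use "has recently signed in to the device". Also, L2471 keeps "brute force attack" while the Reference section of this same topic (L2341) uses "brute-force attack"; pick one hyphenation for the topic. The fix of "is cache locally" to "is cached locally" at L2463 is good.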
@ -27,13 +27,13 @@ Describes the best practices, location, values, policy management, and security
## Reference
## Reference
Unlocking a locked device requires logon information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it is necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the logon information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system.
Unlocking a locked device requires sign-in information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it's necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the sign-in information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system.
The device caches (locally in memory) the credentials of any users who have been authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console.
The device caches (locally in memory) the credentials of any users who have been authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console.
When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) are not considered or applied after this authentication process. This means not only that user rights are not updated, but more importantly that disabled accounts are still able to unlock the console of the system.
When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) aren't considered or applied after this authentication process. This result means not only that user rights aren't updated, but more importantly that disabled accounts are still able to unlock the console of the system.
It is advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices.
It's advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to reauthenticate to the domain controller. If no domain controller is available, users can't unlock their devices.
### Possible values
### Possible values
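Review bot: "This result means not only that user rights aren't updated, but more importantly that disabled accounts are still able to unlock the console of the system." (L2563) replaces a vague "This means" with the equally vague "This result means". The sentence is the security-relevant conclusion of the paragraph, so state it directly: "As a result, user rights aren't updated and, more importantly, disabled accounts can still unlock the console." The rest of the hunk ("reauthenticate", "can't") reads fine.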
@ -43,7 +43,7 @@ It is advisable to set **Interactive logon: Require Domain Controller authentica
### Best practices
### Best practices
- Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices.
- Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to reauthenticate to the domain controller. If no domain controller is available, users can't unlock their devices.
### Location
### Location
@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage
### Restart requirement
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Policy conflict considerations
### Policy conflict considerations
@ -76,7 +76,7 @@ None
### Group Policy
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
## Security considerations
## Security considerations
@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
### Vulnerability
By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—are not considered or applied after the account is authenticated. User privileges are not updated, and disabled accounts are still able to unlock the console of the device
By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—aren't considered or applied after the account is authenticated. User privileges aren't updated, and disabled accounts are still able to unlock the console of the device
### Countermeasure
### Countermeasure
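Review bot: L2691 still ends without a terminal period ("... disabled accounts are still able to unlock the console of the device"); the old line had the same defect and this rewrite is the place to fix it. While touching the sentence, "User privileges aren't updated" would be more consistent with the paragraph's own earlier term "user rights assignments".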
@ -92,7 +92,7 @@ Configure the **Interactive logon: Require Domain Controller authentication to u
### Potential impact
### Potential impact
When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) cannot log on.
When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can reauthenticate to the domain controller. If no domain controller is available, users can't unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) can't sign in.
## Related topics
## Related topics
@ -25,7 +25,7 @@ ms.technology: windows-sec
Describes the Kerberos Policy settings and provides links to policy setting descriptions.
Describes the Kerberos Policy settings and provides links to policy setting descriptions.
The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this also increases the authorization overhead. In most environments, these settings should not need to be changed.
The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this ticket lifetime reduction also increases the authorization overhead. In most environments, these settings shouldn't need to be changed.
These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**.
These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**.
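Review bot: L2752 expands "this also increases the authorization overhead" to "this ticket lifetime reduction also increases the authorization overhead", which resolves the dangling "this" but keeps an imprecise noun. Shorter ticket lifetimes mean clients must go back to the KDC for new or renewed tickets more often, so the cost is authentication traffic and KDC load rather than "authorization overhead"; "increases the authentication overhead (more frequent ticket requests to the domain controllers)" would tell the reader what to watch.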
@ -27,10 +27,10 @@ Describes the best practices, location, values, policy management, and security
## Reference
## Reference
This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code.
This policy setting determines which users can dynamically load and unload device drivers. This user right isn't required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code.
Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the device. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices.
Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the device. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices.
Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted.
Because device driver software runs as if it's a part of the operating system with unrestricted access to the entire computer, it's critical that only known and authorized device drivers be permitted.
Constant: SeLoadDriverPrivilege
Constant: SeLoadDriverPrivilege
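Review bot: the unchanged context at L2788 uses "device" for both the peripheral and the computer ("users needed to manually configure devices before attaching them to the device"), and the following clause is a comma splice ("plug in the hardware, then Windows searches ..."). Since the paragraph above it is being edited, fix both: "before attaching them to the computer" and "plug in the hardware; Windows then searches for an appropriate device driver package".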
@ -42,7 +42,7 @@ Constant: SeLoadDriverPrivilege
### Best practices
### Best practices
- Because of the potential security risk, do not assign this user right to any user, group, or process that you do not want to take over the system.
- Because of the potential security risk, don't assign this user right to any user, group, or process that you don't want to take over the system.
### Location
### Location
@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values. Defaul
|
|||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the device is not required for this policy setting to be effective.
|
A restart of the device isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||||
|
|
||||||
@ -94,11 +94,11 @@ Device drivers run as highly privileged code. A user who has the **Load and unlo
|
|||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
Do not assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins.
|
Don't assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, don't assign this user right to any user or group other than Domain Admins.
|
||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected.
|
If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks aren't negatively affected.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
@ -31,7 +31,7 @@ This policy setting determines which accounts can use a process to keep data in
|
|||||||
|
|
||||||
Normally, an application running on Windows can negotiate for more physical memory, and in response to the request, the application begins to move the data from RAM (such as the data cache) to a disk. When the pageable memory is moved to a disk, more RAM is free for the operating system to use.
|
Normally, an application running on Windows can negotiate for more physical memory, and in response to the request, the application begins to move the data from RAM (such as the data cache) to a disk. When the pageable memory is moved to a disk, more RAM is free for the operating system to use.
|
||||||
|
|
||||||
Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This could lead to performance degradation.
|
Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This limitation could lead to performance degradation.
|
||||||
|
|
||||||
>**Note:** By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.
|
>**Note:** By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.
|
||||||
|
|
||||||
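Review bot: "Thereby, the amount of memory that Windows can reclaim under pressure is limited. This limitation could lead to performance degradation." is still stilted after the rewrite; suggest folding it into the previous sentence: "prevents paging of the data, which limits the amount of memory that Windows can reclaim under pressure and can degrade performance." The unchanged context also attributes the paging to the application ("the application begins to move the data from RAM ... to a disk"); it is the memory manager, not the application, that pages data out, so "Windows begins to move" would be more accurate. In the note, "depending on if" should be "depending on whether".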
@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values for the
|
|||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the computer is not required for this policy setting to be effective.
|
A restart of the computer isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||||
|
|
||||||
@ -92,7 +92,7 @@ Users with the **Lock pages in memory** user right could assign physical memory
|
|||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
Do not assign the **Lock pages in memory** user right to any accounts.
|
Don't assign the **Lock pages in memory** user right to any accounts.
|
||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
|
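Review bot: "Don't assign the **Lock pages in memory** user right to any accounts." is absolute, while the hunk header for this file ("which accounts can use a process to keep data in physical memory") shows that the right exists for applications that deliberately keep data resident. Suggest qualifying it, for example "to any accounts other than the service accounts of applications that require it", so the countermeasure does not read as a blanket prohibition.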
@ -27,7 +27,7 @@ This article describes the recommended practices, location, values, policy manag
|
|||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context.
|
This policy setting determines which accounts can sign in by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context.
|
||||||
|
|
||||||
Constant: SeBatchLogonRight
|
Constant: SeBatchLogonRight
|
||||||
|
|
||||||
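Review bot: changing "log on" to "sign in" in "which accounts can sign in by using a batch-queue tool" breaks consistency with the rest of the same paragraph, which still says "the Task Scheduler service logs on the user as a batch job", and with the policy name **Log on as a batch job** and the constant SeBatchLogonRight. A batch logon is a non-interactive logon type rather than a user signing in, so suggest keeping "log on" here.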
@ -95,7 +95,7 @@ For IIS servers, configure this policy locally instead of through domain–based
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer can't assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to additional accounts that those components require. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right isn't assigned to this group and these accounts, IIS can't run some COM objects that are necessary for proper functionality.
|
If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer can't assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to other accounts that those components require. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right isn't assigned to this group and these accounts, IIS can't run some COM objects that are necessary for proper functionality.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
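Review bot: "additional accounts" to "other accounts" is fine, but the IIS example in the same sentence (IIS\_WPG, IUSR\_*<ComputerName>*, ASPNET, IWAM\_*<ComputerName>*) names the IIS 6.0-era identities; later IIS versions use different built-in identities, so the sentence should say which IIS version the example applies to.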
@ -27,8 +27,7 @@ Describes the best practices, location, values, policy management, and security
|
|||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the
|
This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the Security log in Event Viewer. For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md).
|
||||||
Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md).
|
|
||||||
|
|
||||||
Constant: SeSecurityPrivilege
|
Constant: SeSecurityPrivilege
|
||||||
|
|
||||||
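Review bot: joining the split sentence is the right fix. While here, "These objects specify their system access control lists (SACL)" is unclear, since objects do not specify their SACLs; suggest "The audit options for these objects are stored in their system access control lists (SACLs)". The closing "For more information about the Object Access audit policy, see [Audit object access]" sentence also appears later in the Policy management section of this file, so one of the two copies could be dropped.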
@ -40,7 +39,7 @@ Constant: SeSecurityPrivilege
|
|||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
1. Before removing this right from a group, investigate whether applications are dependent on this right.
|
1. Before removing this right from a group, investigate whether applications are dependent on this right.
|
||||||
2. Generally, assigning this user right to groups other than Administrators is not necessary.
|
2. Generally, assigning this user right to groups other than Administrators isn't necessary.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
@ -65,11 +64,11 @@ The following table lists the actual and effective default policy values for the
|
|||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the computer is not required for this policy setting to be effective.
|
A restart of the computer isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||||
|
|
||||||
Audits for object access are not performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool.
|
Audits for object access aren't performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool.
|
||||||
|
|
||||||
For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md).
|
For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md).
|
||||||
|
|
||||||
|
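Review bot: "For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md)." duplicates the sentence that closes the Reference paragraph at the top of this file; keep one copy (this one sits next to the Auditpol guidance it supports). The "are not" to "aren't" change is fine.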
@ -31,16 +31,16 @@ The **Maximum lifetime for service ticket** policy setting determines the maximu
|
|||||||
|
|
||||||
The possible values for this Group Policy setting are:
|
The possible values for this Group Policy setting are:
|
||||||
|
|
||||||
- A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets do not expire).
|
- A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets don't expire).
|
||||||
- Not defined.
|
- Not defined.
|
||||||
|
|
||||||
If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that authenticated the connection expires during the connection.
|
If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations aren't interrupted if the session ticket that authenticated the connection expires during the connection.
|
||||||
|
|
||||||
If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours. In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire.
|
If the value for this policy setting is too high, users might be able to access network resources outside of their sign-in hours. In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire.
|
||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
- It is advisable to set **Maximum lifetime for service ticket** to **600** minutes.
|
- It's advisable to set **Maximum lifetime for service ticket** to **600** minutes.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
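Review bot: replacing "logon hours" with "sign-in hours" loses the link to the account restriction the sentence refers to, which is labelled Logon Hours on the account in Active Directory Users and Computers; suggest keeping "logon hours" as the term of art. Separately, the unchanged paragraph switches between "session ticket" and the policy's own term "service ticket" ("If a client presents an expired session ticket ..."); using "service ticket" throughout would avoid confusion.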
@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul
|
|||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the device is not required for this policy setting to be effective.
|
A restart of the device isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
This policy setting is configured on the domain controller.
|
This policy setting is configured on the domain controller.
|
||||||
|
|
||||||
@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
|||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
|
|
||||||
If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled.
|
If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their sign-in hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled.
|
||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
@ -94,7 +94,7 @@ Configure the **Maximum lifetime for service ticket** setting to 600 minutes.
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
None. This is the default configuration.
|
None. This non-impact state is the default configuration.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
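Review bot: "None. This non-impact state is the default configuration." reads like a mechanical rewrite. The Countermeasure in the hunk header says to configure the setting to 600 minutes, so the clearer fix is "None. The recommended value of 600 minutes is the default configuration."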
@ -36,9 +36,9 @@ The possible values for this Group Policy setting are:
|
|||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
- If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire.
|
- If the value for this policy setting is too high, users may be able to renew old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire.
|
||||||
|
|
||||||
It is advisable to set **Maximum lifetime for user ticket renewal** to **7** days.
|
It's advisable to set **Maximum lifetime for user ticket renewal** to **7** days.
|
||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul
|
|||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the device is not required for this policy setting to be effective.
|
A restart of the device isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
This policy setting is configured on the domain controller.
|
This policy setting is configured on the domain controller.
|
||||||
|
|
||||||
@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
|||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
|
|
||||||
If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew very old user tickets.
|
If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew old user tickets.
|
||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ The possible values for this Group Policy setting are:
|
|||||||
- A user-defined number of hours from 0 through 99,999
|
- A user-defined number of hours from 0 through 99,999
|
||||||
- Not defined
|
- Not defined
|
||||||
|
|
||||||
If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire.
|
If the value for this policy setting is too high, users might be able to access network resources outside of their sign-in hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire.
|
||||||
|
|
||||||
### Best practices
|
### Best practices
|
||||||
|
|
||||||
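Review bot: "sign-in hours" should stay "logon hours", the name of the account restriction configured in Active Directory. Also, the unchanged context says a value of 0 makes "ticket-granting tickets never expire" but the preceding clause talks about "valid service tickets that were issued before their account was disabled"; since this article covers the user ticket (TGT) lifetime, "user tickets" or "ticket-granting tickets" would be the consistent term there.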
@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul
|
|||||||
|
|
||||||
This section describes features, tools, and guidance to help you manage this policy.
|
This section describes features, tools, and guidance to help you manage this policy.
|
||||||
|
|
||||||
A restart of the computer is not required for this policy setting to be effective.
|
A restart of the computer isn't required for this policy setting to be effective.
|
||||||
|
|
||||||
This policy setting is configured on the domain controller.
|
This policy setting is configured on the domain controller.
|
||||||
|
|
||||||
@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
|||||||
|
|
||||||
### Vulnerability
|
### Vulnerability
|
||||||
|
|
||||||
If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack.
|
If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their sign-in hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack.
|
||||||
|
|
||||||
### Countermeasure
|
### Countermeasure
|
||||||
|
|
||||||
@ -92,7 +92,7 @@ Configure the **Maximum lifetime for user ticket** setting with a value between
|
|||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user does not have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of four hours without too much additional burden.
|
Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user doesn't have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of 4 hours without any extra burden.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
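Review bot: "without too much additional burden" to "without any extra burden" changes the meaning: the previous sentence says the lower value "requires more frequent requests to the KDC", so there is some burden. Suggest "without significant extra burden" or "with little extra burden". The "four hours" to "4 hours" change is fine.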
@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security
|
|||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days.
|
The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a certain number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days.
|
||||||
|
|
||||||
>**Note:** Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**.
|
>**Note:** Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**.
|
||||||
|
|
||||||
@ -66,7 +66,7 @@ This section describes features, tools, and guidance to help you manage this pol
|
|||||||
|
|
||||||
### Restart requirement
|
### Restart requirement
|
||||||
|
|
||||||
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
|
None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
@ -78,13 +78,13 @@ The longer a password exists, the higher the likelihood that it will be compromi
|
|||||||
|
|
||||||
### Considerations
|
### Considerations
|
||||||
|
|
||||||
Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/) for further information.
|
Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. For more information, see [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/).
|
||||||
|
|
||||||
Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organisations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements.
|
Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organizations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements.
|
||||||
|
|
||||||
### Potential impact
|
### Potential impact
|
||||||
|
|
||||||
If the **Maximum password age** policy setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts.
|
If the **Maximum password age** policy setting is too low, users are required to change their passwords often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
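Review bot: "very often" to "often" weakens the point of the sentence, which is that an excessively low Maximum password age forces changes too frequently; suggest "too often" to keep the causal meaning. The spelling fix "organisations" to "organizations" is fine. Also, the Potential impact paragraph ("If the value ... is too high, the level of security ... is reduced") sits uneasily with the Considerations paragraph above it, which says research shows expiration has a negative effect; a sentence reconciling the two would help readers.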