Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into fr-boot-image-patching

.openpublishing.redirection.windows-security.json

@@ -170,19 +170,14 @@
       "redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
       "redirect_document_id": false
     },
-    {
-      "source_path": "windows/security/identity.md",
-      "redirect_url": "/windows/security/identity-protection",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "windows/security/identity-protection/hello-for-business/hello-overview.md",
-      "redirect_url": "/windows/security/identity-protection/hello-for-business",
-      "redirect_document_id": false
-    },
     {
       "source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
-      "redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
+      "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/hardware.md",
+      "redirect_url": "/windows/security/hardware-security",
       "redirect_document_id": false
     },
     {
@@ -365,6 +360,11 @@
       "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/identity-protection/hello-for-business/hello-overview.md",
+      "redirect_url": "/windows/security/identity-protection/hello-for-business",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md",
       "redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key",
@@ -400,6 +400,11 @@
       "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/identity-protection/password-support-policy.md",
+      "redirect_url": "https://support.microsoft.com/help/4490115",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/identity-protection/user-account-control/how-user-account-control-works.md",
       "redirect_url": "/windows/security/application-security/application-control/user-account-control/how-it-works",
@@ -480,6 +485,16 @@
       "redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-security-features",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md",
+      "redirect_url": "/windows/security/identity-protection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity.md",
+      "redirect_url": "/windows/security/identity-protection",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md",
       "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker",
@@ -655,11 +670,6 @@
       "redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
       "redirect_document_id": false
     },
-    {
-      "source_path": "windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md",
-      "redirect_url": "/windows/security/identity-protection",
-      "redirect_document_id": false
-    },
     {
       "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
       "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
@@ -735,11 +745,81 @@
       "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/information-protection/pluton/microsoft-pluton-security-processor.md",
+      "redirect_url": "/windows/security/hardware-security/pluton/microsoft-pluton-security-processor",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/pluton/pluton-as-tpm.md",
+      "redirect_url": "/windows/security/hardware-security/pluton/pluton-as-tpm",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/information-protection/secure-the-windows-10-boot-process.md",
       "redirect_url": "/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/change-the-tpm-owner-password",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/how-windows-uses-the-tpm.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/how-windows-uses-the-tpm",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/manage-tpm-commands",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/manage-tpm-lockout",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/tpm-fundamentals.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/tpm-fundamentals",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/tpm-recommendations.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/tpm-recommendations",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/trusted-platform-module-overview.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/trusted-platform-module-top-node.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md",
       "redirect_url": "/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure",
@@ -7226,16 +7306,29 @@
       "redirect_document_id": false
     },
     {
-      "source_path": "windows/security/identity-protection/password-support-policy.md",
-      "redirect_url": "https://support.microsoft.com/help/4490115",
+      "source_path": "windows/security/introduction/index.md",
+      "redirect_url": "/windows/security/introduction",
       "redirect_document_id": false
     },
     {
-      "source_path": "windows/security/hardware.md",
-      "redirect_url": "/windows/security/hardware-security",
+      "source_path": "windows/security/threat-protection/windows-platform-common-criteria.md",
+      "redirect_url": "/windows/security/security-foundations/certification/windows-platform-common-criteria",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/fips-140-validation.md",
+      "redirect_url": "/windows/security/security-foundations/certification/fips-140-validation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/msft-security-dev-lifecycle.md",
+      "redirect_url": "/windows/security/security-foundations/msft-security-dev-lifecycle",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/zero-trust-windows-device-health.md",
+      "redirect_url": "/windows/security/security-foundations/zero-trust-windows-device-health",
       "redirect_document_id": false
     }
   ]
 }
-
-

browsers/edge/index.yml

@@ -10,7 +10,6 @@ metadata:
   keywords: Microsoft Edge Legacy, Windows 10
   ms.localizationpriority: medium
   ms.topic: landing-page # Required
-  ms.collection: collection # Optional; Remove if no collection is used.
   author: dougeby #Required; your GitHub user alias, with correct capitalization.
   ms.author: pashort #Required; microsoft alias of author; optional team alias.
   ms.date: 07/07/2020 #Required; mm/dd/yyyy format.

browsers/internet-explorer/kb-support/ie-edge-faqs.yml

@@ -2,7 +2,6 @@
 metadata:
   title: IE and Microsoft Edge FAQ for IT Pros
   description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. 
-  audience: ITPro
   manager: msmets
   author: ramakoni1
   ms.author: ramakoni
@@ -10,7 +9,6 @@ metadata:
   ms.prod: internet-explorer
   ms.technology:
   ms.topic: faq
-  ms.custom: CI=111020
   ms.localizationpriority: medium
   ms.date: 01/23/2020
 title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros

education/includes/education-content-updates.md

@@ -2,6 +2,16 @@
 
 
 
+## Week of July 24, 2023
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 7/24/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
+| 7/25/2023 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified |
+| 7/25/2023 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
+
+
 ## Week of July 10, 2023
 
 
@@ -35,18 +45,3 @@
 | 7/14/2023 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
 | 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
 | 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
-
-
-## Week of June 19, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 6/23/2023 | [Important considerations before deploying apps with managed installer](/education/windows/tutorial-deploy-apps-winse/considerations) | added |
-| 6/23/2023 | [Create policies to enable applications](/education/windows/tutorial-deploy-apps-winse/create-policies) | added |
-| 6/23/2023 | [Applications deployment considerations](/education/windows/tutorial-deploy-apps-winse/deploy-apps) | added |
-| 6/23/2023 | [Deploy policies to enable applications](/education/windows/tutorial-deploy-apps-winse/deploy-policies) | added |
-| 6/23/2023 | [Deploy applications to Windows 11 SE with Intune](/education/windows/tutorial-deploy-apps-winse/index) | added |
-| 6/23/2023 | [Troubleshoot app deployment issues in Windows SE](/education/windows/tutorial-deploy-apps-winse/troubleshoot) | added |
-| 6/23/2023 | [Validate the applications deployed to Windows SE devices](/education/windows/tutorial-deploy-apps-winse/validate-apps) | added |
-| 6/23/2023 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | modified |

windows/deployment/do/delivery-optimization-endpoints.md

@@ -28,7 +28,7 @@ Use the table below to reference any particular content types or services endpoi
 
 |Domain Name  |Protocol/Port(s)  | Content Type | Additional Information | Microsoft Connected Cache Version |
 |---------|---------|---------------|-------------------|-----------------|
-| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com   |  HTTP / 80  | Windows Update </br> Windows Defender </br> Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Both |
+| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com   |  HTTP / 80  | Windows Update </br> Windows Defender </br> Windows Drivers </br> Windows Store | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Both |
 | *.delivery.mp.microsoft.com  |  HTTP / 80  | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Both |
 | *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net |  HTTP / 80  | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Both |
 | *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com |  HTTP / 80 </br> HTTPs / 443  | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Both |

windows/deployment/do/includes/waas-delivery-optimization-monitor.md

@@ -5,7 +5,7 @@ manager: aaroncz
 ms.prod: windows-client
 ms.technology: itpro-deploy
 ms.topic: include
-ms.date: 04/06/2022
+ms.date: 07/31/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by do/waas-delivery-optimization-setup.md and the update/update-compliance-get-started.md articles -->
@@ -27,13 +27,13 @@ ms.localizationpriority: medium
 | FileSizeInCache | Size of the file in the cache |
 | TotalBytesDownloaded | The number of bytes from any source downloaded so far |
 | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
-| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
+| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
 | BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, which includes BytesFromCacheServer |
 | Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
 | Priority | Priority of the download; values are **foreground** or **background** |
 | BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
 | BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
-| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes will be registered in 'BytesFromLANPeers'.)  |
+| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes are registered in 'BytesFromLANPeers'.)  |
 | BytesFromInternetPeers | Total number of bytes received from internet peers |
 | BytesToLanPeers | Total number of bytes delivered from peers found on the LAN |
 | BytesToGroupPeers | Total number of bytes delivered from peers found in the group |
@@ -168,3 +168,33 @@ Using the `-ListConnections` option returns these details about peers:
 If `Path` isn't specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs.
 
 Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content <output file>` or something similar.
+
+
+**Starting in Windows 10, version 1803:**
+
+`Get-DOConfig -Verbose`
+
+This cmdlet lists local configuration and policies that are applied to Delivery Optimization. This includes policies that are set via Group Policies or MDM Policies. Each policy is listed with the current set value and the provider of that policy. For example:
+
+DownloadMode:Simple
+DownloadModeProvider:Mdm Provider
+
+The provider is listed as "Default Provider" if it's using the Delivery Optimization platform configured default. 
+
+The cmdlet returns the following data:
+
+- BatteryPctToSeed: Corresponds to the [DOMinBatteryPercentageAllowedToUpload](../waas-delivery-optimization-reference.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) policy.
+- WorkingDirectory: The local folder containing the Delivery Optimization cache.
+- MinTotalDiskSize: Corresponds to the [DOMinDiskSizeAllowedToPeer](../waas-delivery-optimization-reference.md#minimum-disk-size-allowed-to-use-peer-caching) policy.
+- MinTotalRAM: Corresponds to the [DOMinRAMAllowedToPeer](../waas-delivery-optimization-reference.md#minimum-ram-inclusive-allowed-to-use-peer-caching) policy.
+- VpnPeerCachingAllowed: Corresponds to the [DOAllowVPNPeerCaching](../waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
+- VpnKeywords: List of keywords used to identify a VPN adapter.
+- SetHoursToLimitDownloadBackground: Corresponds to the [DOSetHoursToLimitBackgroundDownloadBandwidth](../waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth) policy.
+- SetHoursToLimitDownloadForeground: Corresponds to the [DOSetHoursToLimitForegroundDownloadBandwidth](../waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth) policy.
+- DownloadMode: Corresponds to the [DODownloadMode](../waas-delivery-optimization-reference.md#download-mode) policy.
+- DownBackLimitBps: Corresponds to the [DOMaxBackgroundDownloadBandwidth](../waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) policy.
+- DownloadForegroundLimitBps: Corresponds to the [DOMaxForegroundDownloadBandwidth](../waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) policy.
+- DownBackLimitPct: Corresponds to the [DOPercentageMaxBackgroundBandwidth](../waas-delivery-optimization-reference.md#maximum-background-download-bandwidth) policy.
+- DownloadForegroundLimitPct: Corresponds to the [DOPercentageMaxForegroundBandwidth](../waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth) policy.
+- MaxUploadRatePct: Corresponds to the [DOMaxUploadBandwidth](../waas-delivery-optimization-reference.md#max-upload-bandwidth) policy (deprecated in Windows 10, version 2004).
+- UploadLimitMonthlyGB: Corresponds to the [DOMonthlyUploadDataCap](../waas-delivery-optimization-reference.md#monthly-upload-data-cap) policy.

windows/deployment/do/waas-delivery-optimization-faq.yml

@@ -12,7 +12,7 @@ metadata:
     - highpri
     - tier3
   ms.topic: faq
-  ms.date: 07/11/2023
+  ms.date: 07/31/2023
 title: Delivery Optimization Frequently Asked Questions
 summary: |
   **Applies to**
@@ -62,6 +62,10 @@ sections:
           Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks. 
           The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible. 
         
+      - question: Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected? 
+        answer: | 
+          When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your Internet Service Provider, the download will be pulled directly from the IP Address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available. 
+
       - question: Does Delivery Optimization use multicast?
         answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
           
@@ -131,7 +135,7 @@ sections:
       
       - question: Delivery Optimization is using device resources and I can't tell why?
         answer: |
-          Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Oftentimes customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
+          Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
 
       - question: What Delivery Optimization settings are available?
         answer: |

windows/deployment/do/waas-delivery-optimization-reference.md

@@ -6,9 +6,9 @@ ms.prod: windows-client
 author: cmknox
 ms.localizationpriority: medium
 ms.author: carmenf
-ms.topic: article
+ms.topic: reference
 ms.technology: itpro-updates
-ms.date: 06/28/2023
+ms.date: 07/31/2023
 ms.collection: tier3
 ---
 
@@ -16,18 +16,18 @@ ms.collection: tier3
 
 **Applies to**
 
-- Windows 10
+- Windows 10
 - Windows 11
 
 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
 
-There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
+There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This article summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
 
 ## Delivery Optimization options
 
 You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
 
-You'll find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
+The Delivery Optimization settings in Group Policy are under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
 In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
 
 ### Summary of Delivery Optimization settings
@@ -35,9 +35,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 | Group Policy setting | MDM setting | Supported from version | Notes |
 | --- | --- | --- | ------- |
 | [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.|
-| [Group ID](#group-id)  | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order.  |
-| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. |
-| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices  default to using 'Subnet'.  |
+| [Group ID](#group-id)  | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order.  |
+| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. |
+| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, a new option to use 'Local discovery (DNS-SD)' is available to set via this policy. |
 | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. |
 | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. |
 | [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). |
@@ -51,16 +51,16 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery.  |
 | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
 | [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
-| [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
+| [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
 | [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
 | [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. |
 | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. |
 | [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
 | [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
-| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
-| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
-| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809  | Default is it has no value. |
-| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. |
+| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
+| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
+| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809  | No value is set as default. |
+| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | No value is set as default. |
 | [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
 | [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs)  or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
 | [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (deprecated in Windows 10, version 2004) | Default is '0' (unlimited). |
@@ -82,7 +82,7 @@ All cached files have to be above a set minimum size. This size is automatically
 
 #### Impact to network
 
-More options available that control the impact Delivery Optimization has on your network include the following:
+More options available that control the impact Delivery Optimization has on your network include the following settings:
 
 - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network.
 - [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth*hat Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
@@ -94,7 +94,7 @@ More options available that control the impact Delivery Optimization has on your
 
 #### Policies to prioritize the use of Peer-to-Peer and Cache Server sources
 
-When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to both MCC and peers in parallel. If the desired content can’t be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source which is the default behavior.
+When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior.
 
 ##### Peer-to-peer delay fallback settings
 
@@ -106,11 +106,11 @@ When Delivery Optimization client is configured to use peers and Microsoft Conne
 - [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server.
 - [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background  download that is allowed to use a cache server.
 
-**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
+**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This setting allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
 
 #### System resource usage
 
-Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
+Administrators can further customize scenarios where Delivery Optimization is used with the following settings:
 
 - [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
 - [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
@@ -119,12 +119,14 @@ Administrators can further customize scenarios where Delivery Optimization will
 
 ### Download mode
 
+MDM Setting: **DODownloadMode**
+
 Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Other technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization).
 
 | Download mode option | Functionality when set |
 | --- | --- |
 | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source or a Microsoft Connected Cache server. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
-| LAN (**1 – Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
+| LAN (**1 - Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
 | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
 | Internet (3) | Enable Internet peer sources for Delivery Optimization. |
 | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. |
@@ -135,6 +137,8 @@ Download mode dictates which download sources clients are allowed to use when do
 
 ### Group ID
 
+MDM Setting: **DOGroupID**
+
 By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
 
 >[!NOTE]
@@ -144,23 +148,29 @@ By default, peer sharing on clients using the Group download mode (option 2) is
 
 ### Select the source of Group IDs
 
+MDM Setting: **DOGroupIDSource**
+
 Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are:
 
 - 0 = Not set
 - 1 = AD Site
 - 2 = Authenticated domain SID
-- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
+- 3 = DHCP Option ID (with this option, the client queries DHCP Option ID 234 and use the returned GUID value as the Group ID)
 - 4 = DNS Suffix
-- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
+- 5 = Starting with Windows 10, version 1903, you can use the Azure AD Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
 
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
 
 ### Minimum RAM (inclusive) allowed to use Peer Caching  
 
+MDM Setting: **DOMinRAMAllowedToPeer**
+
 This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4, and **the default value is 4 GB**.
 
 ### Minimum disk size allowed to use Peer Caching
 
+MDM Setting: **DOMinDiskSizeAllowedToPeer**
+
 This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and **the default value is 32 GB**.
 
 >[!NOTE]
@@ -168,57 +178,82 @@ This setting specifies the required minimum disk size (capacity in GB) for the d
 
 ### Max Cache Age
 
-In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
+MDM Setting: **DOMaxCacheAge**
+
+In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
 
 ### Max Cache Size
 
-This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
+MDM Setting: **DOMaxCacheSize**
+
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
 
 ### Absolute Max Cache Size
 
-This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. **The default value is 10 GB**.
+MDM Setting: **DOAbsoluteMaxCacheSize**
+
+This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it overrides the [**Max Cache Size**](#max-cache-size) setting. **The default value is 10 GB**.
 
 ### Minimum Peer Caching Content File Size
 
+MDM Setting: **DOMinFileSizeToCache**
+
 This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50 MB** to participate in peering.
 
 ### Maximum Download Bandwidth
 
+MDM Setting: **DOMaxUploadBandwidth**
+
+Deprecated in Windows 10, version 2004.
 This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
 
-> [!NOTE]
-> This is the best option for low bandwidth environments.
 
 ### Maximum Foreground Download Bandwidth
 
+MDM Setting: **DOPercentageMaxForegroundBandwidth**
+
 Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
 
 ### Maximum Background Download Bandwidth
 
+MDM Setting: **DOPercentageMaxBackgroundBandwidth**
+
 Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
 
+> [!NOTE]
+> It is recommended to use the absolute value download options 'DOMaxBackgroundDownloadBandwidth' and 'DOMaxForegroundDownloadBandwidth', rather than percentage-based options, for low bandwidth environments.
+
 ### Percentage of Maximum Download Bandwidth
 
-This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+MDM Setting: **DOPercentageMaxDownloadBandwidth**
 
-> [!NOTE]
-> It is recommended to use the absolute value download option 'Maximum Download Bandwidth', rather than percentage-based options, for low bandwidth environments.
+Deprecated in Windows 10, version 2004.
+This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
 
 ### Max Upload Bandwidth
 
+MDM Setting: **DOMaxUploadBandwidth**
+
+Deprecated in Windows 10, version 2004.
 This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it doesn't cap the upload bandwidth rate at a set rate.
 
 ### Set Business Hours to Limit Background Download Bandwidth
 
+MDM Setting: **DOSetHoursToLimitBackgroundDownloadBandwidth**
+
 Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
 
 ### Set Business Hours to Limit Foreground Download Bandwidth
 
+MDM Setting: **DOSetHoursToLimitForegroundDownloadBandwidth**
+
 Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
 
 ### Select a method to restrict peer selection
 
-Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**.
+MDM Setting: **DORestrictPeerSelectionBy**
+
+Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11, the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets.
 
 If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
 
@@ -226,40 +261,58 @@ The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered polic
 
 ### Delay background download from HTTP (in secs)
 
+MDM Setting: **DODelayBackgroundDownloadFromHttp**
+
 Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
 
 ### Delay foreground download from HTTP (in secs)
 
+MDM Setting: **DODelayForegroundDownloadFromHttp**
+
 Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
 
 ### Delay Foreground Download Cache Server Fallback (in secs)
 
+MDM Setting: **DelayCacheServerFallbackForeground**
+
 Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
 
 By default this policy isn't set. So,
 
 ### Delay Background Download Cache Server Fallback (in secs)
 
+MDM Setting: **DelayCacheServerFallbackBackground**
+
 Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
 
 ### Minimum Background QoS
 
-This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
+MDM Setting: **DOMinBackgroundQoS**
+
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content is sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
 
 ### Modify Cache Drive
 
+MDM Setting: **DOModifyCacheDrive**
+
 This setting allows for an alternate Delivery Optimization cache location on the clients. **By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable.** You can set the value to an environment variable (for example, %SYSTEMDRIVE%), a drive letter (for example, D:), or a folder path (for example, D:\DOCache).
 
 ### Monthly Upload Data Cap
 
+MDM Setting: **DOMonthlyUploadDataCap**
+
 This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. **The default value for this setting is 20 GB.**
 
 ### Enable Peer Caching while the device connects via VPN
 
-This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+MDM Setting: **DOAllowVPNPeerCaching**
+
+This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed, except when the 'Local Discovery' (DNS-SD) option is chosen.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
 
 ### Allow uploads while the device is on battery while under set Battery level
 
+MDM Setting: **DOMinBatteryPercentageAllowedToUpload**
+
 This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%).
 The device can download from peers while on battery regardless of this policy.
 
@@ -268,6 +321,8 @@ The device can download from peers while on battery regardless of this policy.
 
 ### Cache Server Hostname
 
+MDM Setting: **DOCacheHost**
+
 Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.**
 
 >[!IMPORTANT]
@@ -275,12 +330,14 @@ Set this policy to designate one or more Microsoft Connected Cache servers to be
 
 ### Cache Server Hostname Source
 
+MDM Setting: **DOCacheHostSource**
+
 This policy allows you to specify how your client(s) can discover Delivery Optimization in Network Cache servers dynamically. There are two options:
 
 - 1 = DHCP Option 235.
 - 2 = DHCP Option 235 Force.
 
-With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.**
+With either option, the client queries DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.**
 
 Set this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your DHCP server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.
 
@@ -289,12 +346,16 @@ Set this policy to designate Delivery Optimization in Network Cache servers thro
 
 ### Maximum Foreground Download Bandwidth (in KB/s)
 
+MDM Setting: **DOMaxForegroundDownloadBandwidth**
+
 Specifies the maximum foreground download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
 
 **The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.**
 
 ### Maximum Background Download Bandwidth (in KB/s)
 
+MDM Setting: **DOMaxBackgroundDownloadBandwidth**
+
 Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
 
 **The default value "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.**

windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md

@@ -170,7 +170,7 @@ Device conflict across different deployment rings in different Autopatch groups
 | -----  | ----- |
 | You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.<p>Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You’re required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.</p> |
 
-#### Device conflict prior device registration
+#### Device conflict prior to device registration
 
 When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Azure AD groups, used in Autopatch groups’ deployment rings, are registered with the service.
 

windows/deployment/windows-autopatch/index.yml

@@ -10,6 +10,7 @@ metadata:
   ms.topic: landing-page # Required
   author: tiaraquan #Required; your GitHub user alias, with correct capitalization.
   ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
+  manager: dougeby
   ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
   ms.prod: windows-client
   ms.technology: itpro-updates

windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md

@@ -1,7 +1,7 @@
 ---
 title: Device alerts
 description: Provide notifications and information about the necessary steps to keep your devices up to date. 
-ms.date: 07/25/2023
+ms.date: 08/01/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -79,6 +79,7 @@ Alert resolutions are provided through the Windows Update service and provide th
 | `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might have been redirected to another drive. | The Windows Update service has reported that the Windows Update file location may be redirected to an invalid location. Check your Windows Installation, and retry the update.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service has reported that another update may have replaced the one you're trying to install. Check the update, and then try reinstalling it. |
 | `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service has reported the system doesn't have sufficient system memory to perform the update.<p>Restart Windows, then try the installation again.</p><p>If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefile(s). For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).</p> |
+| `InstallSetupBlock` | There is an application or driver blocking the upgrade. | The Windows Update service has detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
 | `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service has reported an error during installation.Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service has reported a policy conflict. Review  the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review  the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md

@@ -17,7 +17,7 @@ ms.collection:
 
 # Windows quality and feature update reports overview
 
-## Windows quality reports
+## Windows quality update reports
 
 The Windows quality reports provide you with information about:
 

windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md

@@ -1,7 +1,7 @@
 ---
 title: Roles and responsibilities
 description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
-ms.date: 07/25/2023
+ms.date: 07/31/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -28,13 +28,14 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | Task | Your responsibility | Windows Autopatch |
 | ----- | :-----: | :-----: |
 | Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: |
+| Review the [FAQ](../overview/windows-autopatch-faq.yml) | :heavy_check_mark: | :x: |
 | [Review the service data platform and privacy compliance details](../overview/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
 | Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
 | Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
 | Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
 | [Configure required network endpoints](../prepare/windows-autopatch-configure-network.md#required-microsoft-product-endpoints) | :heavy_check_mark: | :x: |
-| [Fix issues identified by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | :heavy_check_mark: | :x: |
-| [Enroll tenant into the Windows Autopatch service](../prepare/windows-autopatch-enroll-tenant.md) | :heavy_check_mark: | :x: |
+| [Enroll tenant into the Windows Autopatch service](../prepare/windows-autopatch-enroll-tenant.md)<ul><li>[Fix issues identified by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li><li>If required, [submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md)</li></ul> | :heavy_check_mark: | :x: |
+| [Manage and respond to tenant enrollment support requests](../prepare/windows-autopatch-enrollment-support-request.md) | :x: | :heavy_check_mark: |
 | Identify stakeholders for deployment communications | :heavy_check_mark: | :x: |
 
 ## Deploy
@@ -43,20 +44,18 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | ----- | :-----: | :-----: |
 | [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Intune |  :heavy_check_mark: | :x: |
 | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
-| Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../operate/windows-autopatch-windows-quality-update-end-user-exp.md)</li><li>[Windows feature update end user experience](../operate/windows-autopatch-windows-feature-update-end-user-exp.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
-| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
-| [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: |
-| [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: |
-| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | :heavy_check_mark: | :x: |
-| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) |  :heavy_check_mark: | :x: |
-| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
+| Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)</li><li>[Windows feature update end user experience](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Edge end user experience](../operate/windows-autopatch-edge.md)</li><li>[Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
+| Review network optimization<ul><li>[Prepare your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization) | :heavy_check_mark: | :x: |
+| Review existing configurations<ul><li>Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul>|  :heavy_check_mark: | :x: |
+| Confirm your update service needs and configure your workloads<ul><li>[Turn on or off expedited Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases)</li><li>[Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates)</li><li>[Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Customize Windows Update settings](../operate/windows-autopatch-windows-update.md)</li><li>Decide your [Windows feature update versions(s)](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li></ul>| :heavy_check_mark: | :x: |
+| [Consider your Autopatch groups distribution](../deploy/windows-autopatch-groups-overview.md)<ul><li>[Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
+| [Register devices](../deploy/windows-autopatch-register-devices.md)<ul><li>[Review your device registration options](../deploy/windows-autopatch-device-registration-overview.md)</li><li>[Register your first devices](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
 | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
-| [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: |
-| [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: |
-| [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: |
-| [Remediate devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: |
-| [Populate the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: |
-| [Ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: |
+| Automatically assign devices to deployment rings at device registration<ul><li>[Default Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul>| :x: | :heavy_check_mark: |
+| Remediate registration issues<ul><li>[For devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li><li>[For devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li></ul> | :heavy_check_mark: | :x: |
+| Populate the Test and Last deployment ring membership<ul><li>[Default Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
+| [Manually override device assignments to deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: |
+| Review device conflict scenarios<ul><li>[Device conflict in deployment rings within an Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-in-deployment-rings-within-an-autopatch-group)</li><li>[Device conflict across different Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-across-different-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
 | Communicate to end-users, help desk and stakeholders | :heavy_check_mark: | :x: |
 
 ## Operate
@@ -65,36 +64,36 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | ----- | :-----: | :-----: |
 | [Maintain contacts in the Microsoft Intune admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: |
 | [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: |
-| [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) |  :heavy_check_mark: | :x: |
-| [Run on-going checks to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: |
-| [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: |
-| Monitor [Windows update signals](../operate/windows-autopatch-windows-quality-update-signals.md) for safe update release | :x: | :heavy_check_mark: |
-| Test specific [business update scenarios](../operate/windows-autopatch-windows-quality-update-signals.md) | :heavy_check_mark: | :x: |
-| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | :heavy_check_mark: | :x: |
-| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) |  :heavy_check_mark: | :x: |
-| [Define and implement service default release schedule](../operate/windows-autopatch-windows-quality-update-overview.md) | :x: | :heavy_check_mark: |
-| Communicate the update [release schedule](../operate/windows-autopatch-windows-quality-update-communications.md) | :x: | :heavy_check_mark: |
-| Release updates (as scheduled)<ul><li>[Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases)</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)</li><ul>| :x: | :heavy_check_mark: |
-| [Release updates (expedited)](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :x: | :heavy_check_mark: |
-| [Deploy updates to devices](../operate/windows-autopatch-update-management.md) | :x: | :heavy_check_mark: |
-| Monitor [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md) or [feature updates](../operate/windows-autopatch-windows-feature-update-overview.md) through the release cycle | :x: | :heavy_check_mark: |
-| Review [update reports](../operate/windows-autopatch-windows-quality-update-reports-overview.md) | :heavy_check_mark: | :x: |
-| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-windows-quality-update-signals.md) | :x: | :heavy_check_mark: |
-| [Pause updates (initiated by you)](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) | :heavy_check_mark: | :x: |
+| [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: |
+| Resolve service remediated device conflict scenarios<ul><li>[Device conflict in deployment rings within an Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-in-deployment-rings-within-an-autopatch-group)</li><li>[Default to Custom Autopatch group device conflict](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#default-to-custom-autopatch-group-device-conflict)</li></ul> | :x: | :heavy_check_mark: |
+| Resolve remediated device conflict scenarios<ul><li>[Custom to Custom Autopatch group device conflict](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#custom-to-custom-autopatch-group-device-conflict)</li><li>[Device conflict prior to device registration](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-prior-to-device-registration)</li></ul> |  :heavy_check_mark: | :x: |
+| Maintain the Test and Last deployment ring membership<ul><li>[Default Windows Autopatch deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
+| Monitor [Windows update signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md) for safe update release<ul><li>[Pre-release signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md#pre-release-signals)</li><li>[Early signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md#early-signals)</li><li>[Device reliability signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md#device-reliability-signals)</li></ul> | :x: | :heavy_check_mark: |
+| Test specific [business update scenarios](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | :heavy_check_mark: | :x: |
+| [Define and implement service default release schedule](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | :x: | :heavy_check_mark: |
+| Maintain your workload configuration and custom release schedule<ul><li>[Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md)</li><li>[Decide your Windows feature update version(s)](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li></ul> | :heavy_check_mark: | :x: |
+| Communicate the update [release schedule](../operate/windows-autopatch-windows-quality-update-communications.md) to IT admins | :x: | :heavy_check_mark: |
+| Release updates (as scheduled)<ul><li>[Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-management)</li><li>[Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)</li><ul>| :x: | :heavy_check_mark: |
+| [Release updates (expedited)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases) | :x: | :heavy_check_mark: |
+| [Release updates (OOB)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#out-of-band-releases) | :x: | :heavy_check_mark: |
+| [Deploy updates to devices](../operate/windows-autopatch-groups-update-management.md) | :x: | :heavy_check_mark: |
+| Monitor [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-management) or [feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) through the release cycle | :x: | :heavy_check_mark: |
+| Review [release announcements](../operate/windows-autopatch-groups-windows-quality-update-overview.md#) | :heavy_check_mark: | :x: |
+| Review deployment progress using Windows Autopatch reports<ul><li>[Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)</li><li>[Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)</li></ul> | :heavy_check_mark: | :x: |
+| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | :x: | :heavy_check_mark: |
+| [Pause updates (initiated by you)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) | :heavy_check_mark: | :x: |
 | Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: |
-| [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: |
-| Resolve any conflicting and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
-| [Investigate devices that aren't up to date within the service level objective (Microsoft action)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: |
-| [Investigate and remediate devices that are marked as ineligible (Customer action)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: |
+| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul> | :heavy_check_mark: | :x: |
+| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li></ul>
 | [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
 | [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: |
 | [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: |
 | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
 | [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
 | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
-| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality update communications](../operate/windows-autopatch-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
-| [Highlight Windows Autopatch Tenant management alerts that require customer action](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :x: | :heavy_check_mark: |
-| [Review and respond to Windows Autopatch Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :heavy_check_mark: | :x: |
+| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
+| Highlight Windows Autopatch management alerts that require customer action<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :x: | :heavy_check_mark: |
+| Review and respond to Windows Autopatch management alerts<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :heavy_check_mark: | :x: |
 | [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |
 | [Manage and respond to support requests](../operate/windows-autopatch-support-request.md#manage-an-active-support-request) | :x: | :heavy_check_mark: |
 | Review the [What’s new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: |

windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md

@@ -2,8 +2,8 @@
 title: Driver and firmware updates for Windows Autopatch Public Preview Addendum
 description:  This article explains how driver and firmware updates are managed in Autopatch
 ms.date: 06/26/2023 
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -14,11 +14,11 @@ msreviewer: hathind
 
 # Driver and Firmware Updates for Windows Autopatch Public Preview Addendum
 
-**This Driver and Firmware Updates for Windows Autopatch Public Preview Addendum ("Addendum") to the Microsoft Product Terms’ Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all)  (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
+**This Driver and Firmware Updates for Windows Autopatch Public Preview Addendum ("Addendum") to the Microsoft Product Terms' Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all)  (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
 
 For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:
 
-Microsoft desires to preview the Driver and Firmware Updates for Windows Autopatch service it's developing ("**Driver and Firmware Updates Preview**”) in order to evaluate it. Customer would like to particulate this Driver and Firmware Updates Preview under the Product Terms and this Addendum. Driver and Firmware Updates Preview consists of features and services that are in preview, beta, or other prerelease form. Driver and Firmware Updates Preview is subject to the "preview" terms set forth in the Product Terms’ Universal License Terms for Online Services.
+Microsoft desires to preview the Driver and Firmware Updates for Windows Autopatch service it's developing ("**Driver and Firmware Updates Preview**") in order to evaluate it. Customer would like to particulate this Driver and Firmware Updates Preview under the Product Terms and this Addendum. Driver and Firmware Updates Preview consists of features and services that are in preview, beta, or other prerelease form. Driver and Firmware Updates Preview is subject to the "preview" terms set forth in the Product Terms' Universal License Terms for Online Services.
 
 ## Definitions
 

windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md

@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 07/25/2023 
+ms.date: 08/01/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -21,12 +21,21 @@ This article lists new and updated feature releases, and service releases, with
 
 Minor corrections such as typos, style, or formatting issues aren't listed.
 
+## August 2023
+
+### August feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
+
 ## July 2023
 
 ### July feature releases or updates
 
 | Article | Description |
 | ----- | ----- |
+| [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md) | Updated article to include Windows Autopatch groups |
 | [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) | General Availability<ul><li>[MC628172](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
 | [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md) | General Availability<ul><li>[MC628172](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
 | [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md) | General Availability<ul><li>[MC628172](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |

windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md

@@ -5,9 +5,7 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.reviewer:
 manager: aaroncz
-ms.custom: asr
 ms.technology: itpro-security
 ms.date: 03/16/2023
 ms.topic: article

windows/security/application-security/application-control/toc.yml

@@ -1,4 +1,10 @@
 items:
+- name: Smart App Control
+  href: windows-defender-application-control/wdac.md
+- name: Windows Defender Application Control
+  href: windows-defender-application-control/wdac.md
+- name: Windows Defender Application Control and virtualization-based protection of code integrity
+  href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
 - name: User Account Control (UAC)
   items:
   - name: Overview
@@ -7,9 +13,6 @@ items:
     href: user-account-control/how-it-works.md
   - name: UAC settings and configuration
     href: user-account-control/settings-and-configuration.md
-- name: Windows Defender Application Control and virtualization-based protection of code integrity
-  href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
-- name: Windows Defender Application Control
-  href: windows-defender-application-control/wdac.md
-- name: Smart App Control
-  href: windows-defender-application-control/wdac.md
+- name: Microsoft Vulnerable Driver Blocklist
+  href: windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+  

windows/security/application-security/application-control/user-account-control/settings-and-configuration.md

@@ -1,7 +1,7 @@
 ---
 title: User Account Control settings and configuration
 description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry.
-ms.date: 05/26/2023
+ms.date: 07/31/2023
 ms.topic: how-to
 ---
 
@@ -9,11 +9,11 @@ ms.topic: how-to
 
 ## User Account Control settings list
 
-The following table lists the available settings to configure the UAC behavior, and their default values.  
+The following table lists the available settings to configure the UAC behavior, and their default values.
 
 |Setting name| Description|
 |-|-|
-|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.|
+|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
 |Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)** : The built-in Administrator account runs all applications with full administrative privilege.|
 |Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
 |Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
@@ -82,7 +82,7 @@ The policy settings are located under: `Computer Configuration\Windows Settings\
 
 #### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
 
-The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.  
+The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
 
 | Setting name | Registry key name | Value |
 | - | - | - |

windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md

@@ -33,9 +33,9 @@ With Windows 11 2022 update, the vulnerable driver blocklist  is enabled by defa
 
 > [!NOTE]
 >
-> - The Windows Security app is updated separately from the OS and ships out of box. The version with the vulnerable driver blocklist toggle is in the final validation ring and will ship to all customers very soon. Initially, you will be able to view the configuration state only and the toggle will appear grayed out. The ability to turn the toggle on or off will come with a future Windows update.
+> - **Windows Security** is updated separately from the OS and ships out of box. The version with the vulnerable driver blocklist toggle is in the final validation ring and will ship to all customers very soon. Initially, you will be able to view the configuration state only and the toggle will appear grayed out. The ability to turn the toggle on or off will come with a future Windows update.
 >
-> - For Windows Insiders, the option to turn Microsoft's vulnerable driver blocklist on or off using the Windows Security app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
+> - For Windows Insiders, the option to turn Microsoft's vulnerable driver blocklist on or off using **Windows Security** settings is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
 
 The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022. The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing.
 

windows/security/application-security/application-isolation/toc.yml

@@ -1,6 +1,6 @@
 items:
 - name: Microsoft Defender Application Guard (MDAG)
-  href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
+  href: microsoft-defender-application-guard/md-app-guard-overview.md
 - name: MDAG for Edge standalone mode
   href: microsoft-defender-application-guard/md-app-guard-overview.md
 - name: MDAG for Edge enterprise mode and enterprise management 🔗
@@ -9,7 +9,7 @@ items:
   href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
 - name: MDAG configure via MDM 🔗
   href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
-- name: Windows containers 🔗
+- name: App containers 🔗
   href: /virtualization/windowscontainers/about
 - name: Windows Sandbox
   href: windows-sandbox/windows-sandbox-overview.md

windows/security/application-security/toc.yml

@@ -1,8 +1,8 @@
 items:
 - name: Overview
   href: index.md
-- name: Application Control
+- name: Application and driver control
   href: application-control/toc.yml
-- name: Application Isolation
+- name: Application isolation
   href: application-isolation/toc.yml
 

windows/security/docfx.json

@@ -134,10 +134,20 @@
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
         ],
-        "hardware-security//**/*.md": [
+        "hardware-security/**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
         ],
+        "hardware-security/pluton/**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
+        ],
+        "hardware-security/tpm/**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
+        ],
         "identity-protection/**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"

windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md

@@ -37,17 +37,17 @@ appliesto:
 
 To enable memory integrity on Windows devices with supporting hardware throughout an enterprise, use any of these options:
 
-- [Windows Security app](#windows-security-app)
+- [Windows Security settings](#windows-security)
 - [Microsoft Intune (or another MDM provider)](#enable-memory-integrity-using-intune)
 - [Group Policy](#enable-memory-integrity-using-group-policy)
 - [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
 - [Registry](#use-registry-keys-to-enable-memory-integrity)
 
-### Windows Security app
+### Windows Security
 
-**Memory integrity** can be turned on in the Windows Security app and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
+**Memory integrity** can be turned on in **Windows Security** settings and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
 
-Beginning with Windows 11 22H2, the Windows Security app shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within the Windows Security app.
+Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
 
 To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect.
 

windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md

@@ -5,7 +5,7 @@ ms.collection:
   - highpri
   - tier1
 ms.topic: conceptual
-ms.date: 03/30/2023
+ms.date: 07/31/2023
 ---
 
 # Kernel DMA Protection
@@ -49,9 +49,9 @@ Kernel DMA Protection isn't compatible with other BitLocker DMA attacks counterm
 
 Systems that support Kernel DMA Protection will enable the feature automatically, with no user or IT admin configuration required.
 
-You can use the Windows Security app to check if Kernel DMA Protection is enabled:
+You can use the Windows Security settings to check if Kernel DMA Protection is enabled:
 
-1. Open Windows Security app
+1. Open **Windows Security**.
 1. Select **Device security > Core isolation details > Memory access protection**
 
 :::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::

windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md

@@ -2,9 +2,7 @@
 title: Microsoft Pluton security processor
 description: Learn more about Microsoft Pluton security processor
 ms.topic: conceptual
-ms.date: 09/15/2022
-appliesto: 
-  - ✅ <b>Windows 11, version 22H2</b>
+ms.date: 07/31/2023
 ---
 
 # Microsoft Pluton security processor

windows/security/hardware-security/pluton/pluton-as-tpm.md

@@ -2,9 +2,7 @@
 title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
 description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
 ms.topic: conceptual
-ms.date: 09/15/2022
-appliesto: 
-  - ✅ <b>Windows 11, version 22H2</b>
+ms.date: 07/31/2023
 ---
 
 # Microsoft Pluton as Trusted Platform Module

windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md

@@ -2,7 +2,7 @@
 title: System Guard Secure Launch and SMM protection
 description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
 ms.localizationpriority: medium
-ms.date: 11/30/2021
+ms.date: 07/31/2023
 ms.topic: conceptual
 ---
 
@@ -19,7 +19,7 @@ You can enable System Guard Secure Launch by using any of these options:
 
 - [Mobile Device Management (MDM)](#mobile-device-management)
 - [Group Policy](#group-policy)
-- [Windows Security app](#windows-security-app)
+- [Windows Security settings](#windows-security)
 - [Registry](#registry)
 
 ### Mobile Device Management
@@ -34,11 +34,11 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
 
     ![Secure Launch Configuration.](images/secure-launch-group-policy.png)
 
-### Windows Security app
+### Windows Security
 
 Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
 
-  ![Windows Security app.](images/secure-launch-security-app.png)
+  ![Windows Security settings.](images/secure-launch-security-app.png)
 
 ### Registry
 
@@ -58,7 +58,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
 
 To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
 
-![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png)
+![Verifying Secure Launch is running in the Windows Security settings.](images/secure-launch-msinfo.png)
 
 > [!NOTE]
 > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).

windows/security/hardware-security/toc.yml

@@ -6,36 +6,36 @@ items:
       - name: Windows Defender System Guard
         href: how-hardware-based-root-of-trust-helps-protect-windows.md
       - name: Trusted Platform Module
-        href: ../information-protection/tpm/trusted-platform-module-top-node.md
+        href: tpm/trusted-platform-module-top-node.md
         items:
           - name: Trusted Platform Module overview
-            href: ../information-protection/tpm/trusted-platform-module-overview.md
+            href: tpm/trusted-platform-module-overview.md
           - name: TPM fundamentals
-            href: ../information-protection/tpm/tpm-fundamentals.md
+            href: tpm/tpm-fundamentals.md
           - name: How Windows uses the TPM
-            href: ../information-protection/tpm/how-windows-uses-the-tpm.md
+            href: tpm/how-windows-uses-the-tpm.md
           - name: Manage TPM commands
-            href: ../information-protection/tpm/manage-tpm-commands.md
-          - name: Manager TPM Lockout
-            href: ../information-protection/tpm/manage-tpm-lockout.md
+            href: tpm/manage-tpm-commands.md
+          - name: Manage TPM Lockout
+            href: tpm/manage-tpm-lockout.md
           - name: Change the TPM password
-            href: ../information-protection/tpm/change-the-tpm-owner-password.md
+            href: tpm/change-the-tpm-owner-password.md
           - name: TPM Group Policy settings
-            href: ../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+            href: tpm/trusted-platform-module-services-group-policy-settings.md
           - name: Back up the TPM recovery information to AD DS
-            href: ../information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+            href: tpm/backup-tpm-recovery-information-to-ad-ds.md
           - name: View status, clear, or troubleshoot the TPM
-            href: ../information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+            href: tpm/initialize-and-configure-ownership-of-the-tpm.md
           - name: Understanding PCR banks on TPM 2.0 devices
-            href: ../information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+            href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md
           - name: TPM recommendations
-            href: ../information-protection/tpm/tpm-recommendations.md
+            href: tpm/tpm-recommendations.md
       - name: Microsoft Pluton security processor
         items:
           - name: Microsoft Pluton overview
-            href: ../information-protection/pluton/microsoft-pluton-security-processor.md
+            href: pluton/microsoft-pluton-security-processor.md
           - name: Microsoft Pluton as TPM
-            href: ../information-protection/pluton/pluton-as-tpm.md
+            href: pluton/pluton-as-tpm.md
   - name: Silicon assisted security
     items:
       - name: Virtualization-based security (VBS) 🔗
@@ -48,9 +48,9 @@ items:
         href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
       - name: Secured-core PC 🔗
         href: /windows-hardware/design/device-experiences/oem-highly-secure-11
-      - name: Secured-core PC configuration lock
-        href: /windows/client-management/config-lock 🔗
+      - name: Secured-core PC configuration lock 🔗
+        href: /windows/client-management/config-lock
       - name: Kernel Direct Memory Access (DMA) protection
         href: kernel-dma-protection-for-thunderbolt.md
       - name: System Guard Secure Launch
-        href: system-guard-secure-launch-and-smm-protection.md
+        href: system-guard-secure-launch-and-smm-protection.md

windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md

@@ -3,9 +3,6 @@ title: Back up TPM recovery information to Active Directory
 description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # Back up the TPM recovery information to AD DS

windows/security/hardware-security/tpm/change-the-tpm-owner-password.md

@@ -1,14 +1,8 @@
 ---
-title: Change the TPM owner password 
+title: Change the TPM owner password
 description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Change the TPM owner password

windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md

@@ -3,9 +3,6 @@ title: How Windows uses the TPM
 description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # How Windows uses the Trusted Platform Module
@@ -22,11 +19,11 @@ TPMs are passive: they receive commands and return responses. To realize the ful
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
-OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*.
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*.
 
 The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't.
 
-Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
+Certification programs for TPMs-and technology in general-continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
 
 ## TPM in Windows
 
@@ -64,7 +61,7 @@ The adoption of new authentication technology requires that identity providers a
 
 Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
 
-- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
+- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
 
 - **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
 
@@ -77,7 +74,7 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
 
 BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
 
-In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
+In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however-for example, a different operating system is booted from a USB device-the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
 
 - **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
 

windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md

@@ -3,9 +3,6 @@ title: Troubleshoot the TPM
 description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ms.collection:
 - highpri
 - tier1

windows/security/hardware-security/tpm/manage-tpm-commands.md

@@ -1,14 +1,8 @@
 ---
-title: Manage TPM commands 
+title: Manage TPM commands
 description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Manage TPM commands

windows/security/hardware-security/tpm/manage-tpm-lockout.md

@@ -1,15 +1,10 @@
 ---
-title: Manage TPM lockout 
+title: Manage TPM lockout
 description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
+
 # Manage TPM lockout
 
 This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.

windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md

@@ -3,9 +3,6 @@ title: UnderstandPCR banks on TPM 2.0 devices
 description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # PCR banks on TPM 2.0 devices

windows/security/hardware-security/tpm/tpm-fundamentals.md

@@ -3,9 +3,6 @@ title: Trusted Platform Module (TPM) fundamentals
 description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
 ms.topic: conceptual
 ms.date: 03/09/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # TPM fundamentals
@@ -116,4 +113,4 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
 - Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered.
   With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors
 - Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements
-- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password
+- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password

windows/security/hardware-security/tpm/tpm-recommendations.md

@@ -1,14 +1,11 @@
 ---
-title: TPM recommendations 
+title: TPM recommendations
 description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
-ms.collection: 
-  - highpri
-  - tier1
+ms.collection:
+- highpri
+- tier1
 ---
 
 # TPM recommendations
@@ -25,7 +22,7 @@ TPMs are passive: they receive commands and return responses. To realize the ful
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
-OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
 
 The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
 
@@ -90,7 +87,7 @@ For end consumers, TPM is behind the scenes but is still relevant. TPM is used f
 
 - TPM is optional on IoT Core.
 
-### Windows Server 2016
+### Windows Server 2016
 
 - TPM is optional for Windows Server SKUs unless the SKU meets the other qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
 

windows/security/hardware-security/tpm/trusted-platform-module-overview.md

@@ -3,12 +3,9 @@ title: Trusted Platform Module Technology Overview
 description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.topic: conceptual
 ms.date: 02/22/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
-ms.collection: 
-  - highpri
-  - tier1
+ms.collection:
+- highpri
+- tier1
 ---
 
 # Trusted Platform Module Technology Overview

windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md

@@ -1,16 +1,12 @@
 ---
-title: TPM Group Policy settings 
+title: TPM Group Policy settings
 description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 ms.topic: conceptual
-ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.date: 07/31/2023
 ---
 
 # TPM Group Policy settings
 
-
 This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 
 The Group Policy settings for TPM services are located at:
@@ -34,11 +30,11 @@ This policy setting configured which TPM authorization values are stored in the
 
 There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
 
--   **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
+-   **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
 
--   **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
+-   **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
 
--   **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
+-   **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
 
 > [!NOTE]
 > If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
@@ -57,7 +53,6 @@ The following table shows the TPM owner authorization values in the registry.
 | 2          | Delegated |
 | 4          | Full      |
 
-
 If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose.
 
 On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
@@ -73,9 +68,9 @@ This setting helps administrators prevent the TPM hardware from entering a locko
 
 For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration:
 
--   [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
+-   [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
 
--   [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
+-   [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
 
 An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
 
@@ -107,32 +102,36 @@ If you do not configure this policy setting, a default value of 9 is used. A val
 
 ## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
 
-Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. 
+Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below.
 
 > [!IMPORTANT]
-> Setting this policy will take effect only if:  
-> -   The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
-> -   The system has a TPM 2.0. 
-> 
+> Setting this policy will take effect only if:
+>
+> - The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
+> - The system has a TPM 2.0.
+
 > [!NOTE]
 > Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either:
+>
 > -  Disable it from group policy
 > -  Clear the TPM on the system
 
-## TPM Group Policy settings in the Windows Security app
+## TPM Group Policy settings in Windows Security
 
-You can change what users see about TPM in the Windows Security app. The Group Policy settings for the TPM area in the Windows Security app are located at:
+You can change what users see about TPM in **Windows Security**. The Group Policy settings for the TPM area in **Windows Security** are located at:
 
-**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security** 
+**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security**
 
 ### Disable the Clear TPM button
-If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use.
+
+If you don't want users to be able to click the **Clear TPM** button in **Windows Security**, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use.
 
 ### Hide the TPM Firmware Update recommendation
+
 If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected.
 
 ## Related topics
 
-- [Trusted Platform Module](trusted-platform-module-top-node.md) 
+- [Trusted Platform Module](trusted-platform-module-top-node.md)
 - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
 - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../../operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)

windows/security/hardware-security/tpm/trusted-platform-module-top-node.md

@@ -1,14 +1,11 @@
 ---
-title: Trusted Platform Module 
+title: Trusted Platform Module
 description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
-ms.collection: 
-  - highpri
-  - tier1
+ms.collection:
+- highpri
+- tier1
 ---
 
 # Trusted Platform Module

windows/security/identity-protection/credential-guard/credential-guard-requirements.md

@@ -85,7 +85,7 @@ The following tables describe baseline protections, plus protections for improve
 |---|---|---|
 |Hardware: **64-bit CPU**        |A 64-bit computer is required for the Windows hypervisor to provide VBS.|
 |Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**: </br> - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system. </br></br> Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.|
-|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
+|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../hardware-security/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
 |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
 |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
 |Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|

windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md

@@ -359,7 +359,7 @@ A TPM implements controls that meet the specification described by the Trusted C
 - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
 - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
 
-Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md).
+Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../hardware-security/tpm/tpm-recommendations.md).
 
 Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
 

windows/security/includes/sections/operating-system.md

@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 06/06/2023
+ms.date: 07/31/2023
 ms.topic: include
 ---
 
@@ -21,7 +21,7 @@ ms.topic: include
 | **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
 | **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
 | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
-| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the Windows Security app. |
+| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the **Windows Security** settings. |
 | **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware.  |
 | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
 | **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |

windows/security/index.yml

@@ -39,7 +39,7 @@ landingContent:
       - linkListType: concept
         links:
         - text: Trusted Platform Module
-          url: information-protection/tpm/trusted-platform-module-top-node.md
+          url: hardware-security/tpm/trusted-platform-module-top-node.md
         - text: Windows Defender System Guard firmware protection
           url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
         - text: System Guard Secure Launch and SMM protection enablement

windows/security/introduction.md

@@ -1,7 +1,7 @@
 ---
 title: Introduction to Windows security
 description: System security book.
-ms.date: 04/24/2023
+ms.date: 08/01/2023
 ms.topic: tutorial
 ms.author: paoloma
 content_well_notification: 
@@ -15,7 +15,7 @@ appliesto:
 
 The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
 
-Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
+Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
 
 ## How Windows 11 enables Zero Trust protection
 
@@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
 1. When verified, give people and devices access to only necessary resources for the necessary amount of time
 1. Use continuous analytics to drive threat detection and improve defenses
 
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
 
 ### Security, by default
 
@@ -35,7 +35,7 @@ Windows 11 is a natural evolution of its predecessor, Windows 10. We have collab
 
 With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
 
-In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
+In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
 
 ### Robust application security and privacy controls
 
@@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
 
 ### Secured identities
 
-Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
+Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
 
 ### Connecting to cloud services
 

windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md

@@ -15,7 +15,7 @@ This article for IT professionals describes the function, location, and effect o
 Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
 
 > [!NOTE]
-> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md).
+> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md).
 
 BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
 
@@ -219,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must
 
 Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
 
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
 
 The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
 

windows/security/operating-system-security/data-protection/bitlocker/index.md

@@ -48,7 +48,8 @@ The hard disk must be partitioned with at least two drives:
 
 When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
 
-A partition subject to encryption can't be marked as an active partition. This requirement applies to the operating system drives, fixed data drives, and removable data drives.
+> [!IMPORTANT]
+> An encrypted partition can't be marked as active.
 
 When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
 

windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md

@@ -755,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
 
 - [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
 - [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
-- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module technology overview](../../hardware-security/tpm/trusted-platform-module-overview.md)

windows/security/operating-system-security/system-security/toc.yml

@@ -9,7 +9,7 @@ items:
   href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
 - name: Cryptography and certificate management
   href: cryptography-certificate-mgmt.md
-- name: Windows Security app
+- name: Windows Security settings
   href: windows-defender-security-center/windows-defender-security-center.md
   items:
   - name: Virus & threat protection
@@ -25,4 +25,8 @@ items:
   - name: Device performance & health
     href: windows-defender-security-center\wdsc-device-performance-health.md
   - name: Family options
-    href: windows-defender-security-center\wdsc-family-options.md
+    href: windows-defender-security-center\wdsc-family-options.md
+  - name: Customize contact information
+    href: windows-defender-security-center\wdsc-customize-contact-information.md
+  - name: Hide notifications
+    href: windows-defender-security-center\wdsc-hide-notifications.md

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md

@@ -1,7 +1,7 @@
 ---
-title: Account protection in the Windows Security app
+title: Account protection in Windows Security
 description: Use the Account protection section to manage security for your account and sign in to Microsoft.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -18,7 +18,7 @@ You can also choose to hide the section from users of the device. This is useful
 
 ## Hide the Account protection section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 You can only configure these settings by using Group Policy.
 
@@ -32,6 +32,6 @@ You can only configure these settings by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md

@@ -1,7 +1,7 @@
 ---
-title: App & browser control in the Windows Security app
+title: App & browser control in Windows Security
 description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -30,7 +30,7 @@ You can only prevent users from modifying Exploit protection settings by using G
 
 ## Hide the App & browser control section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -44,6 +44,6 @@ This section can be hidden only by using Group Policy.
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md

@@ -1,13 +1,13 @@
 ---
-title: Customize Windows Security contact information
+title: Customize Windows Security contact information in Windows Security
 description: Provide information to your employees on how to contact your IT department when a security issue occurs
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
-# Customize the Windows Security app for your organization
+# Customize the Windows Security settings for your organization
 
-You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
+You can add information about your organization in a contact card in **Windows Security**. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
 
 ![The Windows Security custom fly-out.](images/security-center-custom-flyout.png)
 
@@ -16,7 +16,7 @@ This information will also be shown in some enterprise-specific notifications (i
 Users can select the displayed information to initiate a support request:
 
 - Select **Call** or the phone number to open Skype to start a call to the displayed number.
-- Select  **Email** or the email address to create a new email in the machine's default email app address to the displayed email.
+- Select **Email** or the email address to create a new email in the machine's default email app addressed to the displayed email.
 - Select **Help portal** or the website URL to open the machine's default web browser and go to the displayed address.
 
 ## Requirements

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md

@@ -1,7 +1,7 @@
 ---
-title: Device & performance health in the Windows Security app
+title: Device & performance health in Windows Security
 description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -12,11 +12,11 @@ The **Device performance & health** section contains information about hardware,
 
 The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
 
-In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+This section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
 
 ## Hide the Device performance & health section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -30,6 +30,6 @@ This section can be hidden only by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md

@@ -1,7 +1,7 @@
 ---
-title: Device security in the Windows Security app
+title: Device security in Windows Security
 description: Use the Device security section to manage security built into your device, including virtualization-based security.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -13,7 +13,7 @@ You can choose to hide the section from users of the machine. This option can be
 
 ## Hide the Device security section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side. You can hide the device security section by using Group Policy only.
 
 > [!IMPORTANT]
 > You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
@@ -25,13 +25,13 @@ You can choose to hide the entire section by using Group Policy. The section won
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 
 ## Disable the Clear TPM button
 
-If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
+If you don't want users to be able to click the **Clear TPM** button in **Windows Security**, you can disable it.
 
 > [!IMPORTANT]
 > You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md

@@ -1,22 +1,22 @@
 ---
-title: Family options in the Windows Security app
+title: Family options in Windows Security
 description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
 
 # Family options
 
-The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
+The **Family options** section contains links to settings and further information for parents of a Windows PC. It isn't intended for enterprise or business environments.
 
 Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
 
-In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
+This section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
 
 ## Hide the Family options section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -30,6 +30,6 @@ This section can be hidden only by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md

@@ -1,7 +1,7 @@
 ---
-title: Firewall and network protection in the Windows Security app
+title: Firewall and network protection in Windows Security
 description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -9,11 +9,11 @@ ms.topic: article
 
 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
 
-In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
 
 ## Hide the Firewall & network protection section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -27,6 +27,6 @@ This section can be hidden only by using Group Policy.
 1. Deploy the updated GPO as you normally do.
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md

@@ -1,13 +1,13 @@
 ---
-title: Hide notifications from the Windows Security app
-description: Prevent Windows Security app notifications from appearing on user endpoints
-ms.date: 12/31/2018
+title: Hide notifications from Windows Security
+description: Prevent Windows Security notifications from appearing on user endpoints
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
-# Hide Windows Security app notifications
+# Hide Windows Security notifications
 
-The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
+**Windows Security** is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
 
 In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
 
@@ -38,7 +38,7 @@ These notifications can be hidden only by using Group Policy.
 
 ## Use Group Policy to hide all notifications
 
-You can hide all notifications that are sourced from the Windows Security app. This option may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.
+You can hide all notifications that are sourced from **Windows Security**. This option may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.
 
 These notifications can be hidden only by using Group Policy.
 
@@ -57,11 +57,18 @@ These notifications can be hidden only by using Group Policy.
 
 > [!NOTE]
 > You can use the following registry key and DWORD value to **Hide all notifications**.
-> **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
-    **"DisableNotifications"=dword:00000001**
+>
+> ```text
+> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
+>   "DisableNotifications"=dword:00000001
+> ```
+>
 > You can use the following registry key and DWORD value to **Hide not-critical notifications**.
->**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
-     **"DisableEnhancedNotifications"=dword:00000001**
+>
+> ```text
+> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
+>   "DisableEnhancedNotifications"=dword:00000001
+> ```
 
 ## Notifications
 
@@ -79,7 +86,7 @@ These notifications can be hidden only by using Group Policy.
 | Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
 | Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
 | Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |Virus & threat protection notification|
-| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification|
+| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won't be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification|
 | OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |Virus & threat protection notification|
 | Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |Virus & threat protection notification|
 | Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |Virus & threat protection notification|

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md

@@ -1,7 +1,7 @@
 ---
-title: Virus and threat protection in the Windows Security app
+title: Virus and threat protection in Windows Security
 description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
-ms.date: 12/31/2017
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -13,7 +13,7 @@ In Windows 10, version 1803, this section also contains information and settings
 
 IT administrators and IT pros can get more configuration information from these articles:
 
-- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
+- [Microsoft Defender Antivirus in Windows Security](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
 - [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
 - [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
@@ -24,7 +24,7 @@ You can hide the **Virus & threat protection** section or the **Ransomware prote
 
 ## Hide the Virus & threat protection section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -38,13 +38,13 @@ This section can be hidden only by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 
 ## Hide the Ransomware protection area
 
-You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
+You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of **Windows Security**.
 
 This area can be hidden only by using Group Policy.
 

windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md

@@ -1,30 +1,30 @@
 ---
-title: Windows Security app
-description: The Windows Security app brings together common Windows security features into one place.
-ms.date: 12/31/2017
+title: Windows Security
+description: Windows Security brings together common Windows security features into one place.
+ms.date: 07/31/2023
 ms.topic: article
 ms.collection:
   - highpri
   - tier2
 ---
 
-# Windows Security app
+# Windows Security
 
-This library describes the Windows Security app, and provides information on configuring certain features, including:
+This library describes **Windows Security** settings, and provides information on configuring certain features, including:
 
-- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
+- [Showing and customizing contact information](wdsc-customize-contact-information.md)
 - [Hiding notifications](wdsc-hide-notifications.md)
 
-In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps.
+In Windows 10, version 1709 and later, the settings also show information from third-party antivirus and firewall apps.
 
-In Windows 10, version 1803, the app has two new areas: **Account protection** and **Device security**.
+In Windows 10, version 1803, the settings have two new areas: **Account protection** and **Device security**.
 
-![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png)
+![Screenshot of the Windows Security showing that the device is protected and five icons for each of the features.](images/security-center-home.png)
 
 > [!NOTE]
-> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
+> **Windows Security** is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
 
-You can't uninstall the Windows Security app, but you can do one of the following actions:
+You can't uninstall **Windows Security**, but you can do one of the following actions:
 
 - Disable the interface on Windows Server 2016.
 - Hide all of the sections on client computers.
@@ -41,19 +41,19 @@ For more information about each section, options for configuring the sections, a
 - [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Windows Security app with all sections hidden by group policy.](images/wdsc-all-hide.png)
+> ![Windows Security with all sections hidden by group policy.](images/wdsc-all-hide.png)
 
-## Open the Windows Security app
+## Open Windows Security
 
 - Select the icon in the notification area on the taskbar.
 
-    ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png)
+    ![Screenshot of the icon for the Windows Security on the Windows task bar.](images/security-center-taskbar.png)
 
 - Search the Start menu for **Windows Security**.
 
-    ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected.](images/security-center-start-menu.png)
+    ![Screenshot of the Start menu showing the results of a search for the Windows Security, the first option with a large shield symbol is selected.](images/security-center-start-menu.png)
 
 - Open an area from Windows **Settings**.
 
@@ -62,12 +62,12 @@ For more information about each section, options for configuring the sections, a
 > [!NOTE]
 > Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Configuration Manager, will generally take precedence over the settings in the Windows Security.
 
-## How the Windows Security app works with Windows security features
+## How Windows Security works with Windows security features
 
 > [!IMPORTANT]
-> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
+> **Microsoft Defender Antivirus** and **Windows Security** use similarly named services for specific purposes.
 >
-> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
+> The **Windows Security** uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that **Windows Security** provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
 >
 > These services don't affect the state of Microsoft Defender Antivirus. Disabling or modifying these services won't disable Microsoft Defender Antivirus. It will lead to a lowered protection state on the endpoint, even if you're using a third-party antivirus product.
 >
@@ -76,19 +76,19 @@ For more information about each section, options for configuring the sections, a
 > Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
 
 > [!WARNING]
-> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, **Windows Security** may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
 >
 > It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
 >
 > This will significantly lower the protection of your device and could lead to malware infection.
 
-The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
+**Windows Security** operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
 
 It acts as a collector or single place to see the status and perform some configuration for each of the features.
 
-If you disable any of the individual features, it will prevent that feature from reporting its status in the Windows Security app. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager. The Windows Security app itself will still run and show status for the other security features.
+If you disable any of the individual features, it will prevent that feature from reporting its status in **Windows Security**. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager, **Windows Security** itself will still run and show status for the other security features.
 
 > [!IMPORTANT]
-> If you individually disable any of the services, it won't disable the other services or the Windows Security app.
+> If you individually disable any of the services, it won't disable the other services or **Windows Security** itself.
 
-For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
+For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, **Windows Security** will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.

windows/security/operating-system-security/virus-and-threat-protection/toc.yml

@@ -6,8 +6,6 @@ items:
     href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
   - name: Tamper protection for MDE 🔗
     href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
-  - name: Microsoft Vulnerable Driver Blocklist 🔗
-    href: ../../application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
   - name: Controlled folder access 🔗
     href: /microsoft-365/security/defender-endpoint/controlled-folders
   - name: Exploit protection 🔗

windows/security/security-foundations/certification/fips-140-validation.md

@@ -47,7 +47,7 @@ Each of the cryptographic modules has a defined security policy that must be met
 
 ### Step 3: Enable the FIPS security policy
 
-Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode.  When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode.  This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution.   For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).  
+Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode.  When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode.  This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution.   For more information on the policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
 
 ### Step 4: Ensure that only FIPS validated cryptographic algorithms are used
 

windows/security/security-foundations/certification/toc.yml

@@ -1,5 +1,5 @@
 items:
 - name: FIPS 140-2 Validation
-  href: ../../threat-protection/fips-140-validation.md
+  href: fips-140-validation.md
 - name: Common Criteria Certifications
-  href: ../../threat-protection/windows-platform-common-criteria.md
+  href: windows-platform-common-criteria.md

windows/security/security-foundations/index.md

@@ -15,9 +15,4 @@ Our strong security foundation uses Microsoft Security Development Lifecycle (SD
 
 Use the links in the following table to learn more about the security foundations:
 
-| Concept | Description |
-|:---|:---|
-| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. <br/><br/>Learn more about [FIPS 140-2 Validation](../threat-protection/fips-140-validation.md). |
-| Common Criteria Certifications |  Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products. <br/><br/>Learn more about [Common Criteria Certifications](../threat-protection/windows-platform-common-criteria.md). |
-| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.<br/><br/>Learn more about [Microsoft SDL](../threat-protection/msft-security-dev-lifecycle.md).|
-| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.<br/><br/>Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). |
+[!INCLUDE [operating-system-security](../includes/sections/security-foundations.md)]

windows/security/security-foundations/msft-security-dev-lifecycle.md

@@ -1,14 +1,11 @@
 ---
 title: Microsoft Security Development Lifecycle
 description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development.
-ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
 ms.topic: article
-ms.localizationpriority: medium
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ms.date: 07/31/2023
 ---
 
 # Microsoft Security Development Lifecycle
@@ -20,10 +17,11 @@ The Security Development Lifecycle (SDL) is a security assurance process that is
 With the help of the combination of a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. 
 
 The Microsoft SDL is based on three core concepts:
+
 - Education
 - Continuous process improvement
 - Accountability
 
 To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl).
 
-And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://go.microsoft.com/?linkid=9708425).
+And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://www.microsoft.com/download/details.aspx?id=12379).

windows/security/security-foundations/toc.yml

@@ -1,7 +1,9 @@
 items:
 - name: Overview
   href: index.md
+- name: Zero Trust and Windows
+  href: zero-trust-windows-device-health.md
 - name: Microsoft Security Development Lifecycle
-  href: ../threat-protection/msft-security-dev-lifecycle.md
+  href: msft-security-dev-lifecycle.md
 - name: Certification
-  href: certification/toc.yml
+  href: certification/toc.yml

windows/security/security-foundations/zero-trust-windows-device-health.md

@@ -41,7 +41,7 @@ Attestation helps verify the identity and status of essential components and tha
 
 These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
 
-Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
+Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](../operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
 
 A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
 

windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md

@@ -1,8 +1,8 @@
 ---
-title: UAC Run all administrators in Admin Approval Mode 
+title: UAC Run all administrators in Admin Approval Mode
 description: Learn about best practices, security considerations and more for the security policy setting, User Account Control Run all administrators in Admin Approval Mode.
 ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -20,8 +20,8 @@ ms.technology: itpro-security
 # User Account Control: Run all administrators in Admin Approval Mode
 
 **Applies to**
--   Windows 11
--   Windows 10
+-   Windows 11
+-   Windows 10
 
 This article describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
 
@@ -40,7 +40,7 @@ This policy setting determines the behavior of all User Account Control (UAC) po
     Admin Approval Mode and all related UAC policies are disabled.
 
     > [!NOTE]
-    > If this security setting is configured to **Disabled**, Windows Security app notifies the user that the overall security of the operating system has been reduced.
+    > If this security setting is configured to **Disabled**, **Windows Security** notifies the user that the overall security of the operating system has been reduced.
 
 ### Best practices
 
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
 
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined| 
-| Default Domain Controller Policy | Not defined| 
-| Stand-Alone Server Default Settings | Enabled| 
-| DC Effective Default Settings | Enabled| 
-| Member Server Effective Default Settings| Enabled| 
-| Client Computer Effective Default Settings | Enabled| 
- 
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
 ## Policy management
 
 This section describes features and tools that are available to help you manage this policy.

windows/security/toc.yml

@@ -2,14 +2,10 @@ items:
 - name: Windows security
   href: index.yml
   expanded: true
-- name: Introduction
-  items:
-  - name: Windows security overview
-    href: introduction/index.md
-  - name: Zero Trust and Windows
-    href: zero-trust-windows-device-health.md
-  - name: Security features licensing and edition requirements
-    href: licensing-and-edition-requirements.md
+- name: Introduction to Windows security
+  href: introduction.md
+- name: Security features licensing and edition requirements
+  href: licensing-and-edition-requirements.md
 - name: Hardware security
   href: hardware-security/toc.yml
 - name: Operating system security