updates

.openpublishing.redirection.windows-security.json

@@ -9984,6 +9984,36 @@
       "source_path": "windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md",
       "redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/application-security/index.md",
+      "redirect_url": "/windows/security/book/application-security.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/hardware-security/index.md",
+      "redirect_url": "/windows/security/book/hardware-security.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/cloud-services/index.md",
+      "redirect_url": "/windows/security/book/cloud-services.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/index.md",
+      "redirect_url": "/windows/security/book/identity-protection.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/index.md",
+      "redirect_url": "/windows/security/book/operating-system-security.md",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/security-foundations/index.md",
+      "redirect_url": "/windows/security/book/security-foundation.md",
+      "redirect_document_id": false
     }
   ]
 }

windows/security/application-security/index.md

@@ -1,14 +0,0 @@
----
-title: Windows application security
-description: Get an overview of application security in Windows
-ms.date: 08/02/2023
-ms.topic: conceptual
----
-
-# Windows application security
-
-Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources.
-
-Learn more about application security features in Windows.
-
-[!INCLUDE [application](../includes/sections/application.md)]

windows/security/application-security/toc.yml

@@ -1,6 +1,4 @@
 items:
-- name: Overview
-  href: index.md
 - name: Application and driver control
   href: application-control/toc.yml
 - name: Application isolation

windows/security/book/application-security-application-and-driver-control.md

@@ -22,9 +22,9 @@ We've been making significant improvements to Smart App Control to increase the
 
 Additionally, evaluation mode starts automatically enabling devices that the cloud AI model predicts will have a good experience with Smart App Control in the coming months, first starting with users in North America and eventually expanding to other regions.
 
-As a developer, to ensure that your users have a seamless experience with Smart App Control enabled, we ask that you sign your application with a code signing certificate from the Microsoft Trusted Root Program.  Make sure to include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure. More on that later in this doc.
+As a developer, to ensure that your users have a seamless experience with Smart App Control enabled, we ask that you sign your application with a code signing certificate from the Microsoft Trusted Root Program. Make sure to include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure. More on that later in this doc.
 
-Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 or later to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
+Devices running previous versions of Windows 11 must be reset with a clean installation of the operating system to take advantage of this feature. Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
 
 [!INCLUDE [learn-more](includes/learn-more.md)]
 
@@ -36,9 +36,7 @@ Your organization is only as secure as the applications that run on your devices
 
 App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
 
-Customers using Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
+Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
-
-Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
 
 [!INCLUDE [learn-more](includes/learn-more.md)]
 

windows/security/book/cloud-services-protect-your-work-information.md

@@ -249,7 +249,7 @@ There's a lot more to learn about Windows Autopatch: this [Forrester Consulting
 - [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
 - [Windows updates API overview](/graph/windowsupdates-concept-overview)
 - [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch)
-- [Windowes Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch).
+- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch).
 
 ## OneDrive for work or school
 
@@ -257,7 +257,7 @@ Data in OneDrive for work or school is protected both in transit and at rest.
 
 When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
 
-Authenticated connections are not allowed over HTTP and instead redirect to HTTPS.
+Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS.
 
 There are several ways that OneDrive for work or school is protected at rest:
 
@@ -272,40 +272,37 @@ There are several ways that OneDrive for work or school is protected at rest:
 
 ## Universal Print
 
-Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
+Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print.
 
-Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices do not need to be on the same local network as the printers or the Universal Print connector.
+Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector.
 
 Universal Print supports Zero Trust security by requiring that:
 
 - Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
 - Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
 - Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
-- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication
+- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication
 - Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
 - Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
 
-Additionally, Windows 11 includes MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
+Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, admins can now configure policy settings to provision specific printers onto the user's Windows devices.
 
-Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products.
+Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products.
 
-More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](/microsoft-365/enterprise/m365-dr-overview).
+More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24].
 
-The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode).
+The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25].
 
-Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit.
+Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit.
+
+For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
 
 [!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
+- [Universal Print][LINK-26]
-- [Data handling in Universal Print](/universal-print/data-handling)
+- [Data handling in Universal Print][LINK-27]
-- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
+- [Delegate Printer Administration with Administrative Units][LINK-28]
-
+- [Print support app design guide][LINK-29]
-For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide)
 
 <!--links-->
 
@@ -331,3 +328,10 @@ For customers who want to stay on Print Servers, we recommend using the Microsof
 [LINK-20]: /mem/autopilot/windows-autopilot-reset
 [LINK-21]: /windows/deployment/update/waas-manage-updates-wufb
 [LINK-22]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw
+[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations
+[LINK-24]: /microsoft-365/enterprise/m365-dr-overview
+[LINK-25]: /universal-print/fundamentals/universal-print-qrcode
+[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print
+[LINK-27]: /universal-print/data-handling
+[LINK-28]: /universal-print/portal/delegated-admin
+[LINK-29]: /windows-hardware/drivers/devapps/print-support-app-design-guide

windows/security/book/hardware-security-hardware-root-of-trust.md

@@ -15,9 +15,9 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
 
 [!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
+- [Windows 11 TPM specifications][LINK-1]
-- [Enable TPM 2.0 on your PC](https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
+- [Enable TPM 2.0 on your PC][LINK-2]
-- [Trusted Platform Module Technology Overview](../hardware-security/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module Technology Overview][LINK-3]
 
 ## Microsoft Pluton security processor
 
@@ -31,5 +31,13 @@ Pluton also solves the major security challenge of keeping its own security proc
 
 [!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
+- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs][LINK-4]
-- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md)
+- [Microsoft Pluton security processor][LINK-5]
+
+<!--links-->
+
+[LINK-1]: https://www.microsoft.com/windows/windows-11-specifications
+[LINK-2]: https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c
+[LINK-3]: /windows/security/hardware-security/tpm/trusted-platform-module-overview
+[LINK-4]: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/
+[LINK-5]: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor

windows/security/cloud-services/index.md

@@ -1,18 +0,0 @@
----
-title: Windows and cloud services
-description: Get an overview of cloud-based services in Windows.
-ms.date: 05/06/2024
-ms.topic: overview
-author: paolomatarazzo
-ms.author: paoloma
----
-
-# Windows and cloud services
-
-Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
-
-From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
-
-Learn more about cloud-based services in Windows.
-
-[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]

windows/security/cloud-services/toc.yml

@@ -1,6 +1,4 @@
 items:
-- name: Overview
-  href: index.md
 - name: Join Active Directory and Microsoft Entra ID with single sign-on (SSO) 🔗
   href: /azure/active-directory/devices/concept-azure-ad-join
 - name: Security baselines with Intune 🔗

windows/security/hardware-security/index.md

@@ -1,15 +0,0 @@
----
-title: Windows hardware security
-description: Learn more about hardware security features support in Windows.
-ms.date: 07/10/2024
-ms.topic: overview
-appliesto:
----
-
-# Windows hardware security
-
-:::image type="content" source="..\book\images\hardware.png" alt-text="Diagram of containing a list of security features." lightbox="..\book\images\hardware.png" border="false":::
-
-Learn more about hardware security features support in Windows.
-
-[!INCLUDE [hardware](../includes/sections/hardware.md)]

windows/security/hardware-security/toc.yml

@@ -1,6 +1,4 @@
 items:
-  - name: Overview
-    href: index.md
   - name: Hardware root of trust
     items:
       - name: System Guard

windows/security/identity-protection/index.md

@@ -1,14 +0,0 @@
----
-title: Windows identity protection
-description: Learn more about identity protection technologies in Windows.
-ms.topic: overview
-ms.date: 03/12/2024
----
-
-# Windows identity protection
-
-Learn more about identity protection technologies in Windows.
-
-[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]
-
-[!INCLUDE [identity](../includes/sections/identity.md)]

windows/security/identity-protection/toc.yml

@@ -1,6 +1,4 @@
 items:
-  - name: Overview
-    href: index.md
   - name: Passwordless sign-in
     items:
     - name: Passwordless strategy

windows/security/operating-system-security/index.md

@@ -1,16 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.date: 07/10/2024
-ms.topic: overview
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
-
-[!INCLUDE [operating-system-security](../includes/sections/operating-system-security.md)]

windows/security/operating-system-security/toc.yml

@@ -1,6 +1,4 @@
 items:
-- name: Overview
-  href: index.md
 - name: System security
   href: system-security/toc.yml
 - name: Encryption and data protection

windows/security/security-foundations/index.md

@@ -1,18 +0,0 @@
----
-title: Windows security foundations
-description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
-ms.topic: overview
-ms.date: 04/10/2024
-author: paolomatarazzo
-ms.author: paoloma
----
-
-# Windows security foundations
-
-Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today's threat environment.
-
-Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified.
-
-Use the links in the following table to learn more about the security foundations:
-
-[!INCLUDE [security-foundations](../includes/sections/security-foundations.md)]

windows/security/security-foundations/toc.yml

@@ -1,6 +1,4 @@
 items:
-- name: Overview
-  href: index.md
 - name: Zero Trust and Windows
   href: zero-trust-windows-device-health.md
 - name: Offensive research