Acrolinx Enhancement Effort

windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md

@@ -27,16 +27,16 @@ ms.technology: windows-sec
 
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
 
-Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication.
+Rules for the boundary zone are typically the same as those rules for the isolated domain, with the exception that the final rule is left to only request, not require, authentication.
 
 **Checklist: Configuring boundary zone rules**
 
-This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs.
+This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you don't change the rule from request authentication to require authentication when you create the other GPOs.
 
 | Task | Reference |
 | - | - |
-| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) |
-| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy isn't changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) |
+| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
 | Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 

windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md

@@ -27,16 +27,16 @@ ms.technology: windows-sec
 
 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
 
-Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication.
+Rules for the encryption zone are typically the same as those rules for the isolated domain, with the exception that the main rule requires encryption in addition to authentication.
 
 **Checklist: Configuring encryption zone rules**
 
-This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
+This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
 
 | Task | Reference |
 | - | - |
 | Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
-| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Modify the group memberships and WMI filters so that they're correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| 
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 

windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md

@@ -31,8 +31,8 @@ The following checklists include tasks for configuring connection security rules
 
 | Task | Reference |
 | - | - |
-| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
-| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| If you're working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they're correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
 | Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| 
 | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
@@ -44,4 +44,4 @@ The following checklists include tasks for configuring connection security rules
 | Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
  
 
-Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.
+Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.

windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md

@@ -25,7 +25,7 @@ ms.technology: windows-sec
 -   Windows 11
 -   Windows Server 2016 and above
 
-To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.
+To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group.
 
 The checklists for firewall, domain isolation, and server isolation include a link to this checklist.
 
@@ -35,19 +35,19 @@ For most GPO deployment tasks, you must determine which devices must receive and
 
 ## About exclusion groups
 
-A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
+A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that can't or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it's easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
 
-You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
+You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To use the group as an exclusion group, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
 
 **Checklist: Creating Group Policy objects**
 
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| 
-| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.<br/>If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
+| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.<br/>If some devices in the membership group are running an operating system that doesn't support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that can't be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
 | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) |
 | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) |
 | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |
-| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| If you're working on a GPO that was copied from another, modify the group memberships and WMI filters so that they're correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) |
 | Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |

windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md

@@ -31,13 +31,13 @@ This checklist includes tasks for configuring connection security rules and IPse
 
 | Task | Reference |
 | - | - |
-| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you've finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
 | To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
 | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| 
 | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
 | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
 | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| 
-| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
+| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 

windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md

@@ -35,7 +35,7 @@ This parent checklist includes cross-reference links to important concepts about
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)<br/>[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)<br/>[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
-| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| |
+| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| |
 | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| 
 | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| 
 | On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| 

windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md

@@ -1,6 +1,6 @@
 ---
 title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows)
-description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists.
+description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
 ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
 ms.reviewer: 
 ms.author: dansimp
@@ -25,7 +25,7 @@ ms.technology: windows-sec
 -   Windows 11
 -   Windows Server 2016 and above
 
-This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
+This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
 
 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
 

windows/security/threat-protection/windows-firewall/configure-authentication-methods.md

@@ -49,29 +49,29 @@ To complete these procedures, you must be a member of the Domain Administrators
 
    3.  **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
 
-   4.  **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials.
+   4.  **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials.
 
    5.  **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule.
 
    6.  **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
 
-       The first authentication method can be one of the following:
+       The first authentication method can be one of the following methods:
 
        -   **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
 
-       -   **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
+       -   **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1.
 
        -   **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used.
 
-       -   **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes.
+       -   **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method isn't recommended, and is included only for backward compatibility and testing purposes.
 
        If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
 
-       The second authentication method can be one of the following:
+       The second authentication method can be one of the following methods:
 
-       -   **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
+       -   **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1.
 
-       -   **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
+       -   **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1.
 
        -   **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups.
 

windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md

@@ -41,23 +41,23 @@ To complete these procedures, you must be a member of the Domain Administrators
 
 4.  In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**.
 
-5.  Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following:
+5.  Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list aren't what you want, then do the following steps:
 
     **Important**  
-    In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices.
+    In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This rule means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices.
 
-    Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected.
+    Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method is used in the negotiation. Ensure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected.
 
     **Note**  
-    When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select.
+    When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This event happens no matter which Diffie-Hellman key exchange protocol you select.
 
-    1.  Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**.
+    1.  Remove any of the security methods that you don't want by selecting the method and then clicking **Remove**.
 
     2.  Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**.
 
         >**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only.
 
-    3.  After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on.
+    3.  After the list contains only the combinations you want, use the "up" and "down" arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on.
 
 6.  From the list on the right, select the key exchange algorithm that you want to use.
 

windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md

@@ -1,6 +1,6 @@
 ---
 title: Configure the Rules to Require Encryption (Windows)
-description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption.
+description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption.
 ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
 ms.reviewer: 
 ms.author: dansimp
@@ -20,7 +20,7 @@ ms.technology: windows-sec
 
 # Configure the Rules to Require Encryption
 
-If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption.
+If you're creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that don't use encryption.
 
 **Administrative credentials**
 
@@ -46,9 +46,9 @@ To complete this procedure, you must be a member of the Domain Administrators gr
 
 9. Click **Require encryption for all connection security rules that use these settings**.
 
-   This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone.
+   This setting disables the data integrity rules section. Ensure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone won't be able to connect to devices in this zone.
 
-10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md).
+10. If you need to add an algorithm combination, click **Add** and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md).
 
     **Note**  
     Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
@@ -57,6 +57,6 @@ To complete this procedure, you must be a member of the Domain Administrators gr
 
     For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
 
-11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support.
+11. During negotiation, algorithm combinations are proposed in the order shown in the list. Ensure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support.
 
 12. Click **OK** three times to save your changes.