updates

windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md

@@ -16,13 +16,13 @@ This article provides an overview of the virtual smart card technology.
 
 ## Feature description
 
-Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys used for authentication are stored in cryptographically-secured hardware.
+Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices. Virtual smart cards don't require the use of a separate physical smart card and reader. You create virtual smart cards in the TPM, where the keys used for authentication are stored in cryptographically-secured hardware.
 
 By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
 
 ## Practical applications
 
-Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They're easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale.
+Virtual smart cards are functionally similar to physical smart cards, appearing in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by encryption, and integrity through signing. You can deploy virtual smart cards by using in-house methods or a purchased solution, and they can be a replacement for other methods of strong authentication in a corporate setting of any scale.
 
 ### Authentication use cases
 
@@ -38,25 +38,28 @@ Virtual smart cards can also be used for client authentication by using TLS/SSL
 
 **Virtual smart card redirection for remote desktop connections**
 
-The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer can't be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer's TPM. This extends a user's privileges to the remote computer, while maintaining the principles of two-factor authentication.
+The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication.
 
 ### Confidentiality use cases
 
 **S/MIME email encryption**
 
-Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
+Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
 
 **BitLocker for data volumes**
 
-BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult.
+BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult.
 
-BitLocker can also be used to encrypt portable drives, storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it's connected to device for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this device. This method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive, too.
+You can use BitLocker to encrypt portable drives, storing keys in virtual smart cards. In this scenario, unlike using BitLocker with a physical smart card, the encrypted drive can be used only when it's connected to device for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from the device. This method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive, too.
 
 ### Data integrity use case
 
 **Signing data**
 
-To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner's identity. However, if the key is stored in a virtual smart card, it can be used only to sign data on the host device. The key can't be exported to other systems (intentionally or unintentionally, such as with malware theft), making digital signatures more secure than other methods for private key storage.
+To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data.
+
+- Storing the key in an operating system that is accessible, malicious users could access it and use it to modify already signed data or to spoof the key owner's identity
+- Storing the key in a virtual smart card, means that you can only use it to sign data on the host device. You can't export the key to other systems (intentionally or unintentionally, such as with malware theft), making digital signatures more secure than other methods for private key storage
 
 ## Hardware requirements
 

windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md

@@ -1,6 +1,6 @@
 ---
-title: Tpmvscmgr (Windows 10)
+title: Tpmvscmgr
-description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
+description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
 ms.topic: conceptual
 ms.date: 02/22/2023
 appliesto:
@@ -22,7 +22,7 @@ The Tpmvscmgr command-line tool allows users with Administrative credentials to
 
 ### Parameters for Create command
 
-The Create command sets up new virtual smart cards on the user's system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
+The Create command sets up new virtual smart cards on the user's system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format `ROOT\SMARTCARDREADER\000n` where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
 
 | Parameter | Description |
 |-----------|-------------|
@@ -30,10 +30,10 @@ The Create command sets up new virtual smart cards on the user's system. It retu
 | /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.<br>**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a value for the administrator key.<br>**RANDOM**&nbsp;&nbsp;Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. |
 | /PIN | Indicates desired user PIN value.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PIN of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
 | /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PUK of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PUK at the command line. |
-| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. |
+| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it's equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. |
 | /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
 | /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:<br>**minlen** &lt;minimum PIN length&gt;<br>&nbsp;&nbsp;&nbsp;If not specified, defaults to 8. The lower bound is 4.<br>**maxlen** &lt;maximum PIN length&gt;<br>&nbsp;&nbsp;&nbsp;If not specified, defaults to 127. The upper bound is 127.<br>**uppercase**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**lowercase**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**digits**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**specialchars**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br><br>When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
-| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:<br>**AIK_AND_CERT**&nbsp;&nbsp;Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.<br>**AIK_ONLY**&nbsp;&nbsp;Creates an AIK but does not obtain an AIK certificate. |
+| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:<br>**AIK_AND_CERT**&nbsp;&nbsp;Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there's no network connectivity, it's possible that creation of the virtual smart card will fail.<br>**AIK_ONLY**&nbsp;&nbsp;Creates an AIK but doesn't obtain an AIK certificate. |
 | /? | Displays Help for this command. |
 
 ### Parameters for Destroy command
@@ -87,8 +87,4 @@ The following command will create a TPM virtual smart card with the default valu
 
 ```console
 tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate
-```
+```
-
-## Additional references
-
--   [Virtual Smart Card Overview](virtual-smart-card-overview.md)

windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md

@@ -1,6 +1,6 @@
 ---
-title: Use Virtual Smart Cards (Windows 10)
+title: Use Virtual Smart Cards
-description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
+description: Learn about the requirements for virtual smart cards, how to use and manage them.
 ms.topic: conceptual
 ms.date: 02/22/2023
 appliesto:
@@ -12,7 +12,7 @@ appliesto:
 
 [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
 
-This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them.
+Learn about the requirements for virtual smart cards, how to use and manage them.
 
 ## Requirements, restrictions, and limitations
 
@@ -20,9 +20,9 @@ This topic for the IT professional describes requirements for virtual smart card
 |-------------|---------------------------|
 | Supported operating systems  | Windows Server 2016 <br>Windows Server 2012 R2 <br>Windows Server 2012 <br>Windows 10 <br>Windows 8.1 <br>Windows 8  |
 | Supported Trusted Platform Module (TPM)                        | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification).      |
-| Supported virtual smart cards per computer                     | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined. <br><br>**Note**<br>You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they are always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.<br> |
+| Supported virtual smart cards per computer                     | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined. <br><br>**Note**<br>You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.<br> |
-| Supported number of certificates on a virtual smart card       | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key is not generated.       |
+| Supported number of certificates on a virtual smart card       | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated.       |
-| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.<br>The Administrative key must be entered as 48 hexadecimal characters. It is a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode.                 |
+| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.<br>The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode.                 |
 
 ## Using Tpmvscmgr.exe
 
@@ -64,7 +64,7 @@ For more information about these Windows APIs, see:
 
 ## Distinguishing TPM-based virtual smart cards from physical smart cards
 
-To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card.
+To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card.
 
 ![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png)
 
@@ -82,17 +82,17 @@ The PIN for a virtual smart card can be changed by following these steps:
 
 ### TPM not provisioned
 
-For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it is not provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
+For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
 
 If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created.
 
-If the TPM ownership was established on a Windows Vista installation, the TPM will not be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
+If the TPM ownership was established on a Windows Vista installation, the TPM won't be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
 
 If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system.
 
 ### TPM in lockout state
 
-Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner's password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool.
+Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it's necessary to reset the lockout on the TPM by using the owner's password or to wait for the lockout to expire. Unblocking the user PIN doesn't reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it's blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool.
 
 ## See also
 

windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md

@@ -20,7 +20,7 @@ ms.collection:
 
 This article provides information how to troubleshoot the Trusted Platform Module (TPM):
 
-- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization)
+- [Troubleshoot TPM initialization](#tpm-initialization)
 - [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
 
 With TPM 1.2 and Windows 11, you can also take the following actions:

windows/security/information-protection/tpm/tpm-fundamentals.md

@@ -1,13 +1,13 @@
 ---
-title: Trusted Platform Module (TPM) fundamentals (Windows)
+title: Trusted Platform Module (TPM) fundamentals
-description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
+description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
 ms.reviewer: 
 ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
 ms.topic: conceptual
-ms.date: 12/27/2021
+ms.date: 02/22/2023
 ms.technology: itpro-security
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -65,7 +65,7 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
 
 ## Physical presence interface
 
-For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them.
+For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically can't be automated with scripts or other automation tools unless the individual OEM supplies them.
 
 ## TPM 1.2 states and initialization
 
@@ -114,7 +114,7 @@ Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
 
 Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
 
-Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
+Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
 
 ### TPM-based smart cards
 

windows/security/information-protection/tpm/trusted-platform-module-overview.md

@@ -1,12 +1,12 @@
 ---
-title: Trusted Platform Module Technology Overview (Windows)
+title: Trusted Platform Module Technology Overview
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
+description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
 ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 02/22/2023
 ms.technology: itpro-security
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -18,30 +18,21 @@ ms.collection:
 
 # Trusted Platform Module Technology Overview
 
-**Applies to**
+This article describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-- Windows 11
-- Windows 10
-- Windows Server 2022
-- Windows Server 2019
-- Windows Server 2016
-
-This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 
 ## Feature description
 
-[Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
+The [*Trusted Platform Module (TPM)*](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
 
-- Generate, store, and limit the use of cryptographic keys.
+- Generate, store, and limit the use of cryptographic keys
-
+- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip
-- Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned into it.
+- Help ensure platform integrity by taking and storing security measurements of the boot process
-
-- Help ensure platform integrity by taking and storing security measurements.
 
 The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
 
 TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
 
-Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
+Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
 
 ### Automatic initialization of the TPM with Windows
 
@@ -51,11 +42,11 @@ In certain specific enterprise scenarios limited to Windows 10, versions 1507 an
 
 ## Practical applications
 
-Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
+Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and can't be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
 
 Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
 
-Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
+Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
 
 The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
 
@@ -67,16 +58,14 @@ For more info on new and changed functionality for Trusted Platform Module in Wi
 
 Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
 
-Some things that you can check on the device are:
+Some things that you can check on the device include:
 
--   Is Data Execution Prevention supported and enabled?
+- Is Data Execution Prevention supported and enabled?
-
+- Is BitLocker Drive Encryption supported and enabled?
--   Is BitLocker Drive Encryption supported and enabled?
+- Is SecureBoot supported and enabled?
-
--   Is SecureBoot supported and enabled?
 
 > [!NOTE]
->  Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+>  Windows supports Device Health Attestation with TPM 2.0. TPM 2.0 requires UEFI firmware. A device with legacy BIOS and TPM 2.0 won't work as expected.
 
 ## Supported versions for device health attestation
 
@@ -84,16 +73,3 @@ Some things that you can check on the device are:
 |-------------|-------------|-------------|---------------------|---------------------|---------------------|
 | TPM 1.2     |             | >= ver 1607 |                     |      Yes            |    >= ver 1607      |
 | TPM 2.0     |   **Yes**   |  **Yes**    |    **Yes**          |    **Yes**          |    **Yes**          |
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [Details on the TPM standard](https://www.microsoft.com/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
-- [TPM Base Services Portal](/windows/desktop/TBS/tpm-base-services-portal)
-- [TPM Base Services API](/windows/desktop/api/_tbs/)
-- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
-- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
-- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
-- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)