Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into wufbr-schemaupdates-8506381

This commit is contained in:
Meghan Stewart 2023-12-05 12:15:24 -08:00
commit 5fc9cb39a9
334 changed files with 3528 additions and 4052 deletions


@ -12,7 +12,8 @@
"type_mapping": { "type_mapping": {
"Conceptual": "Content", "Conceptual": "Content",
"ManagedReference": "Content", "ManagedReference": "Content",
"RestApi": "Content" "RestApi": "Content",
"ZonePivotGroups": "Toc"
}, },
"build_entry_point": "docs", "build_entry_point": "docs",
"template_folder": "_themes" "template_folder": "_themes"
@ -90,6 +91,7 @@
"moniker_ranges": [], "moniker_ranges": [],
"open_to_public_contributors": true, "open_to_public_contributors": true,
"type_mapping": { "type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content", "Conceptual": "Content",
"ManagedReference": "Content", "ManagedReference": "Content",
"RestApi": "Content" "RestApi": "Content"
@ -106,6 +108,7 @@
"moniker_ranges": [], "moniker_ranges": [],
"open_to_public_contributors": false, "open_to_public_contributors": false,
"type_mapping": { "type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content", "Conceptual": "Content",
"ManagedReference": "Content", "ManagedReference": "Content",
"RestApi": "Content" "RestApi": "Content"
@ -122,6 +125,7 @@
"moniker_ranges": [], "moniker_ranges": [],
"open_to_public_contributors": true, "open_to_public_contributors": true,
"type_mapping": { "type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content", "Conceptual": "Content",
"ManagedReference": "Content", "ManagedReference": "Content",
"RestApi": "Content" "RestApi": "Content"
@ -138,6 +142,7 @@
"moniker_ranges": [], "moniker_ranges": [],
"open_to_public_contributors": true, "open_to_public_contributors": true,
"type_mapping": { "type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content", "Conceptual": "Content",
"ManagedReference": "Content", "ManagedReference": "Content",
"RestApi": "Content" "RestApi": "Content"
@ -170,6 +175,7 @@
"moniker_ranges": [], "moniker_ranges": [],
"open_to_public_contributors": true, "open_to_public_contributors": true,
"type_mapping": { "type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content", "Conceptual": "Content",
"ManagedReference": "Content", "ManagedReference": "Content",
"RestApi": "Content" "RestApi": "Content"
@ -186,6 +192,7 @@
"moniker_ranges": [], "moniker_ranges": [],
"open_to_public_contributors": true, "open_to_public_contributors": true,
"type_mapping": { "type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content", "Conceptual": "Content",
"ManagedReference": "Content", "ManagedReference": "Content",
"RestApi": "Content" "RestApi": "Content"


@ -177,7 +177,12 @@
}, },
{ {
"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md", "source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
"redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node", "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
"redirect_document_id": false
},
{
"source_path": "windows/security/hardware-security/tpm/trusted-platform-module-top-node.md",
"redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -6842,7 +6847,7 @@
}, },
{ {
"source_path": "windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md", "source_path": "windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log", "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-logging",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -6925,11 +6930,6 @@
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo", "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo",
"redirect_document_id": false "redirect_document_id": false
}, },
{
"source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy",
"redirect_document_id": false
},
{ {
"source_path": "windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md", "source_path": "windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices", "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices",
@ -7077,7 +7077,7 @@
}, },
{ {
"source_path": "windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md", "source_path": "windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831418(v=ws.11)",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -7954,6 +7954,91 @@
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md", "source_path": "windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831807(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831418(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-logging",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
} }
] ]
} }
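Review bot: The redirect for `windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md` (unchanged context in hunk `@ -6925,11 +6930,6 @@`) still targets `/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices`, which the first entry of hunk `@ -7954,6 +7954,91 @@` in turn sends to `/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)`, so readers of the old URL go through a two-hop chain. The commit flattens the analogous `isolating-apps-on-your-network.md` entry in hunk `@ -7077,7 +7077,7 @@` straight to its final `/previous-versions/...` URL; the same treatment here would be `"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)",`. Separately, the added entry whose `source_path` is `windows/security/operating-system-security/network-security/windows-firewall-with-advanced-security-administration-with-windows-powershell.md` appears to lack the `windows-firewall/` directory segment that the otherwise identical entry a few lines below has; if no file ever existed at that path the entry is dead and can be dropped. Both points are inferred from the paths shown in this hunk and should be confirmed against the repository tree.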


@ -1,3 +1,4 @@
items:
- name: Windows - name: Windows
tocHref: /windows/ tocHref: /windows/
topicHref: /windows/index topicHref: /windows/index


@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client ms.prod: windows-client
--- ---
To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings: To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use the following settings:


@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client ms.prod: windows-client
--- ---
The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups. Group policies can be [linked](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732979(v=ws.10)) to domains or organizational units, [filtered using security groups](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc752992(v=ws.10)), or [filtered using WMI filters](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)).


@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client ms.prod: windows-client
--- ---
To configure devices using Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings: To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:


@ -0,0 +1,9 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
ms.prod: windows-client
---
To configure devices with the [Registry Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc755256(v=ws.11)), use the following settings:


@ -81,7 +81,7 @@ ms.topic: include
|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes| |**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes| |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes| |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes| |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|


@ -81,7 +81,7 @@ ms.topic: include
|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|


@ -38,6 +38,7 @@
"ms.collection": [ "ms.collection": [
"tier2" "tier2"
], ],
"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows", "uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-manage", "ms.technology": "itpro-manage",


@ -1,7 +1,7 @@
--- ---
title: Manage Copilot in Windows title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: article ms.topic: conceptual
ms.technology: itpro-windows-copilot ms.technology: itpro-windows-copilot
ms.date: 11/06/2023 ms.date: 11/06/2023
ms.author: mstewart ms.author: mstewart


@ -469,10 +469,7 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
<!-- EnableWebSignIn-Editable-Begin --> <!-- EnableWebSignIn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING] Web sign-in is a credential provider that enables a web-based sign-in experience on Windows devices. Initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only, Web sign-in expanded its capabilities starting in Windows 11, version 22H2 with KB5030310. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in).
> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Microsoft Entra ID, unless it's used in a limited federated scope.
**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Microsoft Entra credentials, like temporary access pass.
> [!NOTE] > [!NOTE]
> Web sign-in is only supported on Microsoft Entra joined PCs. > Web sign-in is only supported on Microsoft Entra joined PCs.


@ -38,6 +38,7 @@
"ms.collection": [ "ms.collection": [
"tier2" "tier2"
], ],
"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows", "uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-configure", "ms.technology": "itpro-configure",


@ -11,16 +11,14 @@ ms.topic: conceptual
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.date: 11/23/2022 ms.date: 11/17/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# What's new in Windows client deployment # What's new in Windows client deployment
*Applies to:*
- Windows 10
- Windows 11
This article provides an overview of new solutions and online content related to deploying Windows client in your organization. This article provides an overview of new solutions and online content related to deploying Windows client in your organization.
- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
@ -33,41 +31,39 @@ When you deploy Windows 11 with Autopilot, you can enable users to view addition
Check out the following new articles about Windows 11: Check out the following new articles about Windows 11:
- [Overview of Windows 11](/windows/whats-new/windows-11) - [Overview of Windows 11](/windows/whats-new/windows-11).
- [Plan for Windows 11](/windows/whats-new/windows-11-plan) - [Plan for Windows 11](/windows/whats-new/windows-11-plan).
- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare) - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare).
- [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.<br>
## Deployment tools ## Deployment tools
[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.<br> - [SetupDiag](#setupdiag) is included with all currently supported versions of Windows.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).<br> - New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
VPN support is added to [Windows Autopilot](#windows-autopilot)<br> - VPN support is added to [Windows Autopilot](#windows-autopilot).
An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).<br> - An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with more content added and more content coming soon.<br>
## The Modern Desktop Deployment Center ## The Modern Desktop Deployment Center
The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise. The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has content to help you with large-scale deployment of supported version of Windows and Microsoft 365 Apps for enterprise.
## Microsoft 365 ## Microsoft 365
Microsoft 365 is a new offering from Microsoft that combines Microsoft 365 is a new offering from Microsoft that combines:
- Windows 10 - A currently supported version of Windows.
- Office 365 - Office 365.
- Enterprise Mobility and Security (EMS). - Enterprise Mobility and Security (EMS).
See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster). See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
## Windows 10 servicing and support ## Windows servicing and support
### Delivery Optimization ### Delivery Optimization
Windows PowerShell cmdlets for Delivery Optimization have been improved: Windows PowerShell cmdlets for Delivery Optimization is improved:
- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). - **Get-DeliveryOptimizationStatus** has the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. - **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting. - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
@ -79,29 +75,36 @@ Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth).
- Reason: Replaced with separate policies for foreground and background - Reason: Replaced with separate policies for foreground and background.
- Max Upload Bandwidth (DOMaxUploadBandwidth) - Max Upload Bandwidth (DOMaxUploadBandwidth).
- Reason: impacts uploads to internet peers only, which isn't used in enterprises. - Reason: impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth) - Absolute max throttle (DOMaxDownloadBandwidth).
- Reason: separated to foreground and background - Reason: separated to foreground and background.
### Windows Update for Business ### Windows Update for Business
[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include: [Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - **Intune console updates**: target version is now available allowing you to specify which supported version of Windows you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds.
- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. This automatic sign-on ensures that when the user returns and unlocks the device, the update is completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the table below. - **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all currently supported editions of Windows, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to update before pausing again.
- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in the taskbar.
- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the following table:
![Support lifecycle.](images/support-cycle.png) ![Support lifecycle.](images/support-cycle.png)
@ -111,7 +114,7 @@ Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Mi
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
## Deployment solutions and tools ## Deployment solutions and tools
@ -119,17 +122,17 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices. [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Microsoft Entra hybrid join with VPN support.
If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles. If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
The following Windows Autopilot features are available in Windows 10, version 1903 and later: The following Windows Autopilot features are available in Windows 10, version 1903 and later:
- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users. - [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in Windows 10, version 1903. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions. - The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. - [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. - Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Configuration Manager ### Microsoft Configuration Manager
@ -137,25 +140,21 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
### Windows 10 Subscription Activation ### Windows 10 Subscription Activation
Windows 10 Education support has been added to Windows 10 Subscription Activation. Windows 10 Education support is added to Windows 10 Subscription Activation.
With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md). With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
### SetupDiag ### SetupDiag
[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. [SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why an update of Windows failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
In Windows 10, version 2004, SetupDiag is now automatically installed. During the upgrade process, Windows Setup extracts all its sources files to the `%SystemDrive%\$Windows.~bt\Sources` directory. **SetupDiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under `%SystemDrive%\Windows.Old` for cleanup.
During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
### Upgrade Readiness ### Upgrade Readiness
The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. Upgrade Readiness helps you ensure that applications and drivers are ready for an upgrade of Windows. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. Input from the community heavily influenced the development of Upgrade Readiness and the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following articles: For more information about Upgrade Readiness, see the following articles:
@ -164,7 +163,7 @@ For more information about Upgrade Readiness, see the following articles:
### Update Compliance ### Update Compliance
Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. Update Compliance helps you to keep supported Windows devices in your organization secure and up-to-date.
Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
@ -172,31 +171,35 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Device Health ### Device Health
Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview) Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview).
### MBR2GPT ### MBR2GPT
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of supported versions of Windows that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT) ### Microsoft Deployment Toolkit (MDT)
MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There's currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation. MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019.
For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
> [!IMPORTANT]
>
> MDT doesn't support versions of Windows after Windows 10 and Windows Server 2019.
### Windows Assessment and Deployment Kit (ADK) ### Windows Assessment and Deployment Kit (ADK)
The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. IT Pros can use the tools in the Windows Assessment and Deployment Kit (Windows ADK) to deploy Windows.
Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install). Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools). For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). Also see [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance ## Testing and validation guidance
@ -206,19 +209,19 @@ The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual
For more information, see the following guides: For more information, see the following guides:
- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md).
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) - [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) - [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
## Troubleshooting guidance ## Troubleshooting guidance
[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The article provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process. [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
## Related articles ## Related articles
[Overview of Windows as a service](update/waas-overview.md)<br> - [Overview of Windows as a service](update/waas-overview.md).
[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)<br> - [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md).
[Windows 10 release information](/windows/windows-10/release-information)<br> - [Windows 10 release information](/windows/windows-10/release-information).
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)<br> - [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications).
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)<br> - [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md).
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)<br> - [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md).

View File

@ -50,7 +50,8 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) | Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|------------------|---------------|----------------|----------|----------------| |------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10 Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows 10/11 UWP Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 11 Win32 Store apps | Windows 11 | :heavy_check_mark: | | |
| Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

View File

@ -16,7 +16,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
ms.date: 08/22/2023 ms.date: 11/30/2023
--- ---
# Configure Windows Update for Business # Configure Windows Update for Business
@ -243,8 +243,8 @@ The following options are available for the policy:
| Policy | Sets registry key under HKLM\Software | | Policy | Sets registry key under HKLM\Software |
| --- | --- | | --- | --- |
| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent | | **GPO applies to**: <br/> <ul><li> Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351), and later versions </li><li> Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed <!--8503602--> </li></ul> </br>**GPO location**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: </br>./Device/Vendor/MSFT/Policy/Config/Update/</br>**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent | | **MDM applies to**: <br/> <ul><li> Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later versions </li><li> Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed <!--8503602--></li></ul> </br>**MDM location**: ./Device/Vendor/MSFT/Policy/Config/Update/</br>**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
## Enable features that are behind temporary enterprise feature control ## Enable features that are behind temporary enterprise feature control
<!--6544872--> <!--6544872-->
@ -269,7 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value | | GPO Key | Key type | Value |
| --- | --- | --- | | --- | --- | --- |
| AllowOptionalContent</br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs)</br> 2: Automatically receive optional updates </br> 3: Users can select which optional updates to receive </br> Other value or absent: Don't receive optional updates| | AllowOptionalContent</br> </br>*Added in*: <br/> <ul><li> Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later </li><li> Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed </li></ul> </br>| REG_DWORD | 1: Automatically receive optional updates (including CFRs)</br> 2: Automatically receive optional updates </br> 3: Users can select which optional updates to receive </br> Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off | | AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br></br> Other value or absent: Receive all applicable updates | | BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br></br> Other value or absent: Receive all applicable updates |
| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates</br>Other value or absent: Don't defer feature updates | | DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates</br>Other value or absent: Don't defer feature updates |
@ -285,7 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value | | MDM Key | Key type | Value |
| --- | --- | --- | | --- | --- | --- |
| AllowOptionalContent </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs)</br> 2: Automatically receive optional updates </br> 3: Users can select which optional updates to receive </br> Other value or absent: Don't receive optional updates| | AllowOptionalContent </br> </br>*Added in*: <br/> <ul><li> Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later </li><li> Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed </li></ul> </br>| REG_DWORD | 1: Automatically receive optional updates (including CFRs)</br> 2: Automatically receive optional updates </br> 3: Users can select which optional updates to receive </br> Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off | | AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br>32: Systems take feature updates from General Availability Channel </br>Note: Other value or absent: Receive all applicable updates | | BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br>32: Systems take feature updates from General Availability Channel </br>Note: Other value or absent: Receive all applicable updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |

View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/10/2023 ms.date: 11/30/2023
--- ---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@ -47,19 +47,19 @@ Drivers are automatically enabled because they're beneficial to device systems.
### Set when devices receive feature and quality updates ### Set when devices receive feature and quality updates
#### I want to receive pre-release versions of the next feature update #### I want to receive prerelease versions of the next feature update
1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. 1. Ensure that you're enrolled in the Windows Insider Program for Business. Windows Insider is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**. 1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set the option to **Enable preview builds**.
1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation. 1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests. 1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive #### I want to manage which released feature update my devices receive
A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify. A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you don't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) - To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime) - To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
@ -72,7 +72,7 @@ In this example, there are three rings for quality updates. The first ring ("pil
![illustration of devices divided into three rings.](images/waas-wufb-3-rings.png) ![illustration of devices divided into three rings.](images/waas-wufb-3-rings.png)
When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates. When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
##### Five days later ##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates. The devices in the fast ring are offered the quality update the next time they scan for updates.
@ -80,11 +80,11 @@ The devices in the fast ring are offered the quality update the next time they s
![illustration of devices with fast ring deployed.](images/waas-wufb-fast-ring.png) ![illustration of devices with fast ring deployed.](images/waas-wufb-fast-ring.png)
##### Ten days later ##### Ten days later
Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates. Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.
![illustration of devices with slow ring deployed.](images/waas-wufb-slow-ring.png) ![illustration of devices with slow ring deployed.](images/waas-wufb-slow-ring.png)
If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves. If no problems occur, all of the devices that scan for updates are offered the quality update within ten days of its release, in three waves.
##### What if a problem occurs with the update? ##### What if a problem occurs with the update?
@ -109,13 +109,13 @@ If you need a device to stay on a version beyond the point when deferrals on the
#### I want to manage when devices download, install, and restart after updates #### I want to manage when devices download, install, and restart after updates
We recommended that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check. We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart). For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart).
It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours.
To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Option 3, and then set the following policies as appropriate for your plan: To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:
- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) - [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) - [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
@ -132,7 +132,7 @@ If you don't want to allow any automatic updates prior to the deadline, set [Upd
#### I want to keep devices secure and compliant with update deadlines #### I want to keep devices secure and compliant with update deadlines
We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings: We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. Deadlines work by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) - [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
@ -140,7 +140,7 @@ We recommend that you use set specific deadlines for feature and quality updates
- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates) - [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot) - [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours. These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point, the device automatically schedules a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose: These notifications are what the user sees depending on the settings you choose:
@ -172,7 +172,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications. There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values: We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) - Use the default Windows Update notifications<br/> **0** (default) - Use the default Windows Update notifications<br/>
**1** - Turn off all notifications, excluding restart warnings<br/> **1** - Turn off all notifications, excluding restart warnings<br/>
@ -181,14 +181,14 @@ We recommend that you use the default notifications as they aim to provide the b
> [!NOTE] > [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled. > Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto-restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications. Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
#### I want to manage the update settings a user can access #### I want to manage the update settings a user can access
Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users. Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess). Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess).
When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out. When you disable this setting, users see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess). If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
@ -205,3 +205,11 @@ The features that are turned off by default from servicing updates will be enabl
- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled. - **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
- When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots - When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
- **1** - Not allowed. Features that are shipped turned off by default will remain off - **1** - Not allowed. Features that are shipped turned off by default will remain off
#### I want to enable optional updates
<!--7991583-->
*Applies to:*
- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later <!--7991583-->
- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed <!--8503602-->
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using [AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent). For more information about optional content, see [Enable optional updates](waas-configure-wufb.md#enable-optional-updates).

@ -17,7 +17,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
ms.date: 10/10/2023 ms.date: 11/30/2023
--- ---
# Walkthrough: Use Group Policy to configure Windows Update for Business # Walkthrough: Use Group Policy to configure Windows Update for Business
@ -202,7 +202,9 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann
#### I want to enable optional updates #### I want to enable optional updates
<!--7991583--> <!--7991583-->
(*Starting in Windows 11, version 22H2 or later*) *Applies to:*
- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later <!--7991583-->
- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed <!--8503602-->
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy. In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy.

@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch. description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: windows-client ms.prod: windows-client
ms.topic: faq ms.topic: faq
ms.date: 07/19/2023 ms.date: 12/04/2023
audience: itpro audience: itpro
ms.localizationpriority: medium ms.localizationpriority: medium
manager: dougeby manager: dougeby
@ -28,7 +28,7 @@ sections:
Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported. Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.
- question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing? - question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing?
answer: | answer: |
Autopatch isn't available for 'A' or 'F' series licensing. Autopatch isn't available for 'A'. Windows Autopatch supports some 'F' series licensing. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
- question: Will Windows Autopatch support local domain join Windows 10? - question: Will Windows Autopatch support local domain join Windows 10?
answer: | answer: |
Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Microsoft Entra join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Microsoft Entra join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
@ -54,8 +54,8 @@ sections:
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch? - question: What are the licensing requirements for Windows Autopatch?
answer: | answer: |
- Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only) or F3. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
- [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management) - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for co-management)
- [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management) - [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management)
- question: Are there hardware requirements for Windows Autopatch? - question: Are there hardware requirements for Windows Autopatch?
answer: | answer: |

@ -1,7 +1,7 @@
--- ---
title: Prerequisites title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch description: This article details the prerequisites needed for Windows Autopatch
ms.date: 09/24/2023 ms.date: 12/04/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: conceptual ms.topic: conceptual
@ -21,7 +21,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Area | Prerequisite details | | Area | Prerequisite details |
| ----- | ----- | | ----- | ----- |
| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher), or F3 to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Microsoft Entra ID | Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.<br><ul><li>For more information, see [Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Microsoft Entra hybrid join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Microsoft Entra Connect versions, see [Microsoft Entra Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> | | Microsoft Entra ID | Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.<br><ul><li>For more information, see [Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Microsoft Entra hybrid join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Microsoft Entra Connect versions, see [Microsoft Entra Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
| Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li><li>Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.</li></ul><p>See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.<p>For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).</p> | | Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. 
Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li><li>Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.</li></ul><p>See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.<p>For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).</p> |
@ -46,6 +46,10 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
| [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a | | [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a |
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
| [Microsoft 365 F3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_F1 | 66b55226-6b4f-492c-910c-a3b7a3c9d993 |
| Microsoft 365 F3 (self-service) | Microsoft_365_F3_Department |6803cf1e-c822-41a1-864e-a31377bcdb7e |
| Microsoft 365 F3 (for Department) | Microsoft_365_F3_DEPT |45972061-34c4-44c8-9e83-ad97815acc34 |
| Microsoft 365 F3 EEA (no Teams) | Microsoft_365_F3_EEA_(no_Teams) | f7ee79a7-7aec-4ca4-9fb9-34d6b930ad87 |
The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch: The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch:

@ -1,7 +1,7 @@
--- ---
title: What's new 2023 title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers. description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 11/16/2023 ms.date: 12/04/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: whats-new ms.topic: whats-new
@ -21,7 +21,13 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed. Minor corrections such as typos, style, or formatting issues aren't listed.
## November 2023 ## December 2023
### December feature releases or updates
| Article | Description |
| ----- | ----- |
| [Prerequisites](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | Added F SKU licenses to the [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) section. Also see [FAQ](../overview/windows-autopatch-faq.yml)<ul><li>[MC690609](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
## November service release ## November service release

@ -1,3 +1,27 @@
items:
- name: Docs
tocHref: /
topicHref: /
items:
- name: Windows - name: Windows
tocHref: /windows/ tocHref: /windows/
topicHref: /windows/index topicHref: /windows/resources/
items:
- name: What's new
tocHref: /windows/whats-new/
topicHref: /windows/whats-new/
- name: Configuration
tocHref: /windows/configuration/
topicHref: /windows/configuration/
- name: Deployment
tocHref: /windows/deployment/
topicHref: /windows/deployment/
- name: Client management
tocHref: /windows/client-management/
topicHref: /windows/client-management/
- name: Privacy
tocHref: /windows/privacy/
topicHref: /windows/privacy/
- name: Security
tocHref: /windows/security/
topicHref: /windows/security/

@ -39,6 +39,7 @@
"tier1" "tier1"
], ],
"audience": "ITPro", "audience": "ITPro",
"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows", "uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-fundamentals", "ms.technology": "itpro-fundamentals",

@ -0,0 +1,18 @@
# YamlMime:ZonePivotGroups
groups:
- id: windows-versions-10-11
title: Windows versions
prompt: "Select the Windows version you want to learn about:"
pivots:
- id: windows-10
title: Windows 10
- id: windows-11
title: Windows 11
- id: windows-editions-proent-proedu
title: Windows editions
prompt: "Select the Windows edition you want to learn about:"
pivots:
- id: windows-pro
title: Windows Pro Edu/Education
- id: windows-ent
title: Windows Pro/Enterprise
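Review bot: The id/title pairing in the `windows-editions-proent-proedu` group looks mismatched: pivot `windows-pro` is titled `Windows Pro Edu/Education` while `windows-ent` is titled `Windows Pro/Enterprise`. Articles select a pivot by its id, not its title, so if the intended pairing is Pro/Enterprise under `windows-pro`, the two `title:` values (or the two ids) should be swapped before articles start referencing them. If the pairing is deliberate, a short comment on the group saying so would save the next editor the same double-take.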

@ -1,6 +1,6 @@
--- ---
description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2. description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2.
title: Required diagnostic events and fields for Windows 11, versions 23H3 and 22H2 title: Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
keywords: privacy, telemetry keywords: privacy, telemetry
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-privacy ms.technology: itpro-privacy

@ -16,7 +16,7 @@ With UAC, each application that requires the *administrator access token* must p
Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust: Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust:
- A *high integrity application* is one that performs tasks that modify system data, such as a disk partitioning application - A *high integrity application* is one that performs tasks that modify system data, such as a disk partitioning application
- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web brows - A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web browser
Applications with lower integrity levels can't modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provides valid administrator credentials. Applications with lower integrity levels can't modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provides valid administrator credentials.
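Review bot: The corrected bullet still reads `like as a Web browser`, which is ungrammatical even after the truncation fix; change it to `such as a web browser`. The integrity-level list this bullet belongs to continues outside the hunk, so check the sibling bullets use the same phrasing.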

@ -2,7 +2,7 @@
title: Plan for WDAC policy management title: Plan for WDAC policy management
description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies. description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 11/02/2022 ms.date: 11/22/2023
ms.topic: article ms.topic: article
--- ---
@ -11,7 +11,7 @@ ms.topic: article
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. This article describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
## Policy XML lifecycle management ## Policy XML lifecycle management
@ -23,7 +23,7 @@ Most Windows Defender Application Control policies will evolve over time and pro
2. [Deploy the audit mode policy](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) to intended devices. 2. [Deploy the audit mode policy](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) to intended devices.
3. [Monitor audit block events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks. 3. [Monitor audit block events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
4. Repeat steps 2-3 until the remaining block events meet expectations. 4. Repeat steps 2-3 until the remaining block events meet expectations.
5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that aren't allowed by the policy are prevented from executing and corresponding block events are generated. 5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that the policy doesn't allow are prevented from running and corresponding block events are generated.
6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. 6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
@ -35,7 +35,7 @@ To effectively manage Windows Defender Application Control policies, you should
### Set PolicyName, PolicyID, and Version metadata for each policy ### Set PolicyName, PolicyID, and Version metadata for each policy
Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy. Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique policy ID. These unique attributes help you differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
> [!NOTE] > [!NOTE]
> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-wdac-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10. > PolicyID only applies to policies using the [multiple policy format](deploy-multiple-wdac-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
@ -45,15 +45,15 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con
### Policy rule updates ### Policy rule updates
As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates. You might need to revise your policy when new apps are deployed or existing apps are updated by the software publisher to ensure that apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates.
## WDAC event management ## WDAC event management
Each time that a process is blocked by Windows Defender Application Control, events will be written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event details which file tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file. Each time that WDAC blocks a process, events are written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event describes the file that tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file.
Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)). Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. You can [use the Azure Monitor Agent](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) to automatically collect your WDAC events for analysis.
Additionally, Windows Defender Application Control events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature. Additionally, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) collects WDAC events which can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature.
## Application and user support policy ## Application and user support policy
@ -75,9 +75,9 @@ If your organization has an established help desk support department in place, c
### End-user support ### End-user support
Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plan how to provide end-user support. Considerations include: Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plans how to provide end-user support. Considerations include:
- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? - Do you want to use an intranet site as a frontline of support for users who try to run a blocked app?
- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
## Document your plan ## Document your plan
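Review bot: The rewritten collection paragraph (`Collecting these events in a central location ...`) now offers only the Azure Monitor Agent, and the link target is the generic data-collection-rule article rather than anything WDAC-specific, so readers without Azure Monitor lose the on-premises option the previous text described. Consider keeping one sentence for that path, for example `If you don't use Azure Monitor, you can use Windows Event Forwarding to aggregate the CodeIntegrity and AppLocker channels on a collector server.` Central collection of these block events is what makes policy tuning and investigation of unexpected execution attempts possible, so the guidance should not narrow to a single tooling choice.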

@ -2,7 +2,7 @@
title: Understand Windows Defender Application Control (WDAC) policy rules and file rules title: Understand Windows Defender Application Control (WDAC) policy rules and file rules
description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers. description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 08/11/2023 ms.date: 11/22/2023
ms.topic: article ms.topic: article
--- ---
@ -11,7 +11,7 @@ ms.topic: article
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
Windows Defender Application Control (WDAC) can control what runs on Windows 10, Windows 11, and Windows Server 2016 and later, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. Windows Defender Application Control (WDAC) can control what runs on your Windows devices by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how to identify applications your organization trusts.
## Windows Defender Application Control policy rules ## Windows Defender Application Control policy rules
@ -20,7 +20,9 @@ To modify the policy rule options of an existing WDAC policy XML, use the [WDAC
You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether supplemental policies can set them. Some rule options are reserved for future work or not supported. You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether supplemental policies can set them. Some rule options are reserved for future work or not supported.
> [!NOTE] > [!NOTE]
> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked-instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode. > We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, applications run normally but WDAC logs events whenever a file runs that isn't allowed by the policy. To allow these files, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
>
> Some apps may behave differently even when your policy is in audit mode. When an option may change behaviors in audit mode, that is noted in Table 1. You should always test your apps thoroughly when deploying significant updates to your WDAC policies.
### Table 1. Windows Defender Application Control policy - policy rule options ### Table 1. Windows Defender Application Control policy - policy rule options
@ -37,7 +39,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **8 Required:EV Signers** | This option isn't currently supported. | No | | **8 Required:EV Signers** | This option isn't currently supported. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a boot-critical driver fails during startup, the WDAC policy is placed in audit mode so that Windows loads. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No | | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a boot-critical driver fails during startup, the WDAC policy is placed in audit mode so that Windows loads. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement). <br/> NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No | | **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. Some script hosts may behave differently even when your policy is in audit mode. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement). <br/> NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies also apply to Universal Windows applications. | No | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes | | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
@ -45,7 +47,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.<br/> NOTE: This option is only supported on Windows 10, version 1709 and later, or Windows Server 2019 and later.| No | | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.<br/> NOTE: This option is only supported on Windows 10, version 1709 and later, or Windows Server 2019 and later.| No |
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.<br/> NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | No | | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.<br/> NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.<br/> NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.<br/> NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.<br/> NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later. | No | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.<br/> NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later.<br/> NOTE: This option is always enforced if *any* WDAC UMCI policy enables it. There's no audit mode for .NET dynamic code security hardening. | No |
| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No | | **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No |
| **Enabled:Developer Mode Dynamic Code Trust** | Use this option to trust UWP apps that are [debugged in Visual Studio](/visualstudio/debugger/run-windows-store-apps-on-a-remote-machine) or deployed through device portal when Developer Mode is enabled on the system. | No | | **Enabled:Developer Mode Dynamic Code Trust** | Use this option to trust UWP apps that are [debugged in Visual Studio](/visualstudio/debugger/run-windows-store-apps-on-a-remote-machine) or deployed through device portal when Developer Mode is enabled on the system. | No |
@ -71,7 +73,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. | | **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. | | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. |
| **RootCertificate** | Not supported. | | **RootCertificate** | Not supported. |
| **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. | | **WHQL** | Only trusts binaries that were submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. |
| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. | | **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. |
| **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. By default, this level uses the OriginalFileName attribute of the file's resource header. Use [-SpecificFileNameLevel](#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) to choose an alternative attribute, such as ProductName. | | **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. By default, this level uses the OriginalFileName attribute of the file's resource header. Use [-SpecificFileNameLevel](#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) to choose an alternative attribute, such as ProductName. |
@ -96,7 +98,7 @@ For example, consider an IT professional in a department that runs many servers.
To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. With the help of the audit data, they update their WDAC policies to include any other software they want to run. Then they enable the WDAC policy in enforced mode for their servers. To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. With the help of the audit data, they update their WDAC policies to include any other software they want to run. Then they enable the WDAC policy in enforced mode for their servers.
As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they won't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they don't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.
## File rule precedence order ## File rule precedence order
@ -107,7 +109,7 @@ WDAC has a built-in file rule conflict logic that translates to precedence order
## Use -SpecificFileNameLevel with FileName, FilePublisher, or WHQLFilePublisher level rules ## Use -SpecificFileNameLevel with FileName, FilePublisher, or WHQLFilePublisher level rules
By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels will use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer may use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file. By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer might use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file.
Table 3 describes the available resource header attribute options you can set with -SpecificFileNameLevel. Table 3 describes the available resource header attribute options you can set with -SpecificFileNameLevel.
@ -124,7 +126,7 @@ Table 3 describes the available resource header attribute options you can set wi
## More information about filepath rules ## More information about filepath rules
Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder. Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You might want to avoid path rules for directories where standard users can modify ACLs on the folder.
### User-writable filepaths ### User-writable filepaths
@ -182,8 +184,8 @@ In the cmdlets, rather than try to predict which hash will be used, we precalcul
### Why does scan create eight hash rules for certain files? ### Why does scan create eight hash rules for certain files?
Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file will only run in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file will only load in either user-mode or kernel, then you can safely remove the extra rules. Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file only runs in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file only loads in either user-mode or kernel, then you can safely remove the extra rules.
### When does WDAC use the flat file hash value? ### When does WDAC use the flat file hash value?
There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This can occur for a number of reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly. There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This behavior can occur for many reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly.
@ -2,7 +2,7 @@
title: Windows Defender Application Control and .NET title: Windows Defender Application Control and .NET
description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime. description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 08/10/2022 ms.date: 11/22/2023
ms.topic: article ms.topic: article
--- ---
@ -10,9 +10,9 @@ ms.topic: article
.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it. .NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it.
The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and falls back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you might notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies.
In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events). In some cases, if an NI file is blocked, you might see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events).
To mitigate any performance impact caused when the WDAC EA isn't valid or missing: To mitigate any performance impact caused when the WDAC EA isn't valid or missing:
@ -22,14 +22,17 @@ To mitigate any performance impact caused when the WDAC EA isn't valid or missin
## WDAC and .NET hardening ## WDAC and .NET hardening
Security researchers have found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls. Security researchers found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls.
Beginning with Windows 10, version 1803, WDAC includes a new option, called *Dynamic Code Security* that works with .NET to verify code loaded at runtime. To address this potential vulnerability, WDAC includes an option called *Dynamic Code Security* that works with .NET to verify code loaded at runtime.
When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share. When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any remote sources, such as the internet or a network share.
Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. > [!IMPORTANT]
> .Net dynamic code security hardening is *turned on and enforced* if any WDAC policy with UMCI enabled has set option **19 Enabled:Dynamic Code Security**. There is no audit mode for this feature. You should test your apps with this option set before turning it on across large numbers of devices.
Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries. Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that was tampered with.
Dynamic Code Security isn't enabled by default because existing policies might not account for externally loaded libraries.
Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
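Review bot: The new IMPORTANT callout states that Dynamic Code Security has no audit mode, but the unchanged last sentence of the section still says "Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it", so the page now contradicts itself on a point that decides how an admin rolls the option out. Replace that sentence with wording consistent with the callout, for example `Because Dynamic Code Security has no audit mode, test it on a small set of representative devices and review any block events before setting option 19 across your fleet.`. The rewrite also drops the "Beginning with Windows 10, version 1803" qualifier; if that minimum version still applies, keep it so readers know which builds enforce the option.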
@ -1,9 +1,9 @@
--- ---
title: Managed installer and ISG technical reference and troubleshooting guide title: Managed installer and ISG technical reference and troubleshooting guide
description: Explains how to configure a custom Manged Installer. description: A technical reference and troubleshooting guide for managed installer and Intelligent Security Graph (ISG).
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 11/11/2022 ms.date: 11/11/2022
ms.topic: article ms.topic: troubleshooting
--- ---
# Managed installer and ISG technical reference and troubleshooting guide # Managed installer and ISG technical reference and troubleshooting guide
@ -2,7 +2,7 @@
title: WDAC Admin Tips & Known Issues title: WDAC Admin Tips & Known Issues
description: WDAC Known Issues description: WDAC Known Issues
ms.manager: jsuther ms.manager: jsuther
ms.date: 05/09/2023 ms.date: 11/22/2023
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
@ -23,7 +23,7 @@ This article covers tips and tricks for admins and known issues with Windows Def
The *\{PolicyId GUID\}* value is unique by policy and defined in the policy XML with the &lt;PolicyId&gt; element. The *\{PolicyId GUID\}* value is unique by policy and defined in the policy XML with the &lt;PolicyId&gt; element.
For **single policy format WDAC policies**, in addition to the two preceding locations, also look for a file called SiPolicy.p7b that may be found in the following locations: For **single policy format WDAC policies**, in addition to the two preceding locations, also look for a file called SiPolicy.p7b in the following locations:
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\SiPolicy.p7b - &lt;EFI System Partition&gt;\\Microsoft\\Boot\\SiPolicy.p7b
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b - &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b
@ -35,7 +35,7 @@ For **single policy format WDAC policies**, in addition to the two preceding loc
When the WDAC engine evaluates files against the active set of policies on the device, rules are applied in the following order. Once a file encounters a match, WDAC stops further processing. When the WDAC engine evaluates files against the active set of policies on the device, rules are applied in the following order. Once a file encounters a match, WDAC stops further processing.
1. Explicit deny rules - if any explicit deny rule exists for the file, it's blocked even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend. 1. Explicit deny rules - a file is blocked if any explicit deny rule exists for it, even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs. 2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs.
@ -43,17 +43,24 @@ When the WDAC engine evaluates files against the active set of policies on the d
4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option. 4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option.
5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. 5. If no explicit rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
## Known issues ## Known issues
### Boot stop failure (blue screen) occurs if more than 32 policies are active ### Boot stop failure (blue screen) occurs if more than 32 policies are active
If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. If the maximum number of policies is exceeded, the device will bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit.
### Audit mode policies can change the behavior for some apps or cause app crashes
Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that includes the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode:
- Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors.
- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening).
### Managed Installer and ISG may cause excessive events ### Managed Installer and ISG may cause excessive events
When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy. When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events were moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
### .NET native images may generate false positive block events ### .NET native images may generate false positive block events
@ -83,13 +90,13 @@ msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
``` ```
### Slow boot and performance with custom policies ### Slow boot and performance with custom policies
WDAC will evaluate all running processes, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, it's strongly recommended to build off the [WDAC base templates](../design/example-wdac-base-policies.md). WDAC evaluates all processes that run, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies.
#### AppId Tagging policy considerations #### AppId Tagging policy considerations
If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes). If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes).
If you can't allowlist the Windows signers, or build off the WDAC base templates, it is strongly recommended to add the following rule to your policies to improve the performance: If you can't allowlist the Windows signers, or build off the WDAC base templates, it's recommended to add the following rule to your policies to improve the performance:
:::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy."::: :::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy.":::
@ -119,10 +119,7 @@ sections:
- question: | - question: |
Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
answer: | answer: |
This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule with Group Policy, see [Configure Windows Firewall rules with group policy](../../../operating-system-security/network-security/windows-firewall/configure.md)
- [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
### First rule (DHCP Server) ### First rule (DHCP Server)
- Program path: `%SystemRoot%\System32\svchost.exe` - Program path: `%SystemRoot%\System32\svchost.exe`
@ -19,7 +19,7 @@ Microsoft Defender Application Guard Extension defends devices in your organizat
## Prerequisites ## Prerequisites
Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later: Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1809 or later:
- Windows 10 Professional - Windows 10 Professional
- Windows 10 Enterprise - Windows 10 Enterprise
@ -39,6 +39,7 @@
"tier2" "tier2"
], ],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"uhfHeaderId": "MSDocsHeader-Windows", "uhfHeaderId": "MSDocsHeader-Windows",
"ms.localizationpriority": "medium", "ms.localizationpriority": "medium",
"ms.prod": "windows-client", "ms.prod": "windows-client",
@ -6,10 +6,8 @@ items:
- name: Windows Defender System Guard - name: Windows Defender System Guard
href: how-hardware-based-root-of-trust-helps-protect-windows.md href: how-hardware-based-root-of-trust-helps-protect-windows.md
- name: Trusted Platform Module - name: Trusted Platform Module
href: tpm/trusted-platform-module-top-node.md
items:
- name: Trusted Platform Module overview
href: tpm/trusted-platform-module-overview.md href: tpm/trusted-platform-module-overview.md
items:
- name: TPM fundamentals - name: TPM fundamentals
href: tpm/tpm-fundamentals.md href: tpm/tpm-fundamentals.md
- name: How Windows uses the TPM - name: How Windows uses the TPM
@ -2,7 +2,7 @@
title: Back up TPM recovery information to Active Directory title: Back up TPM recovery information to Active Directory
description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory. description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/02/2023 ms.date: 11/17/2023
--- ---
# Back up the TPM recovery information to AD DS # Back up the TPM recovery information to AD DS
@ -2,7 +2,7 @@
title: Change the TPM owner password title: Change the TPM owner password
description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/26/2023 ms.date: 11/17/2023
--- ---
# Change the TPM owner password # Change the TPM owner password
@ -14,12 +14,7 @@ This article for the IT professional describes how to change the password or PIN
Starting with Windows 10, version 1607, Windows doesn't retain the TPM owner password when provisioning the TPM. The password is set to a random high entropy value and then discarded. Starting with Windows 10, version 1607, Windows doesn't retain the TPM owner password when provisioning the TPM. The password is set to a random high entropy value and then discarded.
> [!IMPORTANT] > [!IMPORTANT]
> > Although the TPM owner password isn't retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you don't make this change. To retain the TPM owner password, under the registry key `HKLM\Software\Policies\Microsoft\TPM`, create a `REG_DWORD` value of `OSManagedAuthLevel` and set it to `4`.
> Although the TPM owner password isn't retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you don't make this change. To retain the TPM owner password, under the registry key of
>
> `HKLM\Software\Policies\Microsoft\TPM`
>
> create a `REG_DWORD` value of `OSManagedAuthLevel` and set it to `4`.
> >
> For Windows versions newer than Windows 10 1703, the default value for this key is 5. A value of 5 means: > For Windows versions newer than Windows 10 1703, the default value for this key is 5. A value of 5 means:
> >
@ -52,4 +47,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
## Related articles ## Related articles
- [Trusted Platform Module](trusted-platform-module-top-node.md) - [Trusted Platform Module](trusted-platform-module-overview.md)
@ -2,7 +2,7 @@
title: How Windows uses the TPM title: How Windows uses the TPM
description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security. description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/02/2023 ms.date: 11/17/2023
--- ---
# How Windows uses the Trusted Platform Module # How Windows uses the Trusted Platform Module
@ -31,11 +31,11 @@ The security features of Windows combined with the benefits of a TPM offer pract
## Platform Crypto Provider ## Platform Crypto Provider
Windows includes a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself. Windows includes a cryptography framework called Cryptographic API: Next Generation (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG. Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively: The Platform Crypto Provider, introduced in the Windows 8, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. - **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
@ -49,7 +49,7 @@ These TPM features give Platform Crypto Provider distinct advantages over softwa
Smart cards are physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). However, smart cards can be expensive because they require purchase and deployment of both smart cards and smart card readers. Smart cards are physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). However, smart cards can be expensive because they require purchase and deployment of both smart cards and smart card readers.
In Windows, the *Virtual Smart Card* feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses. In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
@ -61,7 +61,7 @@ The adoption of new authentication technology requires that identity providers a
Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM). - **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an endorsement key. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
- **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. - **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
@ -130,15 +130,15 @@ The TPM adds hardware-based security benefits to Windows. When installed on hard
<br/> <br/>
| Feature | Benefits when used on a system with a TPM | | Feature | Benefits when used on a system with a TPM |
|---|---| |----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Platform Crypto Provider | <ul><li>If the machine is compromised, the private key associated with the certificate can't be copied off the device.</li><li>The TPM's dictionary attack mechanism protects PIN values to use a certificate.</li></ul> | | Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate can't be copied off the device.<br>- The TPM's dictionary attack mechanism protects PIN values to use a certificate. |
| Virtual Smart Card | <ul><li>Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.</li></ul> | | Virtual Smart Card | Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers. |
| Windows Hello for Business | <ul><li>Credentials provisioned on a device can't be copied elsewhere.</li><li>Confirm a device's TPM before credentials are provisioned.</li></ul> | | Windows Hello for Business | - Credentials provisioned on a device can't be copied elsewhere.<br>- Confirm a device's TPM before credentials are provisioned. |
| BitLocker Drive Encryption | <ul><li>Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.</li></ul> | | BitLocker Drive Encryption | Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. |
|Device Encryption | <ul><li>With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection.</li></ul> | | Device Encryption | With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection. |
| Measured Boot | <ul><li>A hardware root of trust contains boot measurements that help detect malware during remote attestation.</li></ul> | | Measured Boot | A hardware root of trust contains boot measurements that help detect malware during remote attestation. |
| Health Attestation | <ul><li>MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. </li></ul> | | Health Attestation | MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. |
| Credential Guard | <ul><li>Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.</li></ul> | | Credential Guard | Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. |
<br /> <br />


@ -2,7 +2,7 @@
title: Troubleshoot the TPM title: Troubleshoot the TPM
description: Learn how to view and troubleshoot the Trusted Platform Module (TPM). description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/02/2023 ms.date: 11/17/2023
ms.collection: ms.collection:
- tier1 - tier1
--- ---
@ -15,13 +15,14 @@ This article provides information how to troubleshoot the Trusted Platform Modul
- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) - [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
With TPM 1.2 and Windows 11, you can also take the following actions: With TPM 1.2 and Windows 11, you can also take the following actions:
- [Turn on or turn off the TPM](#turn-on-or-turn-off)
- [Turn on or turn off the TPM](#turn-on-or-turn-off-the-tpm)
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
## About TPM initialization and ownership ## About TPM initialization and ownership
Windows automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you had to initialize the TPM and create an owner password. Windows automatically initializes and takes ownership of the TPM. There's no need for you to initialize the TPM and create an owner password.
### TPM initialization ### TPM initialization
@ -68,7 +69,7 @@ Clearing the TPM can result in data loss. To protect against such loss, review t
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
**To clear the TPM** #### To clear the TPM
1. Open the Windows Defender Security Center app. 1. Open the Windows Defender Security Center app.
1. Select **Device security**. 1. Select **Device security**.
@ -78,7 +79,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
- You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. - You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
- After the device restarts, your TPM will be automatically prepared for use by Windows. - After the device restarts, your TPM will be automatically prepared for use by Windows.
## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM ## Turn on or turn off the TPM
Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.


@ -2,7 +2,7 @@
title: Manage TPM commands title: Manage TPM commands
description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/26/2023 ms.date: 11/17/2023
--- ---
# Manage TPM commands # Manage TPM commands
@ -15,10 +15,9 @@ The following procedures describe how to manage the TPM command lists. You must
## Block TPM commands by using the Local Group Policy Editor ## Block TPM commands by using the Local Group Policy Editor
1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. 1. Open the Local Group Policy Editor (`gpedit.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
> [!NOTE] > [!NOTE]
>
> Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
1. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. 1. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**.
@ -32,7 +31,6 @@ The following procedures describe how to manage the TPM command lists. You must
1. For each command that you want to block, select **Add**, enter the command number, and then select **OK**. 1. For each command that you want to block, select **Add**, enter the command number, and then select **OK**.
> [!NOTE] > [!NOTE]
>
> For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/). > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/).
1. After you have added numbers for each command that you want to block, select **OK** twice. 1. After you have added numbers for each command that you want to block, select **OK** twice.
@ -41,9 +39,7 @@ The following procedures describe how to manage the TPM command lists. You must
## Block or allow TPM commands by using the TPM MMC ## Block or allow TPM commands by using the TPM MMC
1. Open the TPM MMC (tpm.msc) 1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
1. In the console tree, select **Command Management**. A list of TPM commands is displayed. 1. In the console tree, select **Command Management**. A list of TPM commands is displayed.
@ -53,9 +49,7 @@ The following procedures describe how to manage the TPM command lists. You must
## Block new commands ## Block new commands
1. Open the TPM MMC (tpm.msc). 1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
1. In the console tree, select **Command Management**. A list of TPM commands is displayed. 1. In the console tree, select **Command Management**. A list of TPM commands is displayed.
@ -69,4 +63,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatfo
## Related articles ## Related articles
- [Trusted Platform Module](trusted-platform-module-top-node.md) - [Trusted Platform Module](trusted-platform-module-overview.md)


@ -2,7 +2,7 @@
title: Manage TPM lockout title: Manage TPM lockout
description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/26/2023 ms.date: 11/17/2023
--- ---
# Manage TPM lockout # Manage TPM lockout
@ -17,20 +17,19 @@ Windows takes ownership of the TPM ownership upon first boot. By default, Window
In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values. In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
### TPM 1.2
The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time.
### TPM 2.0 ### TPM 2.0
TPM 2.0 devices have standardized lockout behavior which Windows configures. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This configuration means that every continuous 10 minutes of powered on operation without an event causes the counter to decrease by 1. TPM 2.0 devices have standardized lockout behavior which Windows configures. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This configuration means that every continuous 10 minutes of powered on operation without an event causes the counter to decrease by 1.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher. If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher.
### TPM 1.2
The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time.
## Reset the TPM lockout by using the TPM MMC ## Reset the TPM lockout by using the TPM MMC
> [!NOTE] > [!NOTE]
>
> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password isn't available in Windows 10 starting with version 1607 and higher. > This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password isn't available in Windows 10 starting with version 1607 and higher.
The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
@ -39,7 +38,7 @@ The following procedure explains the steps to reset the TPM lockout by using the
1. Open the TPM MMC (tpm.msc). 1. Open the TPM MMC (tpm.msc).
1 In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. 1. In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
1. Choose one of the following methods to enter the TPM owner password: 1. Choose one of the following methods to enter the TPM owner password:
@ -77,4 +76,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
## Related articles ## Related articles
- [Trusted Platform Module](trusted-platform-module-top-node.md) - [Trusted Platform Module](trusted-platform-module-overview.md)


@ -2,14 +2,14 @@
title: UnderstandPCR banks on TPM 2.0 devices title: UnderstandPCR banks on TPM 2.0 devices
description: Learn about what happens when you switch PCR banks on TPM 2.0 devices. description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/02/2023 ms.date: 11/17/2023
--- ---
# PCR banks on TPM 2.0 devices # PCR banks on TPM 2.0 devices
For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This article provides background about what happens when you switch PCR banks on TPM 2.0 devices. For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This article provides background about what happens when you switch PCR banks on TPM 2.0 devices.
A *Platform Configuration Register (PCR)* is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*. A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*.
To store a new value in a PCR, the existing value is extended with a new value as follows: `PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend)` To store a new value in a PCR, the existing value is extended with a new value as follows: `PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend)`
@ -21,8 +21,7 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i
## How does Windows use PCRs? ## How does Windows use PCRs?
To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values.\ To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
It's important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match. It's important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match.
@ -30,7 +29,7 @@ It's important to note that this binding to PCR values also includes the hashing
When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs. When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled. As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR[12] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled.
## What can I do to switch PCRs when BitLocker is already active? ## What can I do to switch PCRs when BitLocker is already active?
@ -42,7 +41,7 @@ You can configure a TPM to have multiple PCR banks active. When BIOS performs me
- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` - Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices`
- DWORD: `TPMActivePCRBanks` - DWORD: `TPMActivePCRBanks`
- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.) - Defines which PCR banks are currently active. This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.
Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met. Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met.
@ -50,6 +49,6 @@ You can identify which PCR bank is currently used by Windows by looking at the r
- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` - Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices`
- DWORD: `TPMDigestAlgID` - DWORD: `TPMDigestAlgID`
- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.) - Algorithm ID of the PCR bank that Windows is currently using. This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.
Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted. Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted.


@ -2,24 +2,27 @@
title: Trusted Platform Module (TPM) fundamentals title: Trusted Platform Module (TPM) fundamentals
description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks. description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
ms.topic: conceptual ms.topic: conceptual
ms.date: 03/09/2023 ms.date: 11/17/2023
--- ---
# TPM fundamentals # TPM fundamentals
This article provides a description of the *Trusted Platform Module* (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks. This article provides a description of the Trusted Platform Module (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks.
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus. A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus.
Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called *wrapping* or *binding a key*, can help protect the key from disclosure. Each TPM has a *master wrapping key*, called the *storage root key*, which is stored within the TPM itself. The private portion of a storage root key, or *endorsement key*, that is created in a TPM is never exposed to any other component, software, process, or user. Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a primary wrapping key, called the **storage root key**, which is stored within the TPM itself. The private portion of a storage root key, or **endorsement key**, that is created in a TPM is never exposed to any other component, software, process, or user.
You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM. You can specify whether encryption keys that the TPM creates can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM.
Devices that incorporate a TPM can also create a key wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as *sealing the key to the TPM*. Decrypting the key is called *unsealing*. The TPM can also seal and unseal data that is generated outside the TPM. With sealed key and software, such as BitLocker Drive Encryption, data can be locked until specific hardware or software conditions are met. Devices that incorporate a TPM can also create a key wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as *sealing the key to the TPM*. Decrypting the key is called *unsealing*. The TPM can also seal and unseal data that is generated outside the TPM. With sealed key and software, such as BitLocker Drive Encryption, data can be locked until specific hardware or software conditions are met.
With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software. With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software.
For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). - For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md).
- For more information about which TPM services can be controlled centrally by using Group Policy settings, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [Trusted Platform Module page](http://www.trustedcomputinggroup.org/developers/trusted_platform_module) on the Trusted Computing Group website.
The following sections provide an overview of the technologies that support the TPM: The following sections provide an overview of the technologies that support the TPM:
@ -33,12 +36,9 @@ The following sections provide an overview of the technologies that support the
- [TPM Key Attestation](#key-attestation) - [TPM Key Attestation](#key-attestation)
- [Anti-hammering](#anti-hammering) - [Anti-hammering](#anti-hammering)
The following article describes the TPM services that can be controlled centrally by using Group Policy settings:
[TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
## Measured Boot with support for attestation ## Measured Boot with support for attestation
The *Measured Boot* feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
## TPM-based Virtual Smart Card ## TPM-based Virtual Smart Card
@ -48,7 +48,7 @@ The Virtual Smart Card emulates the functionality of traditional smart cards. Vi
## TPM-based certificate storage ## TPM-based certificate storage
The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal). The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can also be used for crypto-operations through [Cryptography API: Next Generation (CNG)](/windows/win32/seccng/cng-portal).
## TPM Cmdlets ## TPM Cmdlets
@ -68,7 +68,7 @@ A trusted application can use TPM only if the TPM contains an endorsement key, w
## Key attestation ## Key attestation
*TPM key attestation* allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by non-exportability, anti-hammering, and isolation of keys provided by a TPM. TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by nonexportability, anti-hammering, and isolation of keys provided by a TPM.
## Anti-hammering ## Anti-hammering
@ -84,12 +84,9 @@ TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2
For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked.\ Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again.
After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation.\
With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again.
Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated.\ Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM, and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM, and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
@ -99,18 +96,16 @@ TPM 2.0 allows some keys to be created without an authorization value associated
### Rationale behind the defaults ### Rationale behind the defaults
Originally, BitLocker allowed from 4 to 20 characters for a PIN. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). Starting in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
### TPM-based smart cards ### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards: The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered.
With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors - Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements - Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements.
- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password - The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password.


@ -2,7 +2,7 @@
title: TPM recommendations title: TPM recommendations
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/02/2023 ms.date: 11/17/2023
ms.collection: ms.collection:
- tier1 - tier1
--- ---
@ -34,25 +34,15 @@ From an industry standard, Microsoft has been an industry leader in moving and s
TPM 2.0 products and systems have important security advantages over TPM 1.2, including: TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. - For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. - TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
- TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs don't support all algorithms. - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs don't support all algorithms.
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers). - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers).
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://www.microsoft.com/security/blog/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption)). - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://www.microsoft.com/security/blog/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption)).
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
- TPM 2.0 offers a more **consistent experience** across different implementations. - TPM 2.0 offers a more **consistent experience** across different implementations.
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary. - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
- While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s), and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. - While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s), and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
> [!NOTE] > [!NOTE]
@ -64,11 +54,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
There are three implementation options for TPMs: There are three implementation options for TPMs:
- Discrete TPM chip as a separate component in its own semiconductor package - Discrete TPM chip as a separate component in its own semiconductor package.
- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components.
- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components - Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit.
- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions, which should suit all needs. Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions, which should suit all needs.
@ -94,22 +82,22 @@ For end consumers, TPM is behind the scenes but is still relevant. TPM is used f
The following table defines which Windows features require TPM support. The following table defines which Windows features require TPM support.
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | | Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-|-|-|- |--|--|--|--|--|
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. | Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. |
BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support | BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support |
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. | Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
Windows Defender Application Control (Device Guard) | No | Yes | Yes | Windows Defender Application Control (Device Guard) | No | Yes | Yes |
Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. | Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. |
Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. | Device Health Attestation | Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. |
Windows Hello/Windows Hello for Business| No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage. | Windows Hello/Windows Hello for Business | No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage. |
UEFI Secure Boot | No | Yes | Yes | UEFI Secure Boot | No | Yes | Yes |
TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes | TPM Platform Crypto Provider Key Storage Provider | Yes | Yes | Yes |
Virtual Smart Card | Yes | Yes | Yes | Virtual Smart Card | Yes | Yes | Yes |
Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. | Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. | Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. |
SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
## OEM Status on TPM 2.0 system availability and certified parts ## OEM Status on TPM 2.0 system availability and certified parts
@ -117,4 +105,4 @@ Government customers and enterprise customers in regulated industries may have a
## Related topics ## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) - [Trusted Platform Module](trusted-platform-module-overview.md)


@ -2,7 +2,7 @@
title: Trusted Platform Module Technology Overview title: Trusted Platform Module Technology Overview
description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/22/2023 ms.date: 11/17/2023
ms.collection: ms.collection:
- tier1 - tier1
--- ---
@ -13,21 +13,26 @@ This article describes the Trusted Platform Module (TPM) and how Windows uses it
## Feature description ## Feature description
The [*Trusted Platform Module (TPM)*](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are: The [Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-overview) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
- Generate, store, and limit the use of cryptographic keys - Generate, store, and limit the use of cryptographic keys.
- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip - Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip.
- Help ensure platform integrity by taking and storing security measurements of the boot process - Help ensure platform integrity by taking and storing security measurements of the boot process.
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses. TPM-based keys can be configured in various ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM activates its dictionary attack logic and prevents further authorization value guesses.
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/). Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
### Automatic initialization of the TPM with Windows [!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)]
Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809. ## Automatic initialization of the TPM with Windows
Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
> [!NOTE]
> We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects. In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.
@ -37,21 +42,15 @@ Certificates can be installed or created on computers that are using the TPM. Af
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)]
## New and changed functionality
For more info on new and changed functionality for Trusted Platform Module in Windows, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module)
## Device health attestation ## Device health attestation
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that allows or denies a managed device access to a secure resource.
Some security issues that you can check on the device include the following: Some security issues that you can check on the devices include:
- Is Data Execution Prevention supported and enabled? - Is Data Execution Prevention supported and enabled?
- Is BitLocker Drive Encryption supported and enabled? - Is BitLocker Drive Encryption supported and enabled?


@ -2,18 +2,12 @@
title: TPM Group Policy settings title: TPM Group Policy settings
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
ms.topic: conceptual ms.topic: conceptual
ms.date: 07/31/2023 ms.date: 11/17/2023
--- ---
# TPM Group Policy settings # TPM Group Policy settings
This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. The Group Policy settings for TPM services are located under **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services**.
The Group Policy settings for TPM services are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
The following Group Policy settings were introduced in Windows.
## Configure the level of TPM owner authorization information available to the operating system ## Configure the level of TPM owner authorization information available to the operating system
@ -23,27 +17,26 @@ The following Group Policy settings were introduced in Windows.
This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions. This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions.
| TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0? | Kept at level 2? | Kept at level 4? | | TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0? | Kept at level 2? | Kept at level 4? |
|--------------|---------------|---------|-----------------|-----------------|------------------| |----------------------|------------------|-------------------------------------------|------------------|------------------|------------------|
| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes | | OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes | | OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes | | OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes |
There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
- **Full** This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. - **Full**: This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
- **Delegated** This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703. - **Delegated**: This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
- **None** This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. - **None**: This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
> [!NOTE] > [!NOTE]
> If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. > If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
**Registry information** **Registry information**
Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM`
DWORD: `OSManagedAuthLevel`
DWORD: OSManagedAuthLevel
The following table shows the TPM owner authorization values in the registry. The following table shows the TPM owner authorization values in the registry.
@ -68,9 +61,8 @@ This setting helps administrators prevent the TPM hardware from entering a locko
For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration: For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration:
- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold) This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. - [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold): This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold): This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold) This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
@ -118,9 +110,7 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t
## TPM Group Policy settings in Windows Security ## TPM Group Policy settings in Windows Security
You can change what users see about TPM in **Windows Security**. The Group Policy settings for the TPM area in **Windows Security** are located at: You can change what users see about TPM in **Windows Security**. The Group Policy settings for the TPM area in **Windows Security** are located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Security** > **Device security**.
**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security**
### Disable the Clear TPM button ### Disable the Clear TPM button
@ -132,6 +122,6 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
## Related topics ## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) - [Trusted Platform Module](trusted-platform-module-overview.md)
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true) - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
- [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md) - [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md)


@ -1,24 +0,0 @@
---
title: Trusted Platform Module
description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.topic: conceptual
ms.date: 02/02/2023
ms.collection:
- tier1
---
# Trusted Platform Module
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details.
<!-- The description for "Manage TPM lockout" might need updating-- the topic is being revised in December 2016 or January 2017. -->
| Topic | Description |
|-------|-------------|
| [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
| [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
| [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer's TPM information to Active Directory Domain Services. |
| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. |
| [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |


@ -2,7 +2,7 @@
title: Remote Credential Guard title: Remote Credential Guard
description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
ms.topic: how-to ms.topic: how-to
ms.date: 09/06/2023 ms.date: 12/04/2023
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@ -33,7 +33,7 @@ Using a Remote Desktop session without Remote Credential Guard has the following
The security benefits of Remote Credential Guard include: The security benefits of Remote Credential Guard include:
- Credentials aren't sent to the remote host - Credentials aren't sent to the remote host
- During the remote session you can connect to other systems using SSO - During the remote session, you can connect to other systems using SSO
- An attacker can act on behalf of the user only when the session is ongoing - An attacker can act on behalf of the user only when the session is ongoing
The security benefits of [Restricted Admin mode][TECH-1] include: The security benefits of [Restricted Admin mode][TECH-1] include:
@ -67,14 +67,14 @@ The remote host:
The client device: The client device:
- Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard - Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard
- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk - Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard doesn't allow NTLM fallback because it would expose credentials to risk
[!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)] [!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)]
## Enable delegation of nonexportable credentials on the remote hosts ## Enable delegation of nonexportable credentials on the remote hosts
This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\ This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\
If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host. If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. Users must pass their credentials to the host, exposing them to the risk of credential theft from attackers on the remote host.
To enable delegation of nonexportable credentials on the remote hosts, you can use: To enable delegation of nonexportable credentials on the remote hosts, you can use:
@ -131,9 +131,12 @@ To enable Remote Credential Guard on the clients, you can configure a policy tha
> [!TIP] > [!TIP]
> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session: > If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
>
> ```cmd > ```cmd
> mstsc.exe /remoteGuard > mstsc.exe /remoteGuard
> ``` > ```
>
> If the server hosts the RDS Host role, then the command works only if the user is an administrator of the remote host.
The policy can have different values, depending on the level of security you want to enforce: The policy can have different values, depending on the level of security you want to enforce:
@ -203,17 +206,17 @@ To further harden security, we also recommend that you implement Windows Local A
For more information about LAPS, see [What is Windows LAPS][LEARN-1]. For more information about LAPS, see [What is Windows LAPS][LEARN-1].
## Additional considerations ## Considerations
Here are some additional considerations for Remote Credential Guard: Here are some considerations for Remote Credential Guard:
- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied - Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access is denied
- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Microsoft Entra ID - Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Microsoft Entra ID
- Remote Credential Guard can be used from a Microsoft Entra joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos - Remote Credential Guard can be used from a Microsoft Entra joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
- Remote Credential Guard only works with the RDP protocol - Remote Credential Guard only works with the RDP protocol
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
- The server and client must authenticate using Kerberos - The server and client must authenticate using Kerberos
- Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway - Remote Credential Guard is only supported for direct connections to the target machines. It isn't support for connections via Remote Desktop Connection Broker and Remote Desktop Gateway
<!--links--> <!--links-->


@ -1,9 +1,10 @@
--- ---
ms.date: 11/07/2023 ms.date: 11/22/2023
title: Smart Card and Remote Desktop Services title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.topic: conceptual ms.topic: concept-article
--- ---
# Smart Card and Remote Desktop Services # Smart Card and Remote Desktop Services
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
@ -25,7 +26,7 @@ In a Remote Desktop scenario, a user is using a remote server for running servic
Notes about the redirection model: Notes about the redirection model:
1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs `net use /smartcard` 1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as *Client session*), the user runs `net use /smartcard`
1. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer 1. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer
1. The authentication is performed by the LSA in session 0 1. The authentication is performed by the LSA in session 0
1. The CryptoAPI processing is performed in the LSA (`lsass.exe`). This is possible because RDP redirector (`rdpdr.sys`) allows per-session, rather than per-process, context 1. The CryptoAPI processing is performed in the LSA (`lsass.exe`). This is possible because RDP redirector (`rdpdr.sys`) allows per-session, rather than per-process, context
@ -44,7 +45,7 @@ When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services
Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password. Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in. In addition, group policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate: To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate:


@ -2,7 +2,7 @@
title: Smart Card Architecture title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.topic: reference-architecture ms.topic: reference-architecture
ms.date: 11/06/2023 ms.date: 11/22/2023
--- ---
# Smart Card Architecture # Smart Card Architecture


@ -1,15 +1,13 @@
--- ---
title: Certificate Propagation Service title: Certificate propagation service
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. description: Learn about the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.topic: concept-article ms.topic: concept-article
ms.date: 08/24/2021 ms.date: 11/22/2023
--- ---
# Certificate Propagation Service # Certificate propagation service
This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. The certificate propagation service (CertPropSvc) is a Windows service that activates when a user inserts a smart card in a reader that is attached to the device. The action causes the certificates to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
> [!NOTE] > [!NOTE]
> The certificate propagation service must be running for smart card Plug and Play to work. > The certificate propagation service must be running for smart card Plug and Play to work.
@ -47,9 +45,9 @@ Root certificate propagation is responsible for the following smart card deploym
- Joining the domain - Joining the domain
- Accessing a network remotely - Accessing a network remotely
In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain. In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by group policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with group policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in). For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in).


@ -2,7 +2,7 @@
title: Certificate Requirements and Enumeration title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.topic: concept-article ms.topic: concept-article
ms.date: 11/06/2023 ms.date: 11/22/2023
--- ---
# Certificate Requirements and Enumeration # Certificate Requirements and Enumeration
@ -23,23 +23,23 @@ When a smart card is inserted, the following steps are performed.
1. The certificate is then queried from the key context by using KP_CERTIFICATE. The certificate is added to an in-memory certificate store. 1. The certificate is then queried from the key context by using KP_CERTIFICATE. The certificate is added to an in-memory certificate store.
1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed: 1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date). 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date)
1. The certificate must not be in the AT_SIGNATURE part of a container. 1. The certificate must not be in the AT_SIGNATURE part of a container
1. The certificate must have a valid user principal name (UPN). 1. The certificate must have a valid user principal name (UPN)
1. The certificate must have the digital signature key usage. 1. The certificate must have the digital signature key usage
1. The certificate must have the smart card logon EKU. 1. The certificate must have the smart card logon EKU
Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions). Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions)
1. The process then chooses a certificate, and the PIN is entered. 1. The process then chooses a certificate, and the PIN is entered
1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt. 1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt
1. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released. 1. If successful, `LogonUI.exe` closes. This causes the context acquired in Step 3 to be released
## Smart card sign-in flow in Windows ## Smart card sign-in flow in Windows
Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) doesn't reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change. Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) doesn't reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
Client certificates that don't contain a UPN in the `subjectAltName`` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card. Client certificates that don't contain a UPN in the `subjectAltName` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy. Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.
@ -53,22 +53,22 @@ The following diagram illustrates how smart card sign-in works in the supported
Following are the steps that are performed during a smart card sign-in: Following are the steps that are performed during a smart card sign-in:
1. Winlogon requests the sign-in UI credential information. 1. Winlogon requests the sign-in UI credential information
1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following: 1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected). 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected)
1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them. 1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them
1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal
> [!NOTE] > [!NOTE]
> Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
1. Notifies the sign-in UI that it has new credentials. 1. Notifies the sign-in UI that it has new credentials
1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box. 1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box
1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN. 1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN
1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts. 1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts
1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI. 1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI
1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser. 1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser
1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). 1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\ If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\


@ -2,7 +2,7 @@
title: Smart Card Troubleshooting title: Smart Card Troubleshooting
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 11/06/2023 ms.date: 11/22/2023
--- ---
# Smart Card Troubleshooting # Smart Card Troubleshooting


@ -2,7 +2,7 @@
title: Smart card events title: Smart card events
description: Learn about smart card deployment and development events. description: Learn about smart card deployment and development events.
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 06/02/2023 ms.date: 11/22/2023
--- ---
# Smart card events # Smart card events


@ -2,7 +2,7 @@
title: Smart Card Group Policy and Registry Settings title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.topic: reference ms.topic: reference
ms.date: 11/06/2023 ms.date: 11/22/2023
--- ---
# Smart Card Group Policy and Registry Settings # Smart Card Group Policy and Registry Settings
@ -262,7 +262,7 @@ When this setting isn't turned on, Credential Manager can return plaintext PINs.
You can use this policy setting to control the way the subject name appears during sign-in. You can use this policy setting to control the way the subject name appears during sign-in.
> [!NOTE] > [!NOTE]
> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization. > To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is *CN=User1, OU=Users, DN=example, DN=com* and the UPN is *user1@example.com*, *User1* is displayed with *user1@example.com*. If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate. When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate.


@ -2,7 +2,7 @@
title: How Smart Card Sign-in Works in Windows title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.topic: overview ms.topic: overview
ms.date: 1/06/2023 ms.date: 11/22/2023
--- ---
# How Smart Card Sign-in Works in Windows # How Smart Card Sign-in Works in Windows


@ -2,23 +2,23 @@
title: Smart Card Removal Policy Service title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.topic: concept-article ms.topic: concept-article
ms.date: 09/24/2021 ms.date: 11/22/2023
--- ---
# Smart Card Removal Policy Service # Smart Card Removal Policy Service
This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. This article describes the role of the removal policy service (`ScPolicySvc`) in smart card implementations.
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). The smart card removal policy service is applicable when a user signs in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by group policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
![Smart card removal policy service.](images/sc-image501.gif) ![Diagram showing the smart card removal policy service.](images/sc-image501.gif)
The numbers in the previous figure represent the following actions: The numbers in the diagram represent the following actions:
1. Winlogon isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated. 1. `Winlogon` isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated
1. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred. 1. The smart card resource manager service notifies the smart card removal policy service that a sign-in occurred
1. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified. 1. `ScPolicySvc` retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, `ScPolicySvc` is notified
1. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer. 1. `ScPolicySvc` calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, `ScPolicySvc` sends a message to Winlogon to lock the computer.
## See also ## See also


@ -2,7 +2,7 @@
title: Smart Cards for Windows Service title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.topic: concept-article ms.topic: concept-article
ms.date: 11/06/2023 ms.date: 11/22/2023
--- ---
# Smart Cards for Windows Service # Smart Cards for Windows Service


@ -2,7 +2,7 @@
title: Smart Card Tools and Settings title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/06/2023 ms.date: 11/22/2023
--- ---
# Smart Card Tools and Settings # Smart Card Tools and Settings


@ -2,7 +2,7 @@
title: Smart Card Technical Reference title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.topic: overview ms.topic: overview
ms.date: 11/06/2023 ms.date: 11/22/2023
--- ---
# Smart Card Technical Reference # Smart Card Technical Reference


@ -24,7 +24,7 @@ items:
href: enterprise-certificate-pinning.md href: enterprise-certificate-pinning.md
- name: Web sign-in - name: Web sign-in
href: web-sign-in/index.md href: web-sign-in/index.md
- name: Federated sign-in 🔗 - name: Federated sign-in (EDU) 🔗
href: /education/windows/federated-sign-in href: /education/windows/federated-sign-in
- name: Advanced credential protection - name: Advanced credential protection
items: items:


@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 09/18/2023 ms.date: 11/21/2023
ms.topic: include ms.topic: include
--- ---
@ -10,8 +10,8 @@ ms.topic: include
| Feature name | Description | | Feature name | Description |
|:---|:---| |:---|:---|
| **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. | | **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. | | **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The anti-malware software can use the log to determine whether components that ran before it are trustworthy, or if they're infected with malware. The anti-malware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. | | **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. | | **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. | | **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
@ -19,13 +19,13 @@ ms.topic: include
| Feature name | Description | | Feature name | Description |
|:---|:---| |:---|:---|
| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.<br><br>The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. | | **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.<br><br>The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but aren't considered malware. |
| **[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. | | **[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. | | **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. | | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. | | **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. | | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. | | **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they're entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. | | **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
## Network security ## Network security
@ -33,11 +33,11 @@ ms.topic: include
| Feature name | Description | | Feature name | Description |
|:---|:---| |:---|:---|
| **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. | | **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.<br><br>In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. | | **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.<br><br>In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. | | **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, and issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. | | **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification program designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. | | **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). | | **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)** | Windows Firewall provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. 
Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there's no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. | | **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. | | **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. | | **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
@ -51,5 +51,5 @@ ms.topic: include
| **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID. | | **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID. |
| **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. | | **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
| **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. | | **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. | | **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container, which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. | | **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message hasn't been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |


@ -63,7 +63,7 @@ productDirectory:
- url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
text: Windows security baselines text: Windows security baselines
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
text: MMicrosoft Defender SmartScreen text: Microsoft Defender SmartScreen
- url: /windows/security/operating-system-security - url: /windows/security/operating-system-security
text: Learn more about OS security > text: Learn more about OS security >


@ -10,11 +10,9 @@ ms.date: 10/30/2023
To configure BitLocker, you can use one of the following options: To configure BitLocker, you can use one of the following options:
- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP][WIN-1] is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance policies][INT-1], combining them with [Conditional Access][ENTRA-1]. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles: - Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP][WIN-1] is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance policies][INT-1], combining them with [Conditional Access][ENTRA-1]. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
- [Manage BitLocker policy for Windows devices with Intune][INT-2] - [Manage BitLocker policy for Windows devices with Intune][INT-2]
- [Monitor device encryption with Intune][INT-3] - [Monitor device encryption with Intune][INT-3]
- [Use compliance policies to set rules for devices you manage with Intune][INT-4] - [Use compliance policies to set rules for devices you manage with Intune][INT-4]
- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor - Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management][MCM-1] - Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management][MCM-1]


@ -1,209 +0,0 @@
---
title: Best practices for configuring Windows Firewall
description: Learn about best practices for configuring Windows Firewall
ms.prod: windows-client
ms.date: 11/10/2023
ms.topic: best-practice
---
# Best practices for configuring Windows Firewall
Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into or out of the local device. Configuring your Windows Firewall based on the following best practices can help you optimize protection for devices in your network. These recommendations cover a wide range of deployments including home networks and enterprise desktop/server systems.
To open Windows Firewall, select **Start** > **Run**, type **wf.msc**, and then select **OK**. See also [Open Windows Firewall](open-windows-firewall-with-advanced-security.md).
## Keep default settings
When you open the Windows Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
![Windows Firewall with Advanced Security first time opening.](images/fw01-profiles.png)
1. **Domain profile**: Used for networks where there's a system of account authentication against an Active Directory domain controller
1. **Private profile**: Designed for and best used in private networks such as a home network
1. **Public profile**: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores
To view detailed settings for each profile, right-click the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then select **Properties**.
Maintain the default settings in Windows Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
:::image type="content" source="images/fw03-defaults.png" alt-text="Screenshot of the default inbound/outbound Firewall settings.":::
> [!IMPORTANT]
> To maintain maximum security, do not change the default Block setting for inbound connections.
For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) and [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md).
## Rule precedence for inbound rules
In many cases, a next step for administrators is to customize the firewall profiles using *rules* (sometimes called *filters*), so that they can work with applications or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.
The rule-adding task can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
![Rule creation wizard.](images/fw02-createrule.png)
> [!NOTE]
>This article doesn't cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation.
In many cases, allowing specific types of inbound traffic is required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions:
1. Explicitly defined allow rules take precedence over the default block setting
1. Explicit block rules take precedence over any conflicting allow rules
1. More specific rules take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 takes precedence.
> [!TIP]
> Because of 1 and 2, when designing a set of policies you should make sure that there are no other explicit block rules that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
A general security recommended practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
> [!NOTE]
> Windows Firewall doesn't support weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors as described.
## Create rules for new applications before first launch
### Inbound allow rules
When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Firewall, it's necessary to create inbound exception rules to allow this traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule.
If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network.
- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic.
- If the user isn't a local admin, they won't be prompted. In most cases, block rules are created.
In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked.
> [!NOTE]
> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.
### Known issues with automatic rule creation
When designing a set of firewall policies for your network, it's a recommended practice to configure *allow rules* for any networked applications deployed on the host. Having the rules in place before the user first launches the application helps to ensure a seamless experience.
The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues.
To determine why some applications are blocked from communicating in the network, check for the following instances:
1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt
1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes
1. Local Policy Merge is disabled, preventing the application or network service from creating local rules
Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
:::image type="content" alt-text="Windows Firewall prompt." source="images/fw04-userquery.png":::
See also [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md).
## Establish local policy merge and application rules
Firewall rules can be deployed:
1. Locally using the Firewall snap-in (**wf.msc**)
1. Locally using PowerShell
1. Remotely using Group Policy if the device is a member of an Active Directory Name or managed by Configuration Manager
1. Remotely, using a mobile device management (MDM) solution like Microsoft Intune
Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for *Domain*, *Private*, and *Public profiles*.
The rule-merging settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from Group Policy.
![Customize settings.](images/fw05-rulemerge.png)
> [!TIP]
> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*.
If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
Administrators may disable *LocalPolicyMerge* in high-security environments to maintain tighter control over endpoints. This setting can impact some applications and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device
Management (MDM), or both (for hybrid or co-management environments).
[Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging.
As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
In general, to maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes.
> [!NOTE]
> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. You can only create rules using the full path to the application(s).
## Understand group policy processing
The Windows Firewall settings configured via group policy or CSP are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes.
Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions:
- Reads all firewall rules and settings
- Applies any new filters
- Removes the old filters
> [!NOTE]
> The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected.
Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects haven't changed* option updates and reapplies the policies even if the policies haven't changed. This option is disabled by default.
If you enable the option *Process even if the Group Policy objects haven't changed*, the WFP filters get reapplied during **every** background refresh. In case you have 10 group policies, the WFP filters get reapplied 10 times during the refresh interval. If an error happens during policy processing, the applied settings might be incomplete, resulting in issues like:
- Windows Firewall blocks inbound or outbound traffic allowed by group policies
- Local Firewall settings are applied instead of group policy settings
- IPsec connections can't establish
The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller.
To avoid the issue, leave the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing` to the default value of *Not Configured* or, if already configured, configure it *Disabled*.
> [!IMPORTANT]
> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change.
>
> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**.
## Know how to use *shields up* mode for active attacks
An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
Shields up can be achieved by checking **Block all
incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*.
![Incoming connections.](images/fw06-block.png)
*Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type*
:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::
*Figure 7: Legacy firewall.cpl*
By default, the Windows Firewall blocks everything unless there's an exception rule created. This setting overrides the exceptions.
For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated.
Once the emergency is over, uncheck the setting to restore regular network traffic.
## Create outbound rules
What follows are a few general guidelines for configuring outbound rules.
- The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default
- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use
- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments)
For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md).
## Document your changes
When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
## Configure Windows Firewall rules with WDAC tagging policies
Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration:
### Step 1: Deploy WDAC AppId Tagging Policies
A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching PolicyAppId.
Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications.
### Step 2: Configure Firewall Rules using PolicyAppId Tags
- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform.
You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules.
OR
- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `-PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.


@ -0,0 +1,177 @@
---
title: Configure Windows Firewall logging
description: Learn how to configure Windows Firewall to log dropped packets or successful connections with CSP and group policy.
ms.topic: how-to
ms.date: 11/21/2023
---
# Configure Windows Firewall logging
To configure Windows Firewall to log dropped packets or successful connections, you can use:
- Configuration Service Provider (CSP), using an MDM solution like Microsoft Intune
- Group policy (GPO)
[!INCLUDE [tab-intro](../../../../../includes/configure/tab-intro.md)]
# [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
1. Sign into the [Microsoft Intune admin center][INT]
1. Go to **Endpoint security** > **Firewall** > **Create policy** > **Windows 10, Windows 11, and Windows Server** > **Windows Firewall** > **Create**
1. Enter a name and, optionally, a description > **Next**
1. Under **Configuration settings**, for each network location type (*Domain*, *Private*, *Public*), configure:
- **Log file path**
- **Enable log dropped packets**
- **Enable log success connections**
- **Log max file size**
1. Select **Next** > **Next**
1. Assign the policy to a group that contains as members the devices or users that you want to configure > **Next** > **Create**
> [!TIP]
> If you prefer you can also use a [Settings catalog policy][MEM-1] to configure Windows Firewall logging.
Alternatively, you can configure devices using a [custom policy][INT-1] with the [Firewall CSP][CSP-1].
| Network profile | Setting |
|--|--|
| *Domain* | Setting name: [EnableLogDroppedPackets][CSP-2]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets` |
| *Domain* | Setting name: [LogFilePath][CSP-5]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath` |
| *Domain* | Setting name: [EnableLogSuccessConnections][CSP-8]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogSuccessConnections` |
| *Domain* | Setting name: [LogMaxFileSize][CSP-11]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogMaxFileSize` |
| *Private* | Setting name: [EnableLogDroppedPackets][CSP-3]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets` |
| *Private* | Setting name: [LogFilePath][CSP-6]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath`|
| *Private* | Setting name: [EnableLogSuccessConnections][CSP-9]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogSuccessConnections` |
| *Private* | Setting name: [LogMaxFileSize][CSP-12]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogMaxFileSize` |
| *Public* | Setting name: [EnableLogDroppedPackets][CSP-4]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets` |
| *Public* | Setting name: [LogFilePath][CSP-7]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath`|
| *Public* | Setting name: [EnableLogSuccessConnections][CSP-10]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogSuccessConnections` |
| *Public* | Setting name: [LogMaxFileSize][CSP-13]<br>OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize` |
# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
1. Expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**
1. In the details pane, in the **Overview** section, select **Windows Defender Firewall Properties**
1. For each network location type (*Domain*, *Private*, *Public*), perform the following steps
1. Select the tab that corresponds to the network location type
1. Under **Logging**, select **Customize**
1. The default path for the log is `%windir%\system32\logfiles\firewall\pfirewall.log`. If you want to change this path, clear the **Not configured** check box and enter the path to the new location, or select **Browse** to select a file location
1. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and enter the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
1. No logging occurs until you set one of following two options:
- To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**
- To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**
1. Select **OK** twice
[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
---
> [!IMPORTANT]
> The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file.
## Recommendations
Here are some recommendations for configuring Windows Firewall logging:
- Change the logging size to at least **20,480 KB (20 MB)** to ensure that the log file doesn't fill up too quickly. The maximum log size is 32,768 KB (32 MB)
- For each profile (Domain, Private, and Public) change the default log file name from `%windir%\system32\logfiles\firewall\pfirewall.log` to:
- `%windir%\system32\logfiles\firewall\pfirewall_Domain.log`
- `%windir%\system32\logfiles\firewall\pfirewall_Private.log`
- `%windir%\system32\logfiles\firewall\pfirewall_Public.log`
- Log dropped packets to **Yes**
- Log successful connections to **Yes**
On a single system, you can use the following commands to configure logging:
```cmd
netsh advfirewall>set allprofiles logging allowedconnections enable
netsh advfirewall>set allprofiles logging droppedconnections enable
```
## Parsing methods
There are several methods to parse the Windows Firewall log files. For example:
- Enable *Windows Event Forwarding* (WEF) to a *Windows Event Collector* (WEC). To learn more, see [Use Windows Event Forwarding to help with intrusion detection][WIN-1]
- Forward the logs to your SIEM product such as our Azure Sentinel. To learn more, see [Windows Firewall connector for Microsoft Sentinel][AZ-1]
- Forward the logs to Azure Monitor and use KQL to parse the data. To learn more, see [Azure Monitor agent on Windows client devices][AZ-2]
> [!TIP]
> If logs are slow to appear in your SIEM solution, you can decrease the log file size. Just beware that the downsizing results in more resource usage due to the increased log rotation.
## Troubleshoot if the log file is not created or modified
Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition might occur include:
- Missing permissions for the *Windows Defender Firewall Service* (`mpssvc`) on the folder or on the log files
- You want to store the log files in a different folder and the permissions are missing, or aren't set automatically
- if firewall logging is configured via policy settings, it can happen that
- the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist
- the log folder in a custom path doesn't exist
In both cases, you must create the folder manually or via script, and add the permissions for `mpssvc`.
```PowerShell
New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall
```
Verify if `mpssvc` has *FullControl* on the folder and the files. From an elevated PowerShell session, use the following commands, ensuring to use the correct path:
```PowerShell
$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
```
The output should show `NT SERVICE\mpssvc` having *FullControl*:
```PowerShell
IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags
----------------- ---------------- ----------------- ----------- ----------------
NT AUTHORITY\SYSTEM FullControl Allow False ObjectInherit
BUILTIN\Administrators FullControl Allow False ObjectInherit
NT SERVICE\mpssvc FullControl Allow False ObjectInherit
```
If not, add *FullControl* permissions for `mpssvc` to the folder, subfolders and files. Make sure to use the correct path.
```PowerShell
$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
$NewAcl = Get-Acl -Path $LogPath
$identity = "NT SERVICE\mpssvc"
$fileSystemRights = "FullControl"
$inheritanceFlags = "ContainerInherit,ObjectInherit"
$propagationFlags = "None"
$type = "Allow"
$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $inheritanceFlags, $propagationFlags, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
$NewAcl.SetAccessRule($fileSystemAccessRule)
Set-Acl -Path $LogPath -AclObject $NewAcl
```
Restart the device to restart the *Windows Defender Firewall* service.
<!--links-->
[INT-1]: /mem/intune/configuration/custom-settings-windows-10
[CSP-1]: /windows/client-management/mdm/firewall-csp
[AZ-1]: /azure/sentinel/data-connectors/windows-firewall
[INT]: https://go.microsoft.com/fwlink/?linkid=2109431
[MEM-1]: /mem/intune/configuration/settings-catalog
[WIN-1]: /windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
[AZ-2]: /azure/azure-monitor/agents/azure-monitor-agent-windows-client
[CSP-2]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets
[CSP-3]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets
[CSP-4]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets
[CSP-5]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath
[CSP-6]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath
[CSP-7]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath
[CSP-8]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogsuccessconnections
[CSP-9]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogsuccessconnections
[CSP-10]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogsuccessconnections
[CSP-11]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogmaxfilesize
[CSP-12]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogmaxfilesize
[CSP-13]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogmaxfilesize


@ -1,94 +0,0 @@
---
title: Configure the Windows Defender Firewall Log
description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
---
# Configure the Windows Defender Firewall with Advanced Security Log
To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
## To configure the Windows Defender Firewall with Advanced Security log
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
3. For each network location type (Domain, Private, Public), perform the following steps.
1. Click the tab that corresponds to the network location type.
2. Under **Logging**, click **Customize**.
3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this path, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
> [!IMPORTANT]
> The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
5. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
6. No logging occurs until you set one of following two options:
- To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
- To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
7. Click **OK** twice.
### Troubleshoot if the log file is not created or modified
Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition might occur include:
- missing permissions for the Windows Defender Firewall Service (MpsSvc) on the folder or on the log files
- you want to store the log files in a different folder and the permissions were removed, or haven't been set automatically
- if firewall logging is configured via policy settings, it can happen that
- the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist
- the log folder in a custom path doesn't exist
In both cases, you must create the folder manually or via script, and add the permissions for MpsSvc
If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existent folder is configured via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC.
```PowerShell
New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall
```
Verify if MpsSvc has *FullControl* on the folder and the files.
From an elevated PowerShell session, use the following commands, ensuring to use the correct path:
```PowerShell
$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
```
The output should show `NT SERVICE\mpssvc` having *FullControl*:
```PowerShell
IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags
----------------- ---------------- ----------------- ----------- ----------------
NT AUTHORITY\SYSTEM FullControl Allow False ObjectInherit
BUILTIN\Administrators FullControl Allow False ObjectInherit
NT SERVICE\mpssvc FullControl Allow False ObjectInherit
```
If not, add *FullControl* permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path.
```PowerShell
$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
$ACL = get-acl -Path $LogPath
$ACL.SetAccessRuleProtection($true, $false)
$RULE = New-Object System.Security.AccessControl.FileSystemAccessRule ("NT SERVICE\mpssvc","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$ACL.AddAccessRule($RULE)
```
Restart the device to restart the Windows Defender Firewall Service.
### Troubleshoot Slow Log Ingestion
If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation.


@ -1,114 +1,86 @@
--- ---
title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell title: Manage Windows Firewall with the command line
description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh.
ms.prod: windows-client
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/08/2021 ms.date: 11/21/2023
--- ---
# Windows Defender Firewall with Advanced Security Administration with Windows PowerShell # Manage Windows Firewall with the command line
This article provides examples how to manage Windows Firewall with PowerShell and `netsh.exe`, which can be used to automate the management of Windows Firewall.
The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. ## Set profile global defaults
You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them. Global defaults set the device behavior in a per-profile basis. Windows Firewall supports Domain, Private, and Public profiles.
In future versions of Windows, Microsoft might remove the netsh functionality for Windows Defender Firewall. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall. Windows Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't enforced, you might need to enable Windows Firewall. Here's how to enable Windows Firewall on a local device:
Windows PowerShell and netsh command references are at the following locations. # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
- [Netsh Commands for Windows Defender Firewall](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771920(v=ws.10))
## Scope
This guide doesn't teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It doesn't teach the fundamentals of Windows PowerShell, and it assumes that you're familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#other-resources) section of this guide.
## Audience and user requirements
This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you're familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell.
## In this topic
| Section | Description |
| - | - |
| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation|
| [Other resources](#other-resources) | More information about Windows PowerShell|
## <a href="" id="bkmk-profileglobaldefaults"></a>Set profile global defaults
Global defaults set the device behavior in a per-profile basis. Windows Defender Firewall supports Domain, Private, and Public profiles.
### Enable Windows Defender Firewall with Advanced Security
Windows Defender Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't being enforced, you may need to enable Windows Defender Firewall. Here's how to enable Windows Defender Firewall on a local domain device:
**Netsh**
``` syntax
netsh advfirewall set allprofiles state on
```
**Windows PowerShell**
```powershell ```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
``` ```
### Control Windows Defender Firewall with Advanced Security behavior # [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Defender Firewall with Advanced Security console. ``` cmd
netsh.exe advfirewall set allprofiles state on
```
---
### Control Windows Firewall behavior
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console.
The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
```cmd
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles settings inboundusernotification enable netsh advfirewall set allprofiles settings inboundusernotification enable
netsh advfirewall set allprofiles settings unicastresponsetomulticast enable netsh advfirewall set allprofiles settings unicastresponsetomulticast enable
netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
``` ```
Windows PowerShell ---
```powershell ### Disable Windows Firewall
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow NotifyOnListen True -AllowUnicastResponseToMulticast True LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
### Disable Windows Defender Firewall with Advanced Security Microsoft recommends that you don't disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
Disabling Windows Firewall can also cause problems, including:
Microsoft recommends that you don't disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
Disabling Windows Defender Firewall with Advanced Security can also cause problems, including:
- Start menu can stop working - Start menu can stop working
- Modern applications can fail to install or update - Modern applications can fail to install or update
- Activation of Windows via phone fails - Activation of Windows via phone fails
- Application or OS incompatibilities that depend on Windows Defender Firewall - Application or OS incompatibilities that depend on Windows Firewall
Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed. Microsoft recommends disabling Windows Firewall only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed.
If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
If disabling Windows Defender Firewall is required, don't disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft.
Stopping the Windows Defender Firewall service isn't supported by Microsoft. Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility.
Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility.
You shouldn't disable the firewall yourself for this purpose. You shouldn't disable the firewall yourself for this purpose.
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
For more information, see [Windows Firewall deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
The following example disables Windows Firewall for all profiles.
The proper method to disable the Windows Defender Firewall is to disable the Windows Defender Firewall Profiles and leave the service running. # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**.
For more information, see [Windows Defender Firewall with Advanced Security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
The following example disables Windows Defender Firewall for all profiles.
```powershell ```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
``` ```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
---
## Deploy basic firewall rules ## Deploy basic firewall rules
This section provides scriptlet examples for creating, modifying, and deleting firewall rules. This section provides scriptlet examples for creating, modifying, and deleting firewall rules.
@ -116,50 +88,49 @@ This section provides scriptlet examples for creating, modifying, and deleting f
### Create firewall rules ### Create firewall rules
Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently. Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently.
Here's an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately. Here's an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= %SystemRoot%\System32\tlntsvr.exe remoteip=localsubnet action=allow netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= %SystemRoot%\System32\tlntsvr.exe remoteip=localsubnet action=allow
``` ```
Windows PowerShell ---
```powershell
New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
```
The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the **New-NetFirewall** cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and the execution remains in effect until the Netsh session is ended or until another set store command is executed. The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the **New-NetFirewall** cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and the execution remains in effect until the Netsh session is ended or until another set store command is executed.
Here, **domain.contoso.com** is the name of your Active Directory Domain Services (AD DS), and **gpo\_name** is the name of the GPO that you want to modify. Quotation marks are required if there are any spaces in the GPO name. Here, **domain.contoso.com** is the name of your Active Directory Domain Services (AD DS), and **gpo\_name** is the name of the GPO that you want to modify. Quotation marks are required if there are any spaces in the GPO name.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block
``` ```
Windows PowerShell ---
```powershell
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe Protocol TCP LocalPort 23 -Action Block PolicyStore domain.contoso.com\gpo_name
```
### GPO Caching ### GPO Caching
To reduce the burden on busy domain controllers, Windows PowerShell allows you to load a GPO to your local session, make all your changes in that session, and then save it back at all once. To reduce the burden on busy domain controllers, Windows PowerShell allows you to load a GPO to your local session, make all your changes in that session, and then save it back at all once.
The following command performs the same actions as the previous example (by adding a Telnet rule to a GPO), but we do so by applying GPO caching in PowerShell. Changing the GPO by loading it onto your local session and using the *-GPOSession* parameter aren't supported in Netsh The following command performs the same actions as the previous example (by adding a Telnet rule to a GPO), but we do so by applying GPO caching in PowerShell. Changing the GPO by loading it onto your local session and using the *-GPOSession* parameter aren't supported in Netsh
Windows PowerShell
```powershell ```powershell
$gpo = Open-NetGPO PolicyStore domain.contoso.com\gpo_name $gpo = Open-NetGPO -PolicyStore domain.contoso.com\gpo_name
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe Protocol TCP LocalPort 23 -Action Block GPOSession $gpo New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\telnet.exe -Protocol TCP -LocalPort 23 -Action Block -GPOSession $gpo
Save-NetGPO GPOSession $gpo Save-NetGPO -GPOSession $gpo
``` ```
This command doesn't batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes. This command doesn't batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes.
@ -167,120 +138,105 @@ This command doesn't batch your individual changes, it loads and saves the entir
### Modify an existing firewall rule ### Modify an existing firewall rule
When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell, this identifier is specified with the *-Name* parameter). When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell, this identifier is specified with the *-Name* parameter).
For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule. For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
Set-NetFirewallRule -DisplayName "Allow Web 80" -RemoteAddress 192.168.0.2
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2 netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2
``` ```
Windows PowerShell ---
```powershell
Set-NetFirewallRule DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2
```
Netsh requires you to provide the name of the rule for it to be changed and we don't have an alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties. Netsh requires you to provide the name of the rule for it to be changed and we don't have an alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties.
When you run `Get-NetFirewallRule`, you may notice that common conditions like addresses and ports don't appear. These conditions are represented in separate objects called Filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you'll need to get the filter objects themselves. When you run `Get-NetFirewallRule`, you may notice that common conditions like addresses and ports don't appear. These conditions are represented in separate objects called Filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you'll need to get the filter objects themselves.
You can change the remote endpoint of the **Allow Web 80** rule (as done previously) using filter objects. Using Windows PowerShell, you query by port using the port filter, then assuming other rules exist affecting the local port, you build with further queries until your desired rule is retrieved. You can change the remote endpoint of the **Allow Web 80** rule (as done previously) using filter objects. Using Windows PowerShell, you query by port using the port filter, then assuming other rules exist affecting the local port, you build with further queries until your desired rule is retrieved.
In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShell's ability to pipeline inputs.
In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShells ability to pipeline inputs.
Windows PowerShell
```powershell ```powershell
Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction eq “Inbound” -and $_.Action eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction -eq "Inbound" -and $_.Action -eq "Allow"} | Set-NetFirewallRule -RemoteAddress 192.168.0.2
``` ```
You can also query for rules using the wildcard character. The following example returns an array of firewall rules associated with a particular program. The elements of the array can be modified in subsequent `Set-NetFirewallRule` cmdlets. You can also query for rules using the wildcard character. The following example returns an array of firewall rules associated with a particular program. The elements of the array can be modified in subsequent `Set-NetFirewallRule` cmdlets.
Windows PowerShell
```powershell ```powershell
Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule
``` ```
Multiple rules in a group can be simultaneously modified when the associated group name is specified in a Set command. You can add firewall rules to specified management groups in order to manage multiple rules that share the same influences. Multiple rules in a group can be simultaneously modified when the associated group name is specified in a Set command. You can add firewall rules to specified management groups in order to manage multiple rules that share the same influences.
In the following example, we add both inbound and outbound Telnet firewall rules to the group **Telnet Management**. In Windows PowerShell, group membership is specified when the rules are first created so we re-create the previous example rules. Adding rules to a custom rule group isn't possible in Netsh. In the following example, we add both inbound and outbound Telnet firewall rules to the group **Telnet Management**. In Windows PowerShell, group membership is specified when the rules are first created so we re-create the previous example rules. Adding rules to a custom rule group isn't possible in Netsh.
Windows PowerShell
```powershell ```powershell
New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management” New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow -Group "Telnet Management"
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management” New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow -Group "Telnet Management"
``` ```
If the group isn't specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You can't specify the group using `Set-NetFirewallRule` since the command allows querying by rule group. If the group isn't specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You can't specify the group using `Set-NetFirewallRule` since the command allows querying by rule group.
Windows PowerShell
```powershell ```powershell
$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet” $rule = Get-NetFirewallRule -DisplayName "Allow Inbound Telnet"
$rule.Group = “Telnet Management” $rule.Group = "Telnet Management"
$rule | Set-NetFirewallRule $rule | Set-NetFirewallRule
``` ```
With the help of the `Set` command, if the rule group name is specified, the group membership isn't modified but rather all rules of the group receive the same modifications indicated by the given parameters. With the help of the `Set` command, if the rule group name is specified, the group membership isn't modified but rather all rules of the group receive the same modifications indicated by the given parameters.
The following scriptlet enables all rules in a predefined group containing remote management influencing firewall rules. The following scriptlet enables all rules in a predefined group containing remote management influencing firewall rules.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax
netsh advfirewall firewall set rule group="Windows Defender Firewall remote management" new enable=yes
```
Windows PowerShell
```powershell ```powershell
Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” Enabled True Set-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Enabled True
``` ```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall firewall set rule group="Windows Firewall remote management" new enable=yes
```
---
There's also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule. There's also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule.
Windows PowerShell
```powershell ```powershell
Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose Enable-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Verbose
``` ```
### Delete a firewall rule ### Delete a firewall rule
Rule objects can be disabled so that they're no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This cmdlet is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device. Rule objects can be disabled so that they're no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This cmdlet is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device.
The following cmdlet deletes the specified existing firewall rule from the local policy store. The following cmdlet deletes the specified existing firewall rule from the local policy store.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax
netsh advfirewall firewall delete rule name=“Allow Web 80”
```
Windows PowerShell
```powershell ```powershell
Remove-NetFirewallRule DisplayName “Allow Web 80” Remove-NetFirewallRule -DisplayName "Allow Web 80"
``` ```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall firewall delete rule name="Allow Web 80"
```
---
Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the device. Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the device.
Windows PowerShell
```powershell ```powershell
Remove-NetFirewallRule Action Block Remove-NetFirewallRule -Action Block
``` ```
It may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules. It may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules.
Windows PowerShell
```powershell ```powershell
$x = Get-NetFirewallRule Action Block $x = Get-NetFirewallRule -Action Block
$x $x
$x[0-3] | Remove-NetFirewallRule $x[0-3] | Remove-NetFirewallRule
``` ```
@ -288,86 +244,76 @@ $x[0-3] | Remove-NetFirewallRule
## Manage remotely ## Manage remotely
Remote management using WinRM is enabled by default. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default. Remote management using WinRM is enabled by default. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default.
The following example returns all firewall rules of the persistent store on a device named **RemoteDevice**. The following example returns all firewall rules of the persistent store on a device named **RemoteDevice**.
Windows PowerShell
```powershell ```powershell
Get-NetFirewallRule CimSession RemoteDevice Get-NetFirewallRule -CimSession RemoteDevice
``` ```
We can perform any modifications or view rules on remote devices by using the *CimSession* parameter. Here we remove a specific firewall rule from a remote device. We can perform any modifications or view rules on remote devices by using the *-CimSession* parameter. Here we remove a specific firewall rule from a remote device.
Windows PowerShell
```powershell ```powershell
$RemoteSession = New-CimSession ComputerName RemoteDevice $RemoteSession = New-CimSession -ComputerName RemoteDevice
Remove-NetFirewallRule DisplayName “AllowWeb80” CimSession $RemoteSession -Confirm Remove-NetFirewallRule -DisplayName "AllowWeb80" -CimSession $RemoteSession -Confirm
``` ```
## Deploy basic IPsec rule settings ## Deploy basic IPsec rule settings
An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Defender Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples.
![object model for creating a single ipsec rule.](images/createipsecrule.gif) ![object model for creating a single ipsec rule.](images/createipsecrule.gif)
### Create IPsec rules ### Create IPsec rules
The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the console under Customize IPsec Defaults. The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the console under Customize IPsec Defaults.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
New-NetIPsecRule -DisplayName "Require Inbound Authentication" -PolicyStore domain.contoso.com\gpo_name
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout
``` ```
Windows PowerShell ---
```powershell
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name
```
### Add custom authentication methods to an IPsec rule ### Add custom authentication methods to an IPsec rule
If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](/previous-versions/windows/it-pro/windows-server-2003/cc757847(v=ws.10)). If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](/previous-versions/windows/it-pro/windows-server-2003/cc757847(v=ws.10)).
You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object. You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object.
![crypto set object.](images/qmcryptoset.gif) ![crypto set object.](images/qmcryptoset.gif)
In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method. In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP -AHHash SHA1 -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "ah:sha1+esp:sha1-des3" -Proposal $AHandESPQM -PolicyStore domain.contoso.com\gpo_name
New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name -PolicyStore domain.contoso.com\gpo_name
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall consec add rule name="Require Outbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des netsh advfirewall consec add rule name="Require Outbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des
``` ```
Windows PowerShell ---
```powershell
$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP AHHash SHA1 -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM PolicyStore domain.contoso.com\gpo_name
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name PolicyStore domain.contoso.com\gpo_name
```
### IKEv2 IPsec transport rules ### IKEv2 IPsec transport rules
A corporate network may need to secure communications with another agency. But, you discover the agency runs non-Windows operating systems and requires the use of the Internet Key Exchange Version 2 (IKEv2) standard. A corporate network may need to secure communications with another agency. But, you discover the agency runs non-Windows operating systems and requires the use of the Internet Key Exchange Version 2 (IKEv2) standard.
You can apply IKEv2 capabilities in Windows Server 2012 by specifying IKEv2 as the key module in an IPsec rule. This capability specification can only be done using computer certificate authentication and can't be used with phase-2 authentication. You can apply IKEv2 capabilities in Windows Server 2012 by specifying IKEv2 as the key module in an IPsec rule. This capability specification can only be done using computer certificate authentication and can't be used with phase-2 authentication.
Windows PowerShell
```powershell ```powershell
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 RemoteAddress $nonWindowsGateway New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 -RemoteAddress $nonWindowsGateway
``` ```
For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md). For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md).
@ -375,105 +321,90 @@ For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec C
### Copy an IPsec rule from one policy to another ### Copy an IPsec rule from one policy to another
Firewall and IPsec rules with the same rule properties can be duplicated to simplify the task of re-creating them within different policy stores. Firewall and IPsec rules with the same rule properties can be duplicated to simplify the task of re-creating them within different policy stores.
To copy the previously created rule from one policy store to another, the associated objects must also be copied separately. There's no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets. To copy the previously created rule from one policy store to another, the associated objects must also be copied separately. There's no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets.
Copying individual rules is a task that isn't possible through the Netsh interface. Here's how you can accomplish it with Windows PowerShell. Copying individual rules is a task that isn't possible through the Netsh interface. Here's how you can accomplish it with Windows PowerShell.
Windows PowerShell
```powershell ```powershell
$Rule = Get-NetIPsecRule DisplayName “Require Inbound Authentication” $Rule = Get-NetIPsecRule -DisplayName "Require Inbound Authentication"
$Rule | Copy-NetIPsecRule NewPolicyStore domain.costoso.com\new_gpo_name $Rule | Copy-NetIPsecRule -NewPolicyStore domain.costoso.com\new_gpo_name
$Rule | Copy-NetPhase1AuthSet NewPolicyStore domain.costoso.com\new_gpo_name $Rule | Copy-NetPhase1AuthSet -NewPolicyStore domain.costoso.com\new_gpo_name
``` ```
### Handling Windows PowerShell errors ### Handling Windows PowerShell errors
To handle errors in your Windows PowerShell scripts, you can use the *ErrorAction* parameter. This parameter is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you'll notice that it fails if the rule isn't found. When rules are being removed, if the rule isnt already there, it's acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation. To handle errors in your Windows PowerShell scripts, you can use the *-ErrorAction* parameter. This parameter is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you'll notice that it fails if the rule isn't found. When rules are being removed, if the rule isn't already there, it's acceptable to ignore that error. In this case, you can do the following to suppress any "rule not found" errors during the remove operation.
Windows PowerShell
```powershell ```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98” ErrorAction SilentlyContinue Remove-NetFirewallRule -DisplayName "Contoso Messenger 98" -ErrorAction SilentlyContinue
``` ```
The use of wildcards can also suppress errors, but they could potentially match rules that you didn't intend to remove. These wildcards can be a useful shortcut, but should only be used if you know there arent any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any “not found” errors. The use of wildcards can also suppress errors, but they could potentially match rules that you didn't intend to remove. These wildcards can be a useful shortcut, but should only be used if you know there aren't any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any "not found" errors.
Windows PowerShell
```powershell ```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98*” Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*"
``` ```
When using wildcards, if you want to double-check the set of rules that is matched, you can use the *WhatIf* parameter. When using wildcards, if you want to double-check the set of rules that is matched, you can use the *-WhatIf* parameter.
Windows PowerShell
```powershell ```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98*” WhatIf Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -WhatIf
``` ```
If you only want to delete some of the matched rules, you can use the *Confirm* parameter to get a rule-by-rule confirmation prompt. If you only want to delete some of the matched rules, you can use the *-Confirm* parameter to get a rule-by-rule confirmation prompt.
Windows PowerShell
```powershell ```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98*” Confirm Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -Confirm
``` ```
You can also just perform the whole operation, displaying the name of each rule as the operation is performed. You can also just perform the whole operation, displaying the name of each rule as the operation is performed.
Windows PowerShell
```powershell ```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98*” Verbose Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -Verbose
``` ```
### Monitor ### Monitor
The following Windows PowerShell commands are useful in the update cycle of a deployment phase. The following Windows PowerShell commands are useful in the update cycle of a deployment phase.
To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command doesn't show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain that is included in the rule. The following command examples will show the IPsec rules in all profiles. To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command doesn't show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain that is included in the rule. The following command examples will show the IPsec rules in all profiles.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
Show-NetIPsecRule -PolicyStore ActiveStore
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall consec show rule name=all netsh advfirewall consec show rule name=all
``` ```
Windows PowerShell ---
```powershell
Show-NetIPsecRule PolicyStore ActiveStore
```
You can monitor main mode security associations for information such as which peers are currently connected to the device and which protection suite is used to form the security associations. You can monitor main mode security associations for information such as which peers are currently connected to the device and which protection suite is used to form the security associations.
Use the following cmdlet to view existing main mode rules and their security associations: Use the following cmdlet to view existing main mode rules and their security associations:
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax
netsh advfirewall monitor show mmsa all
```
Windows PowerShell
```powershell ```powershell
Get-NetIPsecMainModeSA Get-NetIPsecMainModeSA
``` ```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall monitor show mmsa all
```
---
### Find the source GPO of a rule ### Find the source GPO of a rule
To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as **NotConfigured**, you can determine which policy store a rule originates from. To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as **NotConfigured**, you can determine which policy store a rule originates from.
For objects that come from a GPO (the *-PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *-TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field.
For objects that come from a GPO (the *PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field.
Windows PowerShell
```powershell ```powershell
Get-NetIPsecRule DisplayName “Require Inbound Authentication” TracePolicyStore Get-NetIPsecRule -DisplayName "Require Inbound Authentication" -TracePolicyStore
``` ```
It's important to note that the revealed sources don't contain a domain name. It's important to note that the revealed sources don't contain a domain name.
@ -481,146 +412,140 @@ It's important to note that the revealed sources don't contain a domain name.
### Deploy a basic domain isolation policy ### Deploy a basic domain isolation policy
IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain-joined devices positively establish the identities of the communicating devices to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object. IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain-joined devices positively establish the identities of the communicating devices to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object.
To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that isn't protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this authentication, you can isolate domain-joined devices from devices that aren't joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic. To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that isn't protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this authentication, you can isolate domain-joined devices from devices that aren't joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax
netsh advfirewall set store gpo=domain.contoso.com\domain_isolation
netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profile=domain endpoint1=”any” endpoint2=”any” action=requireinrequestout auth1=”computerkerb”
```
Windows PowerShell
```powershell ```powershell
$kerbprop = New-NetIPsecAuthProposal Machine Kerberos $kerbprop = New-NetIPsecAuthProposal -Machine -Kerberos
$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop PolicyStore domain.contoso.com\domain_isolation $Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop -PolicyStore domain.contoso.com\domain_isolation
New-NetIPsecRule DisplayName “Basic Domain Isolation Policy” Profile Domain Phase1AuthSet $Phase1AuthSet.Name InboundSecurity Require OutboundSecurity Request PolicyStore domain.contoso.com\domain_isolation New-NetIPsecRule -DisplayName "Basic Domain Isolation Policy" -Profile Domain -Phase1AuthSet $Phase1AuthSet.Name -InboundSecurity Require -OutboundSecurity Request -PolicyStore domain.contoso.com\domain_isolation
``` ```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall set store gpo=domain.contoso.com\domain_isolation
netsh advfirewall consec add rule name="Basic Domain Isolation Policy" profile=domain endpoint1="any" endpoint2="any" action=requireinrequestout auth1="computerkerb"
```
---
### Configure IPsec tunnel mode ### Configure IPsec tunnel mode
The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it's encrypted by using ESP/DES3. The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it's encrypted by using ESP/DES3.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax
netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des
```
Windows PowerShell
```powershell ```powershell
$QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3 $QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet DisplayName “esp:sha1-des3” -Proposal $QMProposal $QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "esp:sha1-des3" -Proposal $QMProposal
New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name New-NetIPSecRule -DisplayName "Tunnel from HQ to Dallas Branch" -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name
``` ```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des
```
---
## Deploy secure firewall rules with IPsec ## Deploy secure firewall rules with IPsec
In situations where only secure traffic can be allowed through the Windows Defender Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment.
### Create a secure firewall rule (allow if secure) ### Create a secure firewall rule (allow if secure)
Configuring firewalls rule to allow connections if they're secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec. Configuring firewalls rule to allow connections if they're secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec.
The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote device is authenticated by using a separate IPsec rule. The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote device is authenticated by using a separate IPsec rule.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
New-NetFirewallRule -DisplayName "Allow Authenticated Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in program=%SystemRoot%\System32\tlntsvr.exe security=authenticate action=allow netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in program=%SystemRoot%\System32\tlntsvr.exe security=authenticate action=allow
``` ```
Windows PowerShell ---
```powershell
New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow
```
The following command creates an IPsec rule that requires a first (computer) authentication and then attempts an optional second (user) authentication. Creating this rule secures and allows the traffic through the firewall rule requirements for the messenger program. The following command creates an IPsec rule that requires a first (computer) authentication and then attempts an optional second (user) authentication. Creating this rule secures and allows the traffic through the firewall rule requirements for the messenger program.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax
netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous
```
Windows PowerShell
```powershell ```powershell
$mkerbauthprop = New-NetIPsecAuthProposal -Machine Kerberos $mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos
$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” Proposal $mkerbauthprop,$mntlmauthprop $P1Auth = New-NetIPsecPhase1AuthSet -DisplayName "Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop
$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos $ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos
$unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM $unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM
$anonyauthprop = New-NetIPsecAuthProposal -Anonymous $anonyauthprop = New-NetIPsecAuthProposal -Anonymous
$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName “User Auth” -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop $P2Auth = New-NetIPsecPhase2AuthSet -DisplayName "User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop
New-NetIPSecRule -DisplayName “Authenticate Both Computer and User” -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name Phase2AuthSet $P2Auth.Name New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name -Phase2AuthSet $P2Auth.Name
``` ```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous
```
---
### Isolate a server by requiring encryption and group membership ### Isolate a server by requiring encryption and group membership
To improve the security of the devices in an organization, you can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of devices within the enterprise domain. To improve the security of the devices in an organization, you can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of devices within the enterprise domain.
IPsec can provide this extra layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping. IPsec can provide this extra layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping.
### Create a firewall rule that requires group membership and encryption ### Create a firewall rule that requires group membership and encryption
To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or devices on the IPsec rule that enforces authentication. To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or devices on the IPsec rule that enforces authentication.
The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called "Authorized to Access Server." This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters.
The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called “Authorized to Access Server.” This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters. A Security Descriptor Definition Language (SDDL) string is created by extending a user or group's security identifier (SID). For more information about finding a group's SID, see: [Finding the SID for a group account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)#bkmk_FINDSID).
Restricting access to a group allows administrations to extend strong authentication support through Windows Firewall and/or IPsec policies.
A Security Descriptor Definition Language (SDDL) string is created by extending a user or groups security identifier (SID). For more information about finding a groups SID, see: [Finding the SID for a group account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)#bkmk_FINDSID).
Restricting access to a group allows administrations to extend strong authentication support through Windows Defender Firewall and/or IPsec policies.
The following example shows you how to create an SDDL string that represents security groups. The following example shows you how to create an SDDL string that represents security groups.
Windows PowerShell
```powershell ```powershell
$user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”) $user = new-object System.Security.Principal.NTAccount ("corp.contoso.com\Administrators")
$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value $SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)" $secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)"
``` ```
By using the previous scriptlet, you can also get the SDDL string for a secure computer group as shown here: By using the previous scriptlet, you can also get the SDDL string for a secure computer group as shown here:
Windows PowerShell
```powershell ```powershell
$secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" $secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)"
``` ```
For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](/previous-versions/windows/it-pro/windows-powershell-1.0/ff730940(v=technet.10)). For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](/previous-versions/windows/it-pro/windows-powershell-1.0/ff730940(v=technet.10)).
Telnet is an application that doesn't provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This firewall rule is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application. Telnet is an application that doesn't provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This firewall rule is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application.
In this example, we allow only authenticated and encrypted inbound Telnet traffic from a specified secure user group through the creation of the following firewall rule. In this example, we allow only authenticated and encrypted inbound Telnet traffic from a specified secure user group through the creation of the following firewall rule.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax
netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation
netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Group Members Only” program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)"
```
Windows PowerShell
```powershell ```powershell
New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required RemoteUser $secureUserGroup PolicyStore domain.contoso.com\Server_Isolation New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required -RemoteUser $secureUserGroup -PolicyStore domain.contoso.com\Server_Isolation
``` ```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation
netsh advfirewall firewall add rule name="Allow Encrypted Inbound Telnet to Group Members Only" program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)"
```
---
### Endpoint security enforcement ### Endpoint security enforcement
The previous example showed end to end security for a particular application. In situations where endpoint security is required for many applications, having a firewall rule per application can be cumbersome and difficult to manage. Authorization can override the per-rule basis and be done at the IPsec layer. The previous example showed end to end security for a particular application. In situations where endpoint security is required for many applications, having a firewall rule per application can be cumbersome and difficult to manage. Authorization can override the per-rule basis and be done at the IPsec layer.
In this example, we set the global IPsec setting to only allow transport mode traffic to come from an authorized user group with the following cmdlet. Consult the previous examples for working with security groups. In this example, we set the global IPsec setting to only allow transport mode traffic to come from an authorized user group with the following cmdlet. Consult the previous examples for working with security groups.
Windows PowerShell
```powershell ```powershell
Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup
``` ```
@ -628,59 +553,19 @@ Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGr
### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass) ### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass)
Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This override is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)). Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This override is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)).
In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group. In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group.
**Netsh** # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
``` syntax ```powershell
New-NetFirewallRule -DisplayName "Inbound Secure Bypass Rule" -Direction Inbound -Authentication Required -OverrideBlockRules $true -RemoteMachine $secureMachineGroup -RemoteUser $secureUserGroup -PolicyStore domain.contoso.com\domain_isolation
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
``` cmd
netsh advfirewall set store gpo=domain.contoso.com\domain_isolation netsh advfirewall set store gpo=domain.contoso.com\domain_isolation
netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in security=authenticate action="bypass" rmtcomputergrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1114)" rmtusrgrp="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)" netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in security=authenticate action="bypass" rmtcomputergrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1114)" rmtusrgrp="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)"
``` ```
Windows PowerShell ---
```powershell
New-NetFirewallRule DisplayName “Inbound Secure Bypass Rule" Direction Inbound Authentication Required OverrideBlockRules $true -RemoteMachine $secureMachineGroup RemoteUser $secureUserGroup PolicyStore domain.contoso.com\domain_isolation
```
## Other resources
For more information about Windows PowerShell concepts, see the following topics.
- [Windows PowerShell Getting Started Guide](/powershell/scripting/overview)
- [Windows PowerShell User Guide](/powershell/scripting/overview)
- [Windows PowerShell About Help Topics](https://go.microsoft.com/fwlink/p/?linkid=113206)
- [about\_Functions](/powershell/module/microsoft.powershell.core/about/about_functions)
- [about\_Functions\_Advanced](/powershell/module/microsoft.powershell.core/about/about_functions_advanced)
- [about\_Execution\_Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies)
- [about\_Foreach](/powershell/module/microsoft.powershell.core/about/about_foreach)
- [about\_Objects](/powershell/module/microsoft.powershell.core/about/about_objects)
- [about\_Properties](/powershell/module/microsoft.powershell.core/about/about_properties)
- [about\_While](/powershell/module/microsoft.powershell.core/about/about_while)
- [about\_Scripts](/powershell/module/microsoft.powershell.core/about/about_scripts)
- [about\_Signing](/powershell/module/microsoft.powershell.core/about/about_signing)
- [about\_Throw](/powershell/module/microsoft.powershell.core/about/about_throw)
- [about\_PSSessions](/powershell/module/microsoft.powershell.core/about/about_pssessions)
- [about\_Modules](/powershell/module/microsoft.powershell.core/about/about_modules)
- [about\_Command\_Precedence](/powershell/module/microsoft.powershell.core/about/about_command_precedence)
 
 


@ -0,0 +1,178 @@
---
title: Configure firewall rules with group policy
description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
ms.topic: how-to
ms.date: 11/21/2023
---
# Configure rules with group policy
This article contains examples how to configure Windows Firewall rules using the *Windows Firewall with Advanced Security* console.
## Access the Windows Firewall with Advanced Security console
If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select <kbd>START</kbd>, type `wf.msc`, and press <kbd>ENTER</kbd>.
## Create an inbound ICMP rule
This type of rule allows ICMP requests and responses to be received by devices on the network. To create an inbound ICMP rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Inbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next**
1. On the **Program** page, select **All programs**, and then select **Next**
1. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each
1. Select **Customize**
1. In the **Customize ICMP Settings** dialog box, do one of the following:
- To allow all ICMP network traffic, select **All ICMP types**, and then select **OK**
- To select one of the predefined ICMP types, select **Specific ICMP types**, and then select each type in the list that you want to allow. Select **OK**
- To select an ICMP type that does not appear in the list, select **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, select **Add**, and then select the newly created entry from the list. Select **OK**
1. Select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Allow the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
## Create an inbound port rule
This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. To create an inbound port rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Inbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next**
> [!NOTE]
> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select **All programs**, and then select **Next**
> [!NOTE]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](#create-an-inbound-program-or-service-rule) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
1. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number
If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.\
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.\
When you have configured the protocols and ports, select **Next**.
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Allow the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
> [!NOTE]
> If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
## Create an outbound port rule
By default, Windows Firewall allows all outbound network traffic, unless it matches a rule that prohibits the traffic. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. To create an outbound port rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Outbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Outbound Rule wizard, select **Custom**, and then select **Next**
> [!NOTE]
> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select **All programs**, and then select **Next**
1. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this rule is an outbound rule, you typically configure only the remote port number
If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. When you've configured the protocols and ports, select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Block the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
## Create an inbound program or service rule
This type of rule allows the program to listen and receive inbound network traffic on any port.
> [!NOTE]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](#create-an-inbound-port-rule) procedure in addition to the steps in this procedure.
To create an inbound firewall rule for a program or service:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Inbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next**
> [!NOTE]
> Information the user should notice even if skimmingAlthough you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select **This program path**
1. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly.
1. Do one of the following:
- If the executable file contains a single program, select **Next**
- If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, select **Customize**, select **Apply to services only**, select **OK**, and then select **Next**
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, select **Apply to service with this service short name**, and then type the short name for the service in the text box. Select **OK**, and then select **Next**
> [!IMPORTANT]
> To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: `sc qsidtype <ServiceName>`
>
> If the result is `NONE`, then a firewall rule cannot be applied to that service.
To set a SID type on a service, run the following command: `sc sidtype <ServiceName> <Type>`
In the preceding command, the value of `<Type>` can be `UNRESTRICTED` or `RESTRICTED`. Although the command also permits the value of `NONE`, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as `UNRESTRICTED`. If you change the SID type to `RESTRICTED`, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to `UNRESTRICTED`.
1. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](#create-an-inbound-port-rule). After you have configured the protocol and port options, select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Allow the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
## Create an outbound program or service rule
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. This type of rule prevents the program from sending any outbound network traffic on any port. To create an outbound firewall rule for a program or service:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Outbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Outbound Rule Wizard, select **Custom**, and then select **Next**
> [!NOTE]
> Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select **This program path**
1. Type the path to the program in the text box. Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly
1. Do one of the following:
- If the executable file contains a single program, select **Next**
- If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, select **Customize**, select **Apply to services only**, select **OK**, and then select **Next**
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then select **Apply to service with this service short name**, and type the short name for the service in the text box. Select **OK**, and then select **Next**
1. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](#create-an-outbound-port-rule). When you have configured the protocol and port options, select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Block the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
## Create inbound rules to support RPC
To allow inbound remote procedure call (RPC) network traffic, you must create two firewall rules:
- the first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service
- the second rule allows the network traffic that is sent to the dynamically assigned port number
Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
### RPC Endpoint Mapper service
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Inbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next**
1. On the **Program** page, select **This Program Path**, and then type `%systemroot%\system32\svchost.exe`
1. Select **Customize**.
1. In the **Customize Service Settings** dialog box, select **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, select **OK**, and then select **Next**
1. On the warning about Windows service-hardening rules, select **Yes**
1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**
1. For **Local port**, select **RPC Endpoint Mapper**, and then select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Allow the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
### RPC-enabled network services
1. On the same GPO you edited in the preceding procedure, select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next**
1. On the **Program** page, select **This Program Path**, and then type the path to the executable file that hosts the network service. Select **Customize**
1. In the **Customize Service Settings** dialog box, select **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then select **Apply to service with this service short name**, and then type the short name of the service in the text box
1. Select **OK**, and then select **Next**
1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**
1. For **Local port**, select **RPC Dynamic Ports**, and then select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Allow the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**


@ -1,56 +0,0 @@
---
title: Create an Inbound ICMP Rule
description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
---
# Create an Inbound ICMP Rule
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see:
- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
To create an inbound ICMP rule
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
5. On the **Program** page, click **All programs**, and then click **Next**.
6. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each.
7. Click **Customize**.
8. In the **Customize ICMP Settings** dialog box, do one of the following:
- To allow all ICMP network traffic, click **All ICMP types**, and then click **OK**.
- To select one of the predefined ICMP types, click **Specific ICMP types**, and then select each type in the list that you want to allow. Click **OK**.
- To select an ICMP type that does not appear in the list, click **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, click **Add**, and then select the newly created entry from the list. Click **OK**
9. Click **Next**.
10. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
11. On the **Action** page, select **Allow the connection**, and then click **Next**.
12. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
13. On the **Name** page, type a name and description for your rule, and then click **Finish**.


@ -1,64 +0,0 @@
---
title: Create an Inbound Port Rule
description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client
ms.collection:
- highpri
- tier3
- must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
# Create an Inbound Port Rule
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall
with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see:
- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
**To create an inbound port rule**
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
> [!Note]
> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **All programs**, and then click **Next**.
> [!Note]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number.
If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.
When you have configured the protocols and ports, click **Next**.
7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
8. On the **Action** page, select **Allow the connection**, and then click **Next**.
9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
> [!Note]
> If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
10. On the **Name** page, type a name and description for your rule, and then click **Finish**.


@ -1,65 +0,0 @@
---
title: Create an Inbound Program or Service Rule
description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
---
# Create an Inbound Program or Service Rule
To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create an inbound firewall rule for a program or service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **This program path**.
6. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly.
7. Do one of the following:
- If the executable file contains a single program, click **Next**.
- If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**.
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**.
**Important**  
To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command:
**sc** **qsidtype** *&lt;ServiceName&gt;*
If the result is **NONE**, then a firewall rule cannot be applied to that service.
To set a SID type on a service, run the following command:
**sc** **sidtype** *&lt;ServiceName&gt; &lt;Type&gt;*
In the preceding command, the value of *&lt;Type&gt;* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**.
8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**.
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
10. On the **Action** page, select **Allow the connection**, and then click **Next**.
11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
12. On the **Name** page, type a name and description for your rule, and then click **Finish**.


@ -1,46 +0,0 @@
---
title: Create an Outbound Port Rule
description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
---
# Create an Outbound Port Rule
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create an outbound port rule
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Outbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Outbound Rule wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **All programs**, and then click **Next**.
6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this rule is an outbound rule, you typically configure only the remote port number.
If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it.
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.
When you've configured the protocols and ports, click **Next**.
7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
8. On the **Action** page, select **Block the connection**, and then click **Next**.
9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
10. On the **Name** page, type a name and description for your rule, and then click **Finish**.


@ -1,50 +0,0 @@
---
title: Create an Outbound Program or Service Rule
description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
---
# Create an Outbound Program or Service Rule
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create an outbound firewall rule for a program or service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Outbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Outbound Rule Wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **This program path**.
6. Type the path to the program in the text box. Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly.
7. Do one of the following:
- If the executable file contains a single program, click **Next**.
- If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**.
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**.
8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](create-an-outbound-port-rule.md). When you have configured the protocol and port options, click **Next**.
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
10. On the **Action** page, select **Block the connection**, and then click **Next**.
11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
12. On the **Name** page, type a name and description for your rule, and then click **Finish**.


@ -1,83 +0,0 @@
---
title: Create Inbound Rules to Support RPC
description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
---
# Create Inbound Rules to Support RPC
To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see:
- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
In this topic:
- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service)
- [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services)
## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
5. On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**.
6. Click **Customize**.
7. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**.
8. On the warning about Windows service-hardening rules, click **Yes**.
9. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**.
10. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**.
11. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
12. On the **Action** page, select **Allow the connection**, and then click **Next**.
13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.  
14. On the **Name** page, type a name and description for your rule, and then click **Finish**.
## To create a rule to allow inbound network traffic to RPC-enabled network services
1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**.
2. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**.
4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box.
5. Click **OK**, and then click **Next**.
6. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**.
7. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**.
8. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
9. On the **Action** page, select **Allow the connection**, and then click **Next**.
10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
11. On the **Name** page, type a name and description for your rule, and then click **Finish**.


@ -1,110 +0,0 @@
---
title: Create Windows Firewall rules in Intune
description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
ms.topic: conceptual
ms.date: 11/07/2023
---
# Create Windows Firewall rules in Intune
>[!IMPORTANT]
>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
To get started, Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type.
Select Windows Defender Firewall.
:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Intune admin center.":::
>[!IMPORTANT]
>A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
## Firewall rule components
The firewall rule configurations in Intune use the Windows CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp).
## Application
Control connections for an app or program.
Apps and programs can be specified either file path, package family name, or Windows service short name.
The file path of an app is its location on the client device.
For example, C:\Windows\System\Notepad.exe.
[Learn more](/windows/client-management/mdm/firewall-csp#filepath)
Package family names can be retrieved by running the Get-AppxPackage command from PowerShell.
[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell)
Windows service short names are used in cases when a service, not an application, is sending or receiving traffic.
Default is All.
[Learn more](/windows/client-management/mdm/firewall-csp#servicename)
## Protocol
Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol.
Default is Any.
[Learn more](/windows/client-management/mdm/firewall-csp#protocol)
## Local ports
Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All.
[Learn more](/windows/client-management/mdm/firewall-csp#localportranges)
## Remote ports
Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All.
[Learn more](/windows/client-management/mdm/firewall-csp#remoteportranges)
## Local addresses
Comma-separated list of local addresses covered by the rule. Valid tokens include:
- `*` indicates any local address. If present, this token must be the only one included
- A subnet can be specified using either the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask default is 255.255.255.255
- A valid IPv6 address
- An IPv4 address range in the format of "start address-end address" with no spaces included
- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address
[Learn more](/windows/client-management/mdm/firewall-csp#localaddressranges)
## Remote addresses
List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include:
- `*` indicates any remote address. If present, this token must be the only one included
- Defaultgateway
- DHCP
- DNS
- WINS
- Intranet
- RmtIntranet
- Internet
- Ply2Renders
- LocalSubnet indicates any local address on the local subnet
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255
- A valid IPv6 address
- An IPv4 address range in the format of "start address-end address" with no spaces included
- An IPv6 address range in the format of "start address-end address" with no spaces included
Default is Any address
[Learn more](https://aka.ms/intunefirewallremotaddressrule)
## Edge traversal (UI coming soon)
Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time.
[Learn more](/windows/client-management/mdm/firewall-csp#edgetraversal)
## Authorized users
Specifies the list of authorized local users for this rule. A list of authorized users can't be specified if the rule being authored is targeting a Windows service. Default is all users.
[Learn more](/windows/client-management/mdm/firewall-csp#localuserauthorizedlist)
## Configuring firewall rules programmatically
Coming soon.


@ -1,41 +0,0 @@
---
title: Designing a Windows Defender Firewall Strategy
description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
---
# Designing a Windows Defender Firewall with Advanced Security Strategy
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.
- [Gathering the Information You Need](gathering-the-information-you-need.md)
- [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design.
- What traffic must always be allowed? What are characteristics of the network traffic generated and consumed by the business programs?
- What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs?
- What traffic on the network can't be protected by IPsec because the devices or devices sending or receiving the traffic don't support IPsec?
- For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required?
- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you don't, then you can't use Group Policy for easy mass deployment of your firewall and connection security rules. You also can't easily take advantage of Kerberos V5 authentication that all domain clients can use.
- Which devices must be able to accept unsolicited inbound connections from devices that aren't part of the domain?
- Which devices contain data that must be encrypted when exchanged with another computer?
- Which devices contain sensitive data to which access must be restricted to authorized users and devices?
- Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall?
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
**Next:** [Gathering the Information You Need](gathering-the-information-you-need.md)


@ -1,21 +1,19 @@
--- ---
title: Filter origin audit log improvements title: Filter origin audit log
description: Filter origin documentation audit log improvements description: Learn about Windows Firewall and filter origin audit log to troubleshoot packet drops.
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 11/07/2023 ms.date: 11/21/2023
--- ---
# Filter origin audit log improvements # Filter origin audit log
Debugging packet drops is a continuous issue to Windows customers. In the past, customers had limited information about packet drops. When investigating packet drop events, you can use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits `5157` or `5152`.
Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152.
![Event properties.](images/event-properties-5157.png) ![Event properties.](images/event-properties-5157.png)
The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This change in ID makes the diagnosis process error-prone and difficult. The *filter ID* uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. The change in ID makes the diagnosis process error-prone and difficult.
For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin. The blocking filters can be categorized under these filter origins: To debug packet drop events correctly and efficiently, you need more context about the blocking filter, such as its origin. The blocking filters can be categorized under these filter origins:
1. Firewall rules 1. Firewall rules
1. Firewall default block filters 1. Firewall default block filters
@ -27,17 +25,14 @@ For customers to debug packet drop events correctly and efficiently, they would
1. Universal Windows Platform (UWP) default 1. Universal Windows Platform (UWP) default
1. Windows Service Hardening (WSH) default 1. Windows Service Hardening (WSH) default
The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases. The next section describes the improvements made to audits `5157` and `5152` in Windows 11 and Windows Server 2022, and how the filter origins are used in these events.
## Improved firewall audit ## Improved firewall audit
The two new fields added to the audit 5157 and 5152 events are `Filter Origin` and `Interface Index`. Starting in Windows 11 and Windows Server 2022, two new fields added to the audit `5157` and `5152` events are *Filter Origin* and *Interface Index*:
The `Filter Origin` field helps identify the cause of the drop. Packet drops from firewall are explicitly dropped by default block filters created by the Windows Firewall service or a firewall rule that may be created by users, policies, services, apps, etc. - The *Filter Origin* field helps identify the cause of the drop. Packet drops from firewall are explicitly dropped by default block filters created by the Windows Firewall service or a firewall rule that may be created by users, policies, services, apps, etc. Filter Origin` specifies either the *rule ID* (a unique identifier of a Firewall rule) or the name of one of the default block filters
- The *Interface Index* field specifies the network interface in which the packet was dropped. This field helps to identify which interface was quarantined, if the *Filter Origin* is a *Quarantine Default*
`Filter Origin` specifies either the rule ID (a unique identifier of a Firewall rule) or the name of one of the default block filters.
The `Interface Index` field specifies the network interface in which the packet was dropped. This field helps to identify which interface was quarantined, if the `Filter Origin` is a `Quarantine Default`.
To enable a specific audit event, run the corresponding command in an administrator command prompt: To enable a specific audit event, run the corresponding command in an administrator command prompt:
@ -48,11 +43,11 @@ To enable a specific audit event, run the corresponding command in an administra
## Example flow of debugging packet drops with filter origin ## Example flow of debugging packet drops with filter origin
As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop, and the interface it happened on. As the audit surfaces *Filter Origin* and *Interface Index*, the network admin can determine the root cause of the network packet drop, and the interface it happened on.
![Event audit.](images/event-audit-5157.png) ![Event audit.](images/event-audit-5157.png)
The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**. The next sections are divided by *Filter Origin* type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, [Firewall default block filters](#firewall-default-block-filters).
## Firewall rules ## Firewall rules
@ -65,20 +60,19 @@ Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} "
![Firewall rule.](images/firewallrule.png) ![Firewall rule.](images/firewallrule.png)
After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule's `DisplayName`. After identifying the rule that caused the drop, the network admin can modify or disable the rule to allow the traffic they want through one of the available [tools](tools.md). The network admin can find the rule in the UI with the rule's *DisplayName*.
>[!NOTE] >[!NOTE]
> Firewall rules from Mobile Device Management (MDM) store cannot be searched using the Windows Defender UI. Additionally, the above method will not work when the `Filter Origin` is one of the default block filters, as they do not correspond to any firewall rules. > Firewall rules from Mobile Device Management (MDM) store cannot be searched using the Windows Firewall UI. Additionally, the above method doesn't work when the *Filter Origin* is one of the default block filters, as they don't correspond to any firewall rules.
## Firewall default block filters ## Firewall default block filters
### AppContainer loopback ### AppContainer loopback
Network drop events from the AppContainer loopback block filter origin occur when localhost loopback isn't enabled properly for the Universal Windows Platform (UWP) app. Network drop events from the AppContainer loopback block filter origin occur when localhost loopback isn't enabled properly for the Universal Windows Platform (UWP) app:
To enable localhost loopback in a local debugging environment, see [Communicating with localhost](/windows/iot-core/develop-your-app/loopback). - To enable localhost loopback in a local debugging environment, see [Communicating with localhost](/windows/iot-core/develop-your-app/loopback)
- To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged Win32 app, see [uap4:LoopbackAccessRules](/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules)
To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged Win32 app, see [uap4:LoopbackAccessRules](/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules).
### Boot time default ### Boot time default
@ -92,11 +86,8 @@ Run the following PowerShell command to generate more information about the inte
```Powershell ```Powershell
Get-NetIPInterface -InterfaceIndex <Interface Index> Get-NetIPInterface -InterfaceIndex <Interface Index>
Get-NetIPInterface -InterfaceIndex 5
``` ```
![Quarantine default block filter.](images/quarantine-default-block-filter.png)
To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md). To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md).
>[!NOTE] >[!NOTE]
@ -115,11 +106,7 @@ To generate a list of all the query user block rules, you can run the following
Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} Get-NetFirewallRule | Where {$_.Name -like "*Query User*"}
``` ```
![Query user default block filter.](images/query-user-default-block-filters.png) The query user pop-up feature is enabled by default. To disable the query user pop-up, you can run the following command in administrative command prompt:
The query user pop-up feature is enabled by default.
To disable the query user pop-up, you can run the following command in administrative command prompt:
```cmd ```cmd
Netsh set allprofiles inboundusernotification disable Netsh set allprofiles inboundusernotification disable


@ -1,31 +0,0 @@
---
title: Troubleshooting Windows Firewall settings after a Windows upgrade
description: Firewall settings lost on upgrade
ms.topic: troubleshooting
ms.date: 11/07/2023
---
# Troubleshooting Windows Firewall settings after a Windows upgrade
Use this article to troubleshoot firewall settings that are turned off after upgrading to a new version of Windows.
## Rule groups
To help you organize your list, individual built-in firewall rules are categorized within a group. For example, the following rules form part of the Remote Desktop group.
- Remote Desktop - Shadow (TCP-In)
- Remote Desktop - User Mode (TCP-In)
- Remote Desktop - User-Mode (UDP-In)
Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows administrators to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this filtering by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch.
```Powershell
Get-NetFirewallRule -Group <groupName>
```
> [!NOTE]
> Microsoft recommends to enable or disable an entire group instead of individual rules.
Microsoft recommends that you enable/disable all of the rules within a group instead of one or two individual rules. This recommendation is because groups aren't only used to organize rules and allow batch rule modification by type, but they also represent a 'unit' by which rule state is maintained across a Windows upgrade. Rule groups, as opposed to individual rules, are the unit by which the update process determines what should be enabled/disabled when the upgrade is complete.
For example, the Remote Desktop group consists of three rules. To ensure that the rule set is properly migrated during an upgrade, all three rules must be enabled. If only one rule is enabled, the upgrade process will see that two of three rules are disabled and then disable the entire group to maintain a clean, out-of-the-box configuration. This scenario has the unintended consequence of breaking Remote Desktop Protocol (RDP) connectivity to the host.


@ -2,9 +2,7 @@
title: Hyper-V firewall title: Hyper-V firewall
description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP). description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP).
ms.topic: how-to ms.topic: how-to
ms.date: 11/08/2023 ms.date: 11/21/2023
author: paolomatarazzo
ms.author: paoloma
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
--- ---


@ -0,0 +1,9 @@
<svg width="20" height="17" viewBox="0 0 20 17" fill="none" xmlns="http://www.w3.org/2000/svg">
<rect x="0.90909" y="1.88889" width="18.1818" height="14.1667" fill="black"/>
<path d="M4.45117 6.87549C4.30957 6.93245 4.17204 6.97477 4.03857 7.00244C3.90674 7.03011 3.76921 7.04395 3.62598 7.04395C3.39648 7.04395 3.19303 7.01058 3.01562 6.94385C2.83984 6.87549 2.69092 6.77458 2.56885 6.64111C2.4484 6.50765 2.35645 6.34245 2.29297 6.14551C2.23112 5.94694 2.2002 5.71663 2.2002 5.45459C2.2002 5.18604 2.23438 4.94759 2.30273 4.73926C2.37109 4.5293 2.46875 4.3527 2.5957 4.20947C2.72266 4.06462 2.87646 3.95475 3.05713 3.87988C3.23942 3.80339 3.44368 3.76514 3.66992 3.76514C3.74316 3.76514 3.81152 3.76676 3.875 3.77002C3.9401 3.77327 4.00358 3.77979 4.06543 3.78955C4.12728 3.79769 4.18994 3.80908 4.25342 3.82373C4.31689 3.83838 4.38281 3.8571 4.45117 3.87988V4.47559C4.31283 4.41048 4.18099 4.3641 4.05566 4.33643C3.93034 4.30876 3.81641 4.29492 3.71387 4.29492C3.5625 4.29492 3.43311 4.32259 3.32568 4.37793C3.21826 4.43164 3.12956 4.50814 3.05957 4.60742C2.99121 4.70508 2.94076 4.82227 2.9082 4.95898C2.87565 5.09408 2.85938 5.243 2.85938 5.40576C2.85938 5.57829 2.87565 5.73291 2.9082 5.86963C2.94238 6.00472 2.99447 6.11947 3.06445 6.21387C3.13444 6.30827 3.22396 6.3807 3.33301 6.43115C3.44206 6.47998 3.57145 6.50439 3.72119 6.50439C3.7749 6.50439 3.83268 6.49951 3.89453 6.48975C3.95801 6.47835 4.02148 6.46452 4.08496 6.44824C4.15007 6.43034 4.21354 6.40999 4.27539 6.38721C4.33887 6.36279 4.39746 6.33838 4.45117 6.31396V6.87549ZM6.12354 4.49512C6.18538 4.49512 6.24316 4.50651 6.29688 4.5293C6.35059 4.55208 6.39697 4.58382 6.43604 4.62451C6.4751 4.66357 6.50602 4.70996 6.52881 4.76367C6.5516 4.81738 6.56299 4.87435 6.56299 4.93457C6.56299 4.99642 6.5516 5.0542 6.52881 5.10791C6.50602 5.16162 6.4751 5.20801 6.43604 5.24707C6.39697 5.28613 6.35059 5.31706 6.29688 5.33984C6.24316 5.36263 6.18538 5.37402 6.12354 5.37402C6.06169 5.37402 6.00391 5.36263 5.9502 5.33984C5.89811 5.31706 5.85173 5.28613 5.81104 5.24707C5.77197 5.20801 5.74105 5.16162 5.71826 5.10791C5.69548 5.0542 5.68408 4.99642 5.68408 4.93457C5.68408 4.87435 5.69548 4.81738 5.71826 
4.76367C5.74105 4.70996 5.77197 4.66357 5.81104 4.62451C5.85173 4.58382 5.89811 4.55208 5.9502 4.5293C6.00391 4.50651 6.06169 4.49512 6.12354 4.49512ZM6.12354 6.17725C6.18538 6.17725 6.24316 6.18864 6.29688 6.21143C6.35059 6.23421 6.39697 6.26514 6.43604 6.3042C6.4751 6.34326 6.50602 6.38965 6.52881 6.44336C6.5516 6.49707 6.56299 6.55404 6.56299 6.61426C6.56299 6.67611 6.5516 6.73389 6.52881 6.7876C6.50602 6.84131 6.4751 6.88851 6.43604 6.9292C6.39697 6.96826 6.35059 6.99919 6.29688 7.02197C6.24316 7.04476 6.18538 7.05615 6.12354 7.05615C6.06169 7.05615 6.00391 7.04476 5.9502 7.02197C5.89811 6.99919 5.85173 6.96826 5.81104 6.9292C5.77197 6.88851 5.74105 6.84131 5.71826 6.7876C5.69548 6.73389 5.68408 6.67611 5.68408 6.61426C5.68408 6.55404 5.69548 6.49707 5.71826 6.44336C5.74105 6.38965 5.77197 6.34326 5.81104 6.3042C5.85173 6.26514 5.89811 6.23421 5.9502 6.21143C6.00391 6.18864 6.06169 6.17725 6.12354 6.17725ZM8.36719 3.55029L10.0737 7.5249H9.49268L7.78857 3.55029H8.36719ZM10.2471 8.00098V7.52979H12.9961V8.00098H10.2471ZM12.9961 8.00098V7.52979H15.7451V8.00098H12.9961Z" fill="white"/>
<rect x="0.90909" y="0.944443" width="18.1818" height="1.88889" fill="#D9D9D9"/>
<rect x="17.2727" y="0.944443" width="0.909091" height="0.944444" fill="#605E5C"/>
<rect x="15.4545" y="0.944443" width="0.909091" height="0.944444" fill="#605E5C"/>
<rect x="13.6364" y="0.944443" width="0.909091" height="0.944444" fill="#605E5C"/>
<rect x="0.5" y="0.5" width="19" height="16" stroke="#CDCDCD"/>
</svg>





@ -0,0 +1,3 @@
<svg width="14" height="19" viewBox="0 0 14 19" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M0.583311 19C0.425331 19 0.288617 18.9412 0.17317 18.8237C0.0577235 18.7062 0 18.5671 0 18.4063V1.78174C0 1.54054 0.0455712 1.31171 0.136714 1.09524C0.227856 0.878776 0.352417 0.690142 0.510397 0.529339C0.668377 0.368536 0.856738 0.238657 1.07548 0.139702C1.29422 0.0407464 1.51904 -0.00563901 1.74993 0.000545711H8.74966C8.98663 0.000545711 9.21145 0.0469311 9.42412 0.139702C9.63678 0.232473 9.82211 0.359259 9.98009 0.520062C10.1381 0.680865 10.2657 0.872591 10.3629 1.09524C10.4601 1.31789 10.5057 1.54673 10.4996 1.78174V7.12534H12.2495C12.4865 7.12534 12.7113 7.17173 12.924 7.2645C13.1366 7.35727 13.322 7.48405 13.48 7.64486C13.6379 7.80566 13.7655 7.99739 13.8627 8.22004C13.96 8.44269 14.0055 8.67152 13.9995 8.90654V18.4063C13.9995 18.5671 13.9417 18.7062 13.8263 18.8237C13.7108 18.9412 13.5741 19 13.4162 19H0.583311ZM1.16662 17.8125H3.49987V14.8439C3.49987 14.6831 3.55759 14.5439 3.67304 14.4264C3.78848 14.3089 3.9252 14.2501 4.08318 14.2501H9.91629C10.0743 14.2501 10.211 14.3089 10.3264 14.4264C10.4419 14.5439 10.4996 14.6831 10.4996 14.8439V17.8125H12.8328V8.90654C12.8328 8.74574 12.7751 8.60658 12.6597 8.48907C12.5442 8.37156 12.4075 8.31281 12.2495 8.31281H9.91629C9.75831 8.31281 9.62159 8.25405 9.50615 8.13654C9.3907 8.01903 9.33298 7.87988 9.33298 7.71907V1.78174C9.33298 1.62094 9.27525 1.48179 9.1598 1.36428C9.04436 1.24677 8.90764 1.18801 8.74966 1.18801H1.74993C1.59195 1.18801 1.45524 1.24677 1.33979 1.36428C1.22435 1.48179 1.16662 1.62094 1.16662 1.78174V17.8125ZM2.33324 4.45354C2.33324 4.20615 2.41831 3.99587 2.58844 3.8227C2.75857 3.64953 2.96516 3.56294 3.20821 3.56294C3.45126 3.56294 3.65785 3.64953 3.82798 3.8227C3.99811 3.99587 4.08318 4.20615 4.08318 4.45354C4.08318 4.70093 3.99811 4.91121 3.82798 5.08438C3.65785 5.25756 3.45126 5.34414 3.20821 5.34414C2.96516 5.34414 2.75857 5.25756 2.58844 5.08438C2.41831 4.91121 2.33324 4.70093 2.33324 4.45354ZM5.83311 4.45354C5.83311 4.20615 5.91818 3.99587 6.08831 3.8227C6.25844 3.64953 6.46503 
3.56294 6.70808 3.56294C6.95112 3.56294 7.15771 3.64953 7.32784 3.8227C7.49798 3.99587 7.58304 4.20615 7.58304 4.45354C7.58304 4.70093 7.49798 4.91121 7.32784 5.08438C7.15771 5.25756 6.95112 5.34414 6.70808 5.34414C6.46503 5.34414 6.25844 5.25756 6.08831 5.08438C5.91818 4.91121 5.83311 4.70093 5.83311 4.45354ZM2.33324 8.01594C2.33324 7.76855 2.41831 7.55827 2.58844 7.3851C2.75857 7.21193 2.96516 7.12534 3.20821 7.12534C3.45126 7.12534 3.65785 7.21193 3.82798 7.3851C3.99811 7.55827 4.08318 7.76855 4.08318 8.01594C4.08318 8.26333 3.99811 8.47361 3.82798 8.64678C3.65785 8.81995 3.45126 8.90654 3.20821 8.90654C2.96516 8.90654 2.75857 8.81995 2.58844 8.64678C2.41831 8.47361 2.33324 8.26333 2.33324 8.01594ZM5.83311 8.01594C5.83311 7.76855 5.91818 7.55827 6.08831 7.3851C6.25844 7.21193 6.46503 7.12534 6.70808 7.12534C6.95112 7.12534 7.15771 7.21193 7.32784 7.3851C7.49798 7.55827 7.58304 7.76855 7.58304 8.01594C7.58304 8.26333 7.49798 8.47361 7.32784 8.64678C7.15771 8.81995 6.95112 8.90654 6.70808 8.90654C6.46503 8.90654 6.25844 8.81995 6.08831 8.64678C5.91818 8.47361 5.83311 8.26333 5.83311 8.01594ZM2.33324 11.5783C2.33324 11.3309 2.41831 11.1207 2.58844 10.9475C2.75857 10.7743 2.96516 10.6877 3.20821 10.6877C3.45126 10.6877 3.65785 10.7743 3.82798 10.9475C3.99811 11.1207 4.08318 11.3309 4.08318 11.5783C4.08318 11.8257 3.99811 12.036 3.82798 12.2092C3.65785 12.3824 3.45126 12.4689 3.20821 12.4689C2.96516 12.4689 2.75857 12.3824 2.58844 12.2092C2.41831 12.036 2.33324 11.8257 2.33324 11.5783ZM5.83311 11.5783C5.83311 11.3309 5.91818 11.1207 6.08831 10.9475C6.25844 10.7743 6.46503 10.6877 6.70808 10.6877C6.95112 10.6877 7.15771 10.7743 7.32784 10.9475C7.49798 11.1207 7.58304 11.3309 7.58304 11.5783C7.58304 11.8257 7.49798 12.036 7.32784 12.2092C7.15771 12.3824 6.95112 12.4689 6.70808 12.4689C6.46503 12.4689 6.25844 12.3824 6.08831 12.2092C5.91818 12.036 5.83311 11.8257 5.83311 11.5783ZM9.33298 11.5783C9.33298 11.3309 9.41804 11.1207 9.58817 10.9475C9.75831 10.7743 9.9649 
10.6877 10.2079 10.6877C10.451 10.6877 10.6576 10.7743 10.8277 10.9475C10.9978 11.1207 11.0829 11.3309 11.0829 11.5783C11.0829 11.8257 10.9978 12.036 10.8277 12.2092C10.6576 12.3824 10.451 12.4689 10.2079 12.4689C9.9649 12.4689 9.75831 12.3824 9.58817 12.2092C9.41804 12.036 9.33298 11.8257 9.33298 11.5783ZM4.66649 15.4376V17.8125H6.41642V15.4376H4.66649ZM7.58304 15.4376V17.8125H9.33298V15.4376H7.58304Z" fill="#5489d7"/>
</svg>



@ -0,0 +1,3 @@
<svg width="42" height="40" viewBox="0 0 42 40" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M27.27 21C27.03 21 26.78 20.96 26.54 20.88C25.6 20.57 25 19.73 25 18.75V15.94C22.74 15.58 21 13.61 21 11.25V4.75C21 2.13 23.13 0 25.75 0H37.25C39.87 0 42 2.13 42 4.75V11.25C42 13.87 39.87 16 37.25 16H32.13L29.05 20.1C28.61 20.68 27.96 21 27.27 21ZM13 23.5C8.86 23.5 5.5 20.14 5.5 16C5.5 11.86 8.86 8.5 13 8.5C17.14 8.5 20.5 11.86 20.5 16C20.5 20.14 17.14 23.5 13 23.5ZM0 30.79C0 30.88 0.15 40 13 40C25.85 40 26 30.88 26 30.79V29.75C26 27.68 24.32 26 22.25 26H3.75C1.68 26 0 27.68 0 29.75V30.79Z" fill="#0078D4"/>
</svg>




@ -0,0 +1,3 @@
<svg width="18" height="14" viewBox="0 0 18 14" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M2.25 10.5V5.77865C1.91602 5.70573 1.61133 5.57812 1.33594 5.39583C1.06055 5.21354 0.823242 4.99479 0.624023 4.73958C0.424805 4.48437 0.272461 4.19271 0.166992 3.86458C0.0615234 3.53646 0.00585938 3.19922 0 2.85286C0 2.4579 0.0761719 2.08724 0.228516 1.74089C0.380859 1.39453 0.585937 1.09375 0.84375 0.838542C1.10156 0.583333 1.40039 0.379774 1.74023 0.227865C2.08008 0.0759549 2.4375 0 2.8125 0C3.1875 0 3.54492 0.0729167 3.88477 0.21875C4.22461 0.364583 4.52344 0.568142 4.78125 0.829427C5.03906 1.09071 5.24414 1.39453 5.39648 1.74089C5.54883 2.08724 5.625 2.4579 5.625 2.85286C5.625 3.2053 5.57227 3.54253 5.4668 3.86458C5.36133 4.18663 5.20898 4.47526 5.00977 4.73047C4.81055 4.98568 4.57324 5.20747 4.29785 5.39583C4.02246 5.5842 3.71484 5.71181 3.375 5.77865V10.5H6.75V5.25C6.75 5.06771 6.81445 4.91884 6.94336 4.80339L10.8809 1.30339C10.9863 1.21224 11.1094 1.16667 11.25 1.16667C11.3906 1.16667 11.5137 1.21224 11.6191 1.30339L15.5566 4.80339C15.6855 4.91884 15.75 5.06771 15.75 5.25V10.5H17.4375C17.5898 10.5 17.7217 10.5577 17.833 10.6732C17.9443 10.7886 18 10.9253 18 11.0833C18 11.2413 17.9443 11.378 17.833 11.4935C17.7217 11.6089 17.5898 11.6667 17.4375 11.6667H0.5625C0.410156 11.6667 0.27832 11.6089 0.166992 11.4935C0.0556641 11.378 0 11.2413 0 11.0833C0 10.9253 0.0556641 10.7886 0.166992 10.6732C0.27832 10.5577 0.410156 10.5 0.5625 10.5H2.25ZM2.8125 4.66667C3.04102 4.66667 3.25781 4.62109 3.46289 4.52995C3.66797 4.4388 3.84668 4.31424 3.99902 4.15625C4.15137 3.99826 4.27441 3.8099 4.36816 3.59115C4.46191 3.3724 4.50586 3.14757 4.5 2.91667C4.5 2.67969 4.45605 2.45486 4.36816 2.24219C4.28027 2.02951 4.16016 1.84418 4.00781 1.6862C3.85547 1.52821 3.67383 1.40061 3.46289 1.30339C3.25195 1.20616 3.03516 1.16059 2.8125 1.16667C2.58398 1.16667 2.36719 1.21224 2.16211 1.30339C1.95703 1.39453 1.77832 1.5191 1.62598 1.67708C1.47363 1.83507 1.35059 2.02344 1.25684 2.24219C1.16309 2.46094 1.11914 2.68576 1.125 2.91667C1.125 3.15365 1.16895 3.37847 1.25684 
3.59115C1.34473 3.80382 1.46484 3.98915 1.61719 4.14714C1.76953 4.30512 1.95117 4.43273 2.16211 4.52995C2.37305 4.62717 2.58984 4.67274 2.8125 4.66667ZM11.25 2.51562L7.875 5.51432V10.5H14.625V5.51432L11.25 2.51562ZM17.4375 12.8333C17.5898 12.8333 17.7217 12.8911 17.833 13.0065C17.9443 13.122 18 13.2587 18 13.4167C18 13.5747 17.9443 13.7114 17.833 13.8268C17.7217 13.9423 17.5898 14 17.4375 14H0.5625C0.410156 14 0.27832 13.9423 0.166992 13.8268C0.0556641 13.7114 0 13.5747 0 13.4167C0 13.2587 0.0556641 13.122 0.166992 13.0065C0.27832 12.8911 0.410156 12.8333 0.5625 12.8333H17.4375Z" fill="#5489d7"/>
</svg>



@ -0,0 +1,3 @@
<svg width="19" height="14" viewBox="0 0 19 14" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M0 7.01818V1.36364C0 1.17576 0.0371094 1 0.111328 0.836364C0.185547 0.672727 0.284505 0.527273 0.408203 0.4C0.531901 0.272727 0.677246 0.175758 0.844238 0.109091C1.01123 0.0424242 1.19368 0.00606061 1.3916 0H12.8584C13.0316 0 13.1955 0.030303 13.3501 0.0909091C13.5047 0.151515 13.647 0.236364 13.7769 0.345455C13.9067 0.454545 14.0088 0.581818 14.083 0.727273C14.1572 0.872727 14.2098 1.0303 14.2407 1.2H15.5117C15.9941 1.2 16.4456 1.29394 16.8662 1.48182C17.2868 1.6697 17.6579 1.92424 17.9795 2.24545C18.3011 2.56667 18.5485 2.93636 18.7217 3.35455C18.8949 3.77273 18.9876 4.21818 19 4.69091C19 5.15758 18.9103 5.6 18.731 6.01818C18.5516 6.43636 18.3011 6.80909 17.9795 7.13636C17.6579 7.46364 17.2899 7.71818 16.8755 7.9C16.4611 8.08182 16.0065 8.17576 15.5117 8.18182H14.1479C14.049 8.73939 13.8882 9.2697 13.6655 9.77273C13.4429 10.2758 13.1676 10.7455 12.8398 11.1818C12.512 11.6182 12.141 12.0061 11.7266 12.3455C11.3122 12.6848 10.8576 12.9818 10.3628 13.2364C9.868 13.4909 9.35156 13.6788 8.81348 13.8C8.27539 13.9212 7.71257 13.9879 7.125 14C6.4694 14 5.83854 13.9182 5.23242 13.7545C4.6263 13.5909 4.05729 13.3545 3.52539 13.0455C2.99349 12.7364 2.51416 12.3727 2.0874 11.9545C1.66064 11.5364 1.28955 11.0667 0.974121 10.5455C0.658691 10.0242 0.420573 9.4697 0.259766 8.88182C0.0989583 8.29394 0.0123698 7.67273 0 7.01818ZM13.0625 7.01818V1.36364C13.0625 1.30909 13.0439 1.26364 13.0068 1.22727C12.9697 1.19091 12.9202 1.1697 12.8584 1.16364H1.3916C1.33594 1.16364 1.28955 1.18182 1.25244 1.21818C1.21533 1.25455 1.19368 1.30303 1.1875 1.36364V7.01818C1.1875 7.82424 1.34212 8.57879 1.65137 9.28182C1.96061 9.98485 2.38428 10.603 2.92236 11.1364C3.46045 11.6697 4.08822 12.0848 4.80566 12.3818C5.52311 12.6788 6.29622 12.8303 7.125 12.8364C7.94759 12.8364 8.71761 12.6848 9.43506 12.3818C10.1525 12.0788 10.7834 11.6636 11.3276 11.1364C11.8719 10.6091 12.2956 9.99394 12.5986 9.29091C12.9017 8.58788 13.0563 7.8303 13.0625 7.01818ZM15.4839 7.01818C15.8055 7.01818 16.1055 
6.95455 16.3838 6.82727C16.6621 6.7 16.9095 6.5303 17.126 6.31818C17.3424 6.10606 17.5094 5.86061 17.627 5.58182C17.7445 5.30303 17.8063 5.00606 17.8125 4.69091C17.8125 4.38182 17.7507 4.08788 17.627 3.80909C17.5033 3.5303 17.3363 3.28182 17.126 3.06364C16.9157 2.84545 16.6714 2.67576 16.3931 2.55455C16.1147 2.43333 15.8117 2.3697 15.4839 2.36364H14.25V7.01818H15.4839Z" fill="#5489d7"/>
</svg>


