Add sections include files

.openpublishing.redirection.json

@@ -20842,7 +20842,7 @@
     },
     {
       "source_path": "windows/security/operating-system.md",
-      "redirect_url": "/windows/security/operating-system-security/operating-system",
+      "redirect_url": "/windows/security/operating-system-security",
       "redirect_document_id": false
     },
     {

windows/security/includes/sections/application-application-control-overview.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Application Control features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|
+|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
+|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Application Control features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
+|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/application-application-isolation-overview.md

@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Application Isolation features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|❌|Yes|
+|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
+|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Application Isolation features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|Yes|Yes|Yes|
+|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
+|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
+|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/application.md

@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+## Application Control
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[User Account Control (UAC)](https://learn.microsoft.com/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.  |
+| **[Windows Defender Application Control (WDAC)](https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** |  |
+| **[Smart App Control](https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they are using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
+
+## Application Isolation
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protect user's desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigations in an anonymous and isolated Hyper-V based container which is separate from the host operating system. With Enterprise mode you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container which is separate from the host operating system. |
+| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons will have a small shield if Application Guard has been enabled and they are under protection. |
+| **[Microsoft Defender Application Guard (MDAG) configure via MDM](https://learn.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
+| **[Windows containers](https://learn.microsoft.com/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they do not own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host is not allowed. As a result, malware or infected apps have limited footprint for escape. |
+| **[Windows Sandbox](https://learn.microsoft.com/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |

windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md

@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Protecting Your Work Information features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
+|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
+|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|
+|[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Protecting Your Work Information features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
+|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
+|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|Yes|
+|[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|

windows/security/includes/sections/cloud-services-update-overview.md

@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Update features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|❌|Yes|
+|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Update features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|Yes|❌|❌|
+|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/cloud-services.md

@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+## Protecting Your Work Information
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](https://learn.microsoft.com/azure/active-directory/devices/concept-azure-ad-join)** |  |
+| **[Security baselines](https://learn.microsoft.com/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. Windows 11 can be configured with Microsoft’s MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Remote wipe](https://learn.microsoft.com/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A help desk agent might also want to reset devices to fix issues encountered by remote workers. Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations: 1) Reset the device and remove user accounts and data. 2) Reset the device and clean the drive. 3) Reset the device but persist user accounts and data. |
+| **[Manage by Mobile Device Management (MDM) and group policy](https://learn.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** |  |
+| **[Universal Print](https://learn.microsoft.com/universal-print/)** |  |
+
+## Update
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Autopatch](https://learn.microsoft.com/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise. The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors.  |
+| **[Windows Autopilot](https://learn.microsoft.com/windows/deployment/windows-autopilot)** |  |

windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Hardware Root-Of-Trust features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|
+|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Hardware Root-Of-Trust features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|Yes|
+|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md

@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Silicon Assisted Security (Secured Kernel) features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|
+|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
+|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
+|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|Yes|
+|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
+|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
+|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/hardware.md

@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+## Hardware Root-Of-Trust
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Defender System Guard](https://learn.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)** |  |
+| **[Trusted Platform Module (TPM) 2.0](https://learn.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.  Starting with Windows 10, Microsoft’s hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
+| **[Microsoft Pluton security processor](https://learn.microsoft.com/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0 or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard. In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton enabled Windows 11 devices are available and the selection of options with Pluton is growing.  |
+
+## Silicon Assisted Security (Secured Kernel)
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Virtualization-based security (VBS)](https://learn.microsoft.com/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS) also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected.  Starting with Windows 10,  all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows. With new installs of Windows 11, OS support for VBS & HVCI is automatically turned on by default for all devices that meet modern CPU, RAM, 64G space in SSD etc and other pre-requirements  |
+| **[Hypervisor-protected Code Integrity (HVCI)](https://learn.microsoft.com/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel mode code such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn’t been tampered with before it is allowed to run. HVCI helps ensure that only validated code can be executed in kernel-mode.  Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows. With new installs of Windows 11, OS support for VBS & HVCI is automatically turned on by default for all devices that meet modern CPU, RAM, 64G space in SSD etc and other pre-requirements  |
+| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
+| **[Secured-core PC](https://learn.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](https://learn.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn’t present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. |

windows/security/includes/sections/identity-advanced-credential-protection-overview.md

@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Advanced Credential Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|
+|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|
+|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|
+|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|
+|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|❌|Yes|
+|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Advanced Credential Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|Yes|
+|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|Yes|
+|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|Yes|Yes|Yes|
+|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/identity-passwordless-sign-in-overview.md

@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Passwordless Sign In features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|
+|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|
+|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|
+|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|
+|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|Yes|Yes|
+|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Passwordless Sign In features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|Yes|
+|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|Yes|
+|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|Yes|
+|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|❌|Yes|Yes|
+|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/identity.md

@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+## Passwordless Sign In
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Hello for Business](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business)** |  |
+| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you’re working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
+| **[Windows Hello for Business Enhanced Security Sign-in (ESS) ](https://learn.microsoft.com/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in. Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process. Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more.  For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft issued certificate to protect and securely store user authentication data.   For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. For facial recognition, Enhanced Sign-in Security is supported by Intel USB and AMD USB processor/camera combinations including specific modules from manufacturers. Intel MIPI is supported starting with version Windows 11 2022 Update.  |
+| **[Fast Identity Online (FIDO2) security key](https://learn.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
+| **[Federated sign-in](https://learn.microsoft.com/education/windows/federated-sign-in)** | Windows 11 supports federated sign in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign in through methods like QR codes or pictures. |
+| **[Smart Cards for Windows Service](https://learn.microsoft.com/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
+
+## Advanced Credential Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows LAPS](https://learn.microsoft.com/windows-server/identity/laps/laps-overview)** |  |
+| **[Account Lockout Policy](https://learn.microsoft.com/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** |  |
+| **[Enhanced phishing protection with SmartScreen](https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | People who are still using passwords can benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when you enter your Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if your credentials are at risk. Because you are alerted at the moment of potential credential theft, you can take pre-emptive action before your password is used against you or your organization. |
+| **[Access Control (ACLs/SCALS)](https://learn.microsoft.com/windows/security/identity-protection/access-control/access-control)** | Access control in Windows help ensure that shared resources are available to users and groups in addition to the resource owner and are protected from unauthorized use. IT administrators can manage users’, groups’, and computers’ access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions. Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
+| **[Windows Defender Credential Guard](https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard)** |  |
+| **[Windows Defender Remote Credential Guard](https://learn.microsoft.com/windows/security/identity-protection/remote-credential-guard)** |  |

windows/security/includes/sections/operating-system-data-protection-overview.md

@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Data Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|Yes|Yes|Yes|Yes|
+|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|
+|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|
+|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|❌|Yes|
+|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Data Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|❌|Yes|Yes|Yes|Yes|
+|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|Yes|
+|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|Yes|Yes|Yes|
+|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/operating-system-modern-device-management-overview.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Modern Device Management features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|
+|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|
+|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Modern Device Management features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|Yes|
+|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|Yes|
+|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/operating-system-network-security-overview.md

@@ -0,0 +1,36 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Network Security features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|
+|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|
+|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|
+|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|
+|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|
+|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|
+|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|❌|Yes|
+|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|❌|Yes|
+|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|
+|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Network Security features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|Yes|
+|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|Yes|
+|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|Yes|
+|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|Yes|
+|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|Yes|
+|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|Yes|Yes|Yes|
+|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|Yes|Yes|Yes|
+|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/operating-system-system-security-overview.md

@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all System Security features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|
+|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|
+|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all System Security features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|Yes|
+|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|Yes|
+|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md

@@ -0,0 +1,34 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Virus And Threat Protection features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|
+|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|
+|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|
+|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|
+|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|
+|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|
+|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Virus And Threat Protection features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|Yes|
+|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|Yes|
+|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|Yes|
+|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|Yes|
+|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|Yes|
+|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|❌|❌|Yes|❌|Yes|

windows/security/includes/sections/operating-system.md

@@ -0,0 +1,61 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+## System Security
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Secure Boot and Trusted Boot](https://learn.microsoft.com/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. |
+| **[Measured boot](https://learn.microsoft.com/windows/compatibility/measured-boot)** |  |
+| **[Device health attestation service](https://learn.microsoft.com/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Endpoint Manager reviews device health and connects this information with Azure Active Directory for conditional access. |
+
+## Virus And Threat Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Microsoft Defender Antivirus](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus, includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware.  |
+| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user’s identity. Verification processes include Local Security Authority (LSA) which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft. LSA protection will be enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM/GP.  |
+| **[Attack surface reduction (ASR)](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as 1) Launching executable files and scripts that attempt to download or run files 2) Running obfuscated or otherwise suspicious scripts 3) Performing behaviors that apps don’t usually initiate during normal day-to-day work. |
+| **[Tamper protection settings for MDE](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** |  |
+| **[Microsoft Vulnerable Driver Blocklist](https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to Windows 11 2022 Update, Windows enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Beginning with Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs and users can opt-in to enforce the policy from the Windows Security app. |
+| **[Controlled folder access](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to  specific folders. Only trusted apps can access protected folders, which are specified when  controlled folder access is configured. Typically, commonly used folders, such as those used  for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the  list of trusted software work as expected. Apps that are not included in the trusted list are  prevented from making any changes to files inside protected folders. Controlled folder access helps protect user’s valuable data from malicious apps and threats,  such as ransomware.  |
+| **[Exploit protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use Group Policy in Azure Active Directory to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
+| **[Microsoft Defender SmartScreen](https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location. IT can customize which notifications appear through Microsoft Endpoint Manager. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. Because Windows 11 comes with these enhancements already built-in and enabled, users have extra security from the moment they turn on their device. |
+| **[Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents 1) Endpoint behavioral sensors, 2) Cloud security analytics 3) Threat intelligence 4) Rich response capabilities. |
+
+## Network Security
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Transport layer security (TLS)](https://learn.microsoft.com/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
+| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | "The current security standard for Wi-Fi Authentication is WPA3 which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows support 3 WPA3 modes – WPA3 personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B   Window includes WPA3 personal with the new H2E protocol, and WPA3 Enterprise 192-bit Suite B   Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication " |
+| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots.  |
+| **[Windows Firewall](https://learn.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Security is an important part of a layered security model. It provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Win 11 Firewall offers the following benefits 1) Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. 2) Safeguards sensitive data and intellectual property: With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. 3) Extends the value of existing investments: Windows Firewall is a host based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual Private Network (VPN)](https://learn.microsoft.com/windows/security/identity-protection/vpn/vpn-guide)** | Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways. In Windows 11 we’ve integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane users can see the status of their VPN, start and stop the VPN tunnels, and with one click can go to the modern Settings app for more control. For E3 customers you have the option to have this always on by default.  |
+| **[Always On VPN (device tunnel)](https://learn.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/)** |  |
+| **[Direct Access](https://learn.microsoft.com/windows-server/remote/remote-access/directaccess/directaccess)** |  |
+| **[Server Message Block (SMB) file service](https://learn.microsoft.com/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. SMB and file services are the most common Windows workload in the commercial and public sector ecosystem. In Windows 11, the SMB protocol has significant security updates to meet today’s threats, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and entirely new scenario, SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption. |
+| **[Server Message Block Direct (SMB Direct)](https://learn.microsoft.com/windows-server/storage/file-server/smb-direct)** | In Windows 11 Enterprise, Education, and Pro Workstation, SMB Direct now supports encryption. For demanding workloads like video rendering, data science, or extremely large files, you can now operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
+
+## Data Protection
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[BitLocker management](https://learn.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** |  |
+| **[BitLocker enablement](https://learn.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune using a configuration service provider (CSP). BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
+| **[Encrypted hard drive](https://learn.microsoft.com/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives. By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. Encrypted hard drives enable 1) Smooth performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate without performance degradation. 2) Strong security based in hardware: Encryption is always “on” and the keys for encryption never leave the hard drive. The drive authenticates users independently from the operating system before it unlocks. 3) Ease of use: Encryption is transparent to the user and the user does not need to enable it. Encrypted hard drives are easily erased using an on-board encryption key; there is no need to re-encrypt data on the drive. 4) Lower cost of ownership: There is no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. |
+| **[Personal data encryption (PDE)](https://learn.microsoft.com/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. Windows Hello for Business, either with PIN or biometrics (Face or Fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.  |
+| **[Email Encryption (S/MIME)](https://learn.microsoft.com/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. These encrypted messages can be sent by a user to people within their organization as well as external contacts if they have proper encryption certificates. |
+
+## Modern Device Management
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Windows Security policy settings and auditing](https://learn.microsoft.com/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies IT administrators can use to help protect Windows devices and other resources in your organization. Security settings policies are rules you can configure on a device, or multiple devices, to control - User authentication to a network or device, Resources users are permitted to access, Whether to record a user’s or group’s actions in the event log, Membership in a group.  |
+| **[Secured-core configuration lock](https://learn.microsoft.com/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.  |
+| **[Assigned Access (kiosk mode)](https://learn.microsoft.com/windows/configuration/kiosk-methods)** |  |

windows/security/includes/sections/privacy.md

@@ -0,0 +1,6 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---

windows/security/includes/sections/security-foundations-certification-overview.md

@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+The following table lists the edition applicability for all Certification features.
+
+|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:-:|:-:|:-:|:-:|:-:|
+|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|
+|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|
+
+The following table lists the licensing applicability for all Certification features.
+
+|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|Yes|
+|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/security-foundations.md

@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 06/02/2023
+ms.topic: include
+---
+
+## Certification
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| **[Common Criteria certifications](https://learn.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria)** | Microsoft is committed to supporting product security standards and certifications, including FIPS 140 and Common Criteria as an external validation of security assurance. Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft Windows client and server products   incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications. |
+| **[Federal Information Processing Standard (FIPS) 140 validation](https://learn.microsoft.com/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |

windows/security/index.yml

@@ -57,7 +57,7 @@ landingContent:
       - linkListType: overview
         links:
         - text: Overview
-          url: operating-system-security\operating-system.md
+          url: operating-system-security/index.md
       - linkListType: concept
         links:
         - text: Trusted boot

windows/security/operating-system-security/index.md

@@ -0,0 +1,25 @@
+---
+title: Windows operating system security
+description: Securing the operating system includes system security, encryption, network security, and threat protection.
+ms.reviewer:
+ms.topic: article
+manager: aaroncz
+ms.author: vinpa
+author: vinaypamnani-msft
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.date: 09/21/2021
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+---
+
+# Windows operating system security
+
+Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
+
+Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
+
+Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
+
+[!INCLUDE [operating-system-security](../includes/sections/operating-system.md)]

windows/security/operating-system-security/operating-system.md

@@ -1,40 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.reviewer:
-ms.topic: article
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 09/21/2021
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.<br/><br/>
-
-| Security Measures | Features & Capabilities |
-|:---|:---|
-| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.<br><br/> Learn more [Secure Boot and Trusted Boot](system-security/trusted-boot.md). |
-Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. <br><br/> Learn more about [Cryptography and certificate management](system-security/cryptography-certificate-mgmt.md). <br/><br/>|
-Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. <br><br/> Learn more about the [Windows Security app](system-security/windows-defender-security-center/windows-defender-security-center.md).|
-| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers. <br/><br/> Learn more about [Encryption](../encryption-data-protection.md).
-| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. <br/> <br/> Learn more about [BitLocker](../information-protection/bitlocker/bitlocker-overview.md). |
-| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. <br> By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. <br/><br/> Learn more about [Encrypted Hard Drives](../information-protection/encrypted-hard-drive.md).|
-| S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. <br/><br/> Learn more about [S/MIME for Windows](data-protection/configure-s-mime.md).|
-| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. <br/><br/>Security baselines are included in the [Security Compliance Toolkit](../threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.<br/><br/>Learn more about [security baselines](../threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
-| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. <br><br/>Learn more about [Virtual Private Networks](network-security/vpn/vpn-guide.md).<br/><br/>|
-| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. <br><br/> Learn more about [Windows Defender Firewall with advanced security](network-security/windows-firewall/windows-firewall-with-advanced-security.md).<br/><br/>
-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on. <br/><br/>From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats.  Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).<br/><br/>Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.<br/><br/>Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
-| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.<br/><br/> Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
-| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user's data, to install malware, or to otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.<br/><br/>With tamper protection, malware is prevented from taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling antivirus (such as IOfficeAntivirus (IOAV))<br/>- Disabling cloud-delivered protection<br/>- Removing security intelligence updates <br/><br/>Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
-| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses. <br/><br/>In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.<br/><br/> Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
-| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps' access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. <br/><br/>Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
-| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. <br/><br/>You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.<br/><br/>Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
-| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.<br/><br/>Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.<br/><br/>Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |

windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md

@@ -18,7 +18,7 @@ appliesto:
 
 # Secure the Windows boot process
 
-The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+Windows has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, Windows includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
 
 Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
 
@@ -98,7 +98,7 @@ Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT de
 
 ## Trusted Boot
 
-Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
 
 ## Early Launch Anti-Malware
 

windows/security/operating-system-security/system-security/toc.yml

@@ -9,7 +9,7 @@ items:
   href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
 - name: Cryptography and certificate management
   href: cryptography-certificate-mgmt.md
-- name: The Windows Security app
+- name: Windows Security app
   href: windows-defender-security-center/windows-defender-security-center.md
   items:
   - name: Virus & threat protection

windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md

@@ -1,5 +1,5 @@
 ---
-title: The Windows Security app
+title: Windows Security app
 description: The Windows Security app brings together common Windows security features into one place.
 ms.prod: windows-client
 ms.localizationpriority: medium
@@ -17,7 +17,7 @@ appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# The Windows Security app
+# Windows Security app
 
 This library describes the Windows Security app, and provides information on configuring certain features, including:
 

windows/security/operating-system-security/toc.yml

@@ -1,6 +1,6 @@
 items:
 - name: Overview
-  href: operating-system.md
+  href: index.md
 - name: System security
   href: system-security/toc.yml
 - name: Virus and threat protection