updates

.openpublishing.redirection.windows-security.json

@@ -170,19 +170,14 @@
       "redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
       "redirect_document_id": false
     },
-    {
-      "source_path": "windows/security/identity.md",
-      "redirect_url": "/windows/security/identity-protection",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "windows/security/identity-protection/hello-for-business/hello-overview.md",
-      "redirect_url": "/windows/security/identity-protection/hello-for-business",
-      "redirect_document_id": false
-    },
     {
       "source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
-      "redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
+      "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/hardware.md",
+      "redirect_url": "/windows/security/hardware-security",
       "redirect_document_id": false
     },
     {
@@ -365,6 +360,11 @@
       "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/identity-protection/hello-for-business/hello-overview.md",
+      "redirect_url": "/windows/security/identity-protection/hello-for-business",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md",
       "redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key",
@@ -400,6 +400,11 @@
       "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/identity-protection/password-support-policy.md",
+      "redirect_url": "https://support.microsoft.com/help/4490115",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/identity-protection/user-account-control/how-user-account-control-works.md",
       "redirect_url": "/windows/security/application-security/application-control/user-account-control/how-it-works",
@@ -480,6 +485,16 @@
       "redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-security-features",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md",
+      "redirect_url": "/windows/security/identity-protection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity.md",
+      "redirect_url": "/windows/security/identity-protection",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md",
       "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker",
@@ -655,11 +670,6 @@
       "redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
       "redirect_document_id": false
     },
-    {
-      "source_path": "windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md",
-      "redirect_url": "/windows/security/identity-protection",
-      "redirect_document_id": false
-    },
     {
       "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
       "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
@@ -735,11 +745,81 @@
       "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/information-protection/pluton/microsoft-pluton-security-processor.md",
+      "redirect_url": "/windows/security/hardware-security/pluton/microsoft-pluton-security-processor",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/pluton/pluton-as-tpm.md",
+      "redirect_url": "/windows/security/hardware-security/pluton/pluton-as-tpm",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/information-protection/secure-the-windows-10-boot-process.md",
       "redirect_url": "/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/change-the-tpm-owner-password",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/how-windows-uses-the-tpm.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/how-windows-uses-the-tpm",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/manage-tpm-commands",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/manage-tpm-lockout",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/tpm-fundamentals.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/tpm-fundamentals",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/tpm-recommendations.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/tpm-recommendations",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/trusted-platform-module-overview.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/trusted-platform-module-top-node.md",
+      "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md",
       "redirect_url": "/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure",
@@ -7225,16 +7305,6 @@
       "redirect_url": "/windows/security/operating-system-security/system-security/trusted-boot",
       "redirect_document_id": false
     },
-    {
-      "source_path": "windows/security/identity-protection/password-support-policy.md",
-      "redirect_url": "https://support.microsoft.com/help/4490115",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "windows/security/hardware.md",
-      "redirect_url": "/windows/security/hardware-security",
-      "redirect_document_id": false
-    },
     {
       "source_path": "windows/security/introduction/index.md",
       "redirect_url": "/windows/security/introduction",
@@ -7262,5 +7332,3 @@
     }
   ]
 }
-
-

windows/deployment/do/includes/waas-delivery-optimization-monitor.md

@@ -5,7 +5,7 @@ manager: aaroncz
 ms.prod: windows-client
 ms.technology: itpro-deploy
 ms.topic: include
-ms.date: 04/06/2022
+ms.date: 07/31/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by do/waas-delivery-optimization-setup.md and the update/update-compliance-get-started.md articles -->
@@ -27,13 +27,13 @@ ms.localizationpriority: medium
 | FileSizeInCache | Size of the file in the cache |
 | TotalBytesDownloaded | The number of bytes from any source downloaded so far |
 | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
-| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
+| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
 | BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, which includes BytesFromCacheServer |
 | Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
 | Priority | Priority of the download; values are **foreground** or **background** |
 | BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
 | BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
-| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes will be registered in 'BytesFromLANPeers'.)  |
+| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes are registered in 'BytesFromLANPeers'.)  |
 | BytesFromInternetPeers | Total number of bytes received from internet peers |
 | BytesToLanPeers | Total number of bytes delivered from peers found on the LAN |
 | BytesToGroupPeers | Total number of bytes delivered from peers found in the group |
@@ -168,3 +168,33 @@ Using the `-ListConnections` option returns these details about peers:
 If `Path` isn't specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs.
 
 Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content <output file>` or something similar.
+
+
+**Starting in Windows 10, version 1803:**
+
+`Get-DOConfig -Verbose`
+
+This cmdlet lists local configuration and policies that are applied to Delivery Optimization. This includes policies that are set via Group Policies or MDM Policies. Each policy is listed with the current set value and the provider of that policy. For example:
+
+DownloadMode:Simple
+DownloadModeProvider:Mdm Provider
+
+The provider is listed as "Default Provider" if it's using the Delivery Optimization platform configured default. 
+
+The cmdlet returns the following data:
+
+- BatteryPctToSeed: Corresponds to the [DOMinBatteryPercentageAllowedToUpload](../waas-delivery-optimization-reference.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) policy.
+- WorkingDirectory: The local folder containing the Delivery Optimization cache.
+- MinTotalDiskSize: Corresponds to the [DOMinDiskSizeAllowedToPeer](../waas-delivery-optimization-reference.md#minimum-disk-size-allowed-to-use-peer-caching) policy.
+- MinTotalRAM: Corresponds to the [DOMinRAMAllowedToPeer](../waas-delivery-optimization-reference.md#minimum-ram-inclusive-allowed-to-use-peer-caching) policy.
+- VpnPeerCachingAllowed: Corresponds to the [DOAllowVPNPeerCaching](../waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
+- VpnKeywords: List of keywords used to identify a VPN adapter.
+- SetHoursToLimitDownloadBackground: Corresponds to the [DOSetHoursToLimitBackgroundDownloadBandwidth](../waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth) policy.
+- SetHoursToLimitDownloadForeground: Corresponds to the [DOSetHoursToLimitForegroundDownloadBandwidth](../waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth) policy.
+- DownloadMode: Corresponds to the [DODownloadMode](../waas-delivery-optimization-reference.md#download-mode) policy.
+- DownBackLimitBps: Corresponds to the [DOMaxBackgroundDownloadBandwidth](../waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) policy.
+- DownloadForegroundLimitBps: Corresponds to the [DOMaxForegroundDownloadBandwidth](../waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) policy.
+- DownBackLimitPct: Corresponds to the [DOPercentageMaxBackgroundBandwidth](../waas-delivery-optimization-reference.md#maximum-background-download-bandwidth) policy.
+- DownloadForegroundLimitPct: Corresponds to the [DOPercentageMaxForegroundBandwidth](../waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth) policy.
+- MaxUploadRatePct: Corresponds to the [DOMaxUploadBandwidth](../waas-delivery-optimization-reference.md#max-upload-bandwidth) policy (deprecated in Windows 10, version 2004).
+- UploadLimitMonthlyGB: Corresponds to the [DOMonthlyUploadDataCap](../waas-delivery-optimization-reference.md#monthly-upload-data-cap) policy.

windows/deployment/do/waas-delivery-optimization-faq.yml

@@ -12,7 +12,7 @@ metadata:
     - highpri
     - tier3
   ms.topic: faq
-  ms.date: 07/11/2023
+  ms.date: 07/31/2023
 title: Delivery Optimization Frequently Asked Questions
 summary: |
   **Applies to**
@@ -62,6 +62,10 @@ sections:
           Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks. 
           The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible. 
         
+      - question: Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected? 
+        answer: | 
+          When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your Internet Service Provider, the download will be pulled directly from the IP Address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available. 
+
       - question: Does Delivery Optimization use multicast?
         answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
           
@@ -131,7 +135,7 @@ sections:
       
       - question: Delivery Optimization is using device resources and I can't tell why?
         answer: |
-          Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Oftentimes customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
+          Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
 
       - question: What Delivery Optimization settings are available?
         answer: |

windows/deployment/do/waas-delivery-optimization-reference.md

@@ -6,9 +6,9 @@ ms.prod: windows-client
 author: cmknox
 ms.localizationpriority: medium
 ms.author: carmenf
-ms.topic: article
+ms.topic: reference
 ms.technology: itpro-updates
-ms.date: 06/28/2023
+ms.date: 07/31/2023
 ms.collection: tier3
 ---
 
@@ -16,18 +16,18 @@ ms.collection: tier3
 
 **Applies to**
 
-- Windows 10
+- Windows 10
 - Windows 11
 
 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
 
-There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
+There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This article summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
 
 ## Delivery Optimization options
 
 You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
 
-You'll find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
+The Delivery Optimization settings in Group Policy are under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
 In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
 
 ### Summary of Delivery Optimization settings
@@ -35,9 +35,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 | Group Policy setting | MDM setting | Supported from version | Notes |
 | --- | --- | --- | ------- |
 | [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.|
-| [Group ID](#group-id)  | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order.  |
+| [Group ID](#group-id)  | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order.  |
-| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. |
+| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. |
-| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices  default to using 'Subnet'.  |
+| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, a new option to use 'Local discovery (DNS-SD)' is available to set via this policy. |
 | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. |
 | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. |
 | [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). |
@@ -51,16 +51,16 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery.  |
 | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
 | [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
-| [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
+| [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
 | [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
 | [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. |
 | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. |
 | [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
 | [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
-| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
+| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
-| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
+| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
-| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809  | Default is it has no value. |
+| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809  | No value is set as default. |
-| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. |
+| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | No value is set as default. |
 | [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
 | [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs)  or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
 | [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (deprecated in Windows 10, version 2004) | Default is '0' (unlimited). |
@@ -82,7 +82,7 @@ All cached files have to be above a set minimum size. This size is automatically
 
 #### Impact to network
 
-More options available that control the impact Delivery Optimization has on your network include the following:
+More options available that control the impact Delivery Optimization has on your network include the following settings:
 
 - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network.
 - [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth*hat Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
@@ -94,7 +94,7 @@ More options available that control the impact Delivery Optimization has on your
 
 #### Policies to prioritize the use of Peer-to-Peer and Cache Server sources
 
-When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to both MCC and peers in parallel. If the desired content can’t be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source which is the default behavior.
+When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior.
 
 ##### Peer-to-peer delay fallback settings
 
@@ -106,11 +106,11 @@ When Delivery Optimization client is configured to use peers and Microsoft Conne
 - [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server.
 - [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background  download that is allowed to use a cache server.
 
-**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
+**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This setting allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
 
 #### System resource usage
 
-Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
+Administrators can further customize scenarios where Delivery Optimization is used with the following settings:
 
 - [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
 - [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
@@ -119,12 +119,14 @@ Administrators can further customize scenarios where Delivery Optimization will
 
 ### Download mode
 
+MDM Setting: **DODownloadMode**
+
 Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Other technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization).
 
 | Download mode option | Functionality when set |
 | --- | --- |
 | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source or a Microsoft Connected Cache server. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
-| LAN (**1 – Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
+| LAN (**1 - Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
 | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
 | Internet (3) | Enable Internet peer sources for Delivery Optimization. |
 | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. |
@@ -135,6 +137,8 @@ Download mode dictates which download sources clients are allowed to use when do
 
 ### Group ID
 
+MDM Setting: **DOGroupID**
+
 By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
 
 >[!NOTE]
@@ -144,23 +148,29 @@ By default, peer sharing on clients using the Group download mode (option 2) is
 
 ### Select the source of Group IDs
 
+MDM Setting: **DOGroupIDSource**
+
 Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are:
 
 - 0 = Not set
 - 1 = AD Site
 - 2 = Authenticated domain SID
-- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
+- 3 = DHCP Option ID (with this option, the client queries DHCP Option ID 234 and use the returned GUID value as the Group ID)
 - 4 = DNS Suffix
-- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
+- 5 = Starting with Windows 10, version 1903, you can use the Azure AD Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
 
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
 
 ### Minimum RAM (inclusive) allowed to use Peer Caching  
 
+MDM Setting: **DOMinRAMAllowedToPeer**
+
 This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4, and **the default value is 4 GB**.
 
 ### Minimum disk size allowed to use Peer Caching
 
+MDM Setting: **DOMinDiskSizeAllowedToPeer**
+
 This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and **the default value is 32 GB**.
 
 >[!NOTE]
@@ -168,57 +178,82 @@ This setting specifies the required minimum disk size (capacity in GB) for the d
 
 ### Max Cache Age
 
-In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
+MDM Setting: **DOMaxCacheAge**
+
+In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
 
 ### Max Cache Size
 
-This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
+MDM Setting: **DOMaxCacheSize**
+
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
 
 ### Absolute Max Cache Size
 
-This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. **The default value is 10 GB**.
+MDM Setting: **DOAbsoluteMaxCacheSize**
+
+This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it overrides the [**Max Cache Size**](#max-cache-size) setting. **The default value is 10 GB**.
 
 ### Minimum Peer Caching Content File Size
 
+MDM Setting: **DOMinFileSizeToCache**
+
 This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50 MB** to participate in peering.
 
 ### Maximum Download Bandwidth
 
+MDM Setting: **DOMaxUploadBandwidth**
+
+Deprecated in Windows 10, version 2004.
 This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
 
-> [!NOTE]
-> This is the best option for low bandwidth environments.
 
 ### Maximum Foreground Download Bandwidth
 
+MDM Setting: **DOPercentageMaxForegroundBandwidth**
+
 Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
 
 ### Maximum Background Download Bandwidth
 
+MDM Setting: **DOPercentageMaxBackgroundBandwidth**
+
 Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
 
+> [!NOTE]
+> It is recommended to use the absolute value download options 'DOMaxBackgroundDownloadBandwidth' and 'DOMaxForegroundDownloadBandwidth', rather than percentage-based options, for low bandwidth environments.
+
 ### Percentage of Maximum Download Bandwidth
 
-This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+MDM Setting: **DOPercentageMaxDownloadBandwidth**
 
-> [!NOTE]
+Deprecated in Windows 10, version 2004.
-> It is recommended to use the absolute value download option 'Maximum Download Bandwidth', rather than percentage-based options, for low bandwidth environments.
+This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
 
 ### Max Upload Bandwidth
 
+MDM Setting: **DOMaxUploadBandwidth**
+
+Deprecated in Windows 10, version 2004.
 This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it doesn't cap the upload bandwidth rate at a set rate.
 
 ### Set Business Hours to Limit Background Download Bandwidth
 
+MDM Setting: **DOSetHoursToLimitBackgroundDownloadBandwidth**
+
 Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
 
 ### Set Business Hours to Limit Foreground Download Bandwidth
 
+MDM Setting: **DOSetHoursToLimitForegroundDownloadBandwidth**
+
 Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
 
 ### Select a method to restrict peer selection
 
-Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**.
+MDM Setting: **DORestrictPeerSelectionBy**
+
+Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11, the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets.
 
 If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
 
@@ -226,40 +261,58 @@ The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered polic
 
 ### Delay background download from HTTP (in secs)
 
+MDM Setting: **DODelayBackgroundDownloadFromHttp**
+
 Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
 
 ### Delay foreground download from HTTP (in secs)
 
+MDM Setting: **DODelayForegroundDownloadFromHttp**
+
 Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
 
 ### Delay Foreground Download Cache Server Fallback (in secs)
 
+MDM Setting: **DelayCacheServerFallbackForeground**
+
 Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
 
 By default this policy isn't set. So,
 
 ### Delay Background Download Cache Server Fallback (in secs)
 
+MDM Setting: **DelayCacheServerFallbackBackground**
+
 Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
 
 ### Minimum Background QoS
 
-This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
+MDM Setting: **DOMinBackgroundQoS**
+
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content is sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
 
 ### Modify Cache Drive
 
+MDM Setting: **DOModifyCacheDrive**
+
 This setting allows for an alternate Delivery Optimization cache location on the clients. **By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable.** You can set the value to an environment variable (for example, %SYSTEMDRIVE%), a drive letter (for example, D:), or a folder path (for example, D:\DOCache).
 
 ### Monthly Upload Data Cap
 
+MDM Setting: **DOMonthlyUploadDataCap**
+
 This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. **The default value for this setting is 20 GB.**
 
 ### Enable Peer Caching while the device connects via VPN
 
-This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+MDM Setting: **DOAllowVPNPeerCaching**
+
+This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed, except when the 'Local Discovery' (DNS-SD) option is chosen.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
 
 ### Allow uploads while the device is on battery while under set Battery level
 
+MDM Setting: **DOMinBatteryPercentageAllowedToUpload**
+
 This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%).
 The device can download from peers while on battery regardless of this policy.
 
@@ -268,6 +321,8 @@ The device can download from peers while on battery regardless of this policy.
 
 ### Cache Server Hostname
 
+MDM Setting: **DOCacheHost**
+
 Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.**
 
 >[!IMPORTANT]
@@ -275,12 +330,14 @@ Set this policy to designate one or more Microsoft Connected Cache servers to be
 
 ### Cache Server Hostname Source
 
+MDM Setting: **DOCacheHostSource**
+
 This policy allows you to specify how your client(s) can discover Delivery Optimization in Network Cache servers dynamically. There are two options:
 
 - 1 = DHCP Option 235.
 - 2 = DHCP Option 235 Force.
 
-With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.**
+With either option, the client queries DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.**
 
 Set this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your DHCP server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.
 
@@ -289,12 +346,16 @@ Set this policy to designate Delivery Optimization in Network Cache servers thro
 
 ### Maximum Foreground Download Bandwidth (in KB/s)
 
+MDM Setting: **DOMaxForegroundDownloadBandwidth**
+
 Specifies the maximum foreground download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
 
 **The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.**
 
 ### Maximum Background Download Bandwidth (in KB/s)
 
+MDM Setting: **DOMaxBackgroundDownloadBandwidth**
+
 Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
 
 **The default value "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.**

windows/security/docfx.json

@@ -134,10 +134,20 @@
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
         ],
-        "hardware-security//**/*.md": [
+        "hardware-security/**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
         ],
+        "hardware-security/pluton/**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
+        ],
+        "hardware-security/tpm/**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
+        ],
         "identity-protection/**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"

windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md

@@ -2,9 +2,7 @@
 title: Microsoft Pluton security processor
 description: Learn more about Microsoft Pluton security processor
 ms.topic: conceptual
-ms.date: 09/15/2022
+ms.date: 07/31/2023
-appliesto: 
-  - ✅ <b>Windows 11, version 22H2</b>
 ---
 
 # Microsoft Pluton security processor

windows/security/hardware-security/pluton/pluton-as-tpm.md

@@ -2,9 +2,7 @@
 title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
 description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
 ms.topic: conceptual
-ms.date: 09/15/2022
+ms.date: 07/31/2023
-appliesto: 
-  - ✅ <b>Windows 11, version 22H2</b>
 ---
 
 # Microsoft Pluton as Trusted Platform Module

windows/security/hardware-security/toc.yml

@@ -6,36 +6,36 @@ items:
       - name: Windows Defender System Guard
         href: how-hardware-based-root-of-trust-helps-protect-windows.md
       - name: Trusted Platform Module
-        href: ../information-protection/tpm/trusted-platform-module-top-node.md
+        href: tpm/trusted-platform-module-top-node.md
         items:
           - name: Trusted Platform Module overview
-            href: ../information-protection/tpm/trusted-platform-module-overview.md
+            href: tpm/trusted-platform-module-overview.md
           - name: TPM fundamentals
-            href: ../information-protection/tpm/tpm-fundamentals.md
+            href: tpm/tpm-fundamentals.md
           - name: How Windows uses the TPM
-            href: ../information-protection/tpm/how-windows-uses-the-tpm.md
+            href: tpm/how-windows-uses-the-tpm.md
           - name: Manage TPM commands
-            href: ../information-protection/tpm/manage-tpm-commands.md
+            href: tpm/manage-tpm-commands.md
-          - name: Manager TPM Lockout
+          - name: Manage TPM Lockout
-            href: ../information-protection/tpm/manage-tpm-lockout.md
+            href: tpm/manage-tpm-lockout.md
           - name: Change the TPM password
-            href: ../information-protection/tpm/change-the-tpm-owner-password.md
+            href: tpm/change-the-tpm-owner-password.md
           - name: TPM Group Policy settings
-            href: ../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+            href: tpm/trusted-platform-module-services-group-policy-settings.md
           - name: Back up the TPM recovery information to AD DS
-            href: ../information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+            href: tpm/backup-tpm-recovery-information-to-ad-ds.md
           - name: View status, clear, or troubleshoot the TPM
-            href: ../information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+            href: tpm/initialize-and-configure-ownership-of-the-tpm.md
           - name: Understanding PCR banks on TPM 2.0 devices
-            href: ../information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+            href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md
           - name: TPM recommendations
-            href: ../information-protection/tpm/tpm-recommendations.md
+            href: tpm/tpm-recommendations.md
       - name: Microsoft Pluton security processor
         items:
           - name: Microsoft Pluton overview
-            href: ../information-protection/pluton/microsoft-pluton-security-processor.md
+            href: pluton/microsoft-pluton-security-processor.md
           - name: Microsoft Pluton as TPM
-            href: ../information-protection/pluton/pluton-as-tpm.md
+            href: pluton/pluton-as-tpm.md
   - name: Silicon assisted security
     items:
       - name: Virtualization-based security (VBS) 🔗
@@ -53,4 +53,4 @@ items:
       - name: Kernel Direct Memory Access (DMA) protection
         href: kernel-dma-protection-for-thunderbolt.md
       - name: System Guard Secure Launch
-        href: system-guard-secure-launch-and-smm-protection.md
+        href: system-guard-secure-launch-and-smm-protection.md

windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md

@@ -3,9 +3,6 @@ title: Back up TPM recovery information to Active Directory
 description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # Back up the TPM recovery information to AD DS

windows/security/hardware-security/tpm/change-the-tpm-owner-password.md

@@ -1,14 +1,8 @@
 ---
-title: Change the TPM owner password 
+title: Change the TPM owner password
 description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Change the TPM owner password

windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md

@@ -3,9 +3,6 @@ title: How Windows uses the TPM
 description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # How Windows uses the Trusted Platform Module
@@ -22,11 +19,11 @@ TPMs are passive: they receive commands and return responses. To realize the ful
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
-OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*.
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*.
 
 The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't.
 
-Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
+Certification programs for TPMs-and technology in general-continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
 
 ## TPM in Windows
 
@@ -64,7 +61,7 @@ The adoption of new authentication technology requires that identity providers a
 
 Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
 
-- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
+- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
 
 - **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
 
@@ -77,7 +74,7 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
 
 BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
 
-In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
+In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however-for example, a different operating system is booted from a USB device-the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
 
 - **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
 

windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md

@@ -3,9 +3,6 @@ title: Troubleshoot the TPM
 description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ms.collection:
 - highpri
 - tier1

windows/security/hardware-security/tpm/manage-tpm-commands.md

@@ -1,14 +1,8 @@
 ---
-title: Manage TPM commands 
+title: Manage TPM commands
 description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Manage TPM commands

windows/security/hardware-security/tpm/manage-tpm-lockout.md

@@ -1,15 +1,10 @@
 ---
-title: Manage TPM lockout 
+title: Manage TPM lockout
 description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
+
 # Manage TPM lockout
 
 This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.

windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md

@@ -3,9 +3,6 @@ title: UnderstandPCR banks on TPM 2.0 devices
 description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # PCR banks on TPM 2.0 devices

windows/security/hardware-security/tpm/tpm-fundamentals.md

@@ -3,9 +3,6 @@ title: Trusted Platform Module (TPM) fundamentals
 description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
 ms.topic: conceptual
 ms.date: 03/09/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # TPM fundamentals
@@ -116,4 +113,4 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
 - Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered.
   With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors
 - Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements
-- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password
+- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password

windows/security/hardware-security/tpm/tpm-recommendations.md

@@ -1,14 +1,11 @@
 ---
-title: TPM recommendations 
+title: TPM recommendations
 description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
+ms.collection:
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- highpri
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+- tier1
-ms.collection: 
-  - highpri
-  - tier1
 ---
 
 # TPM recommendations
@@ -25,7 +22,7 @@ TPMs are passive: they receive commands and return responses. To realize the ful
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
-OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
 
 The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
 
@@ -90,7 +87,7 @@ For end consumers, TPM is behind the scenes but is still relevant. TPM is used f
 
 - TPM is optional on IoT Core.
 
-### Windows Server 2016
+### Windows Server 2016
 
 - TPM is optional for Windows Server SKUs unless the SKU meets the other qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
 

windows/security/hardware-security/tpm/trusted-platform-module-overview.md

@@ -3,12 +3,9 @@ title: Trusted Platform Module Technology Overview
 description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.topic: conceptual
 ms.date: 02/22/2023
-appliesto: 
+ms.collection:
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- highpri
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+- tier1
-ms.collection: 
-  - highpri
-  - tier1
 ---
 
 # Trusted Platform Module Technology Overview

windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md

@@ -1,16 +1,12 @@
 ---
-title: TPM Group Policy settings 
+title: TPM Group Policy settings
 description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # TPM Group Policy settings
 
-
 This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 
 The Group Policy settings for TPM services are located at:
@@ -34,11 +30,11 @@ This policy setting configured which TPM authorization values are stored in the
 
 There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
 
--   **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
+-   **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
 
--   **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
+-   **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
 
--   **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
+-   **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
 
 > [!NOTE]
 > If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
@@ -57,7 +53,6 @@ The following table shows the TPM owner authorization values in the registry.
 | 2          | Delegated |
 | 4          | Full      |
 
-
 If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose.
 
 On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
@@ -73,9 +68,9 @@ This setting helps administrators prevent the TPM hardware from entering a locko
 
 For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration:
 
--   [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
+-   [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
 
--   [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
+-   [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
 
 An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
 

windows/security/hardware-security/tpm/trusted-platform-module-top-node.md

@@ -1,14 +1,11 @@
 ---
-title: Trusted Platform Module 
+title: Trusted Platform Module
 description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
+ms.collection:
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- highpri
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+- tier1
-ms.collection: 
-  - highpri
-  - tier1
 ---
 
 # Trusted Platform Module

windows/security/identity-protection/credential-guard/credential-guard-requirements.md

@@ -85,7 +85,7 @@ The following tables describe baseline protections, plus protections for improve
 |---|---|---|
 |Hardware: **64-bit CPU**        |A 64-bit computer is required for the Windows hypervisor to provide VBS.|
 |Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**: </br> - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system. </br></br> Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.|
-|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
+|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../hardware-security/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
 |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
 |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
 |Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|

windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md

@@ -359,7 +359,7 @@ A TPM implements controls that meet the specification described by the Trusted C
 - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
 - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
 
-Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md).
+Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../hardware-security/tpm/tpm-recommendations.md).
 
 Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
 

windows/security/index.yml

@@ -39,7 +39,7 @@ landingContent:
       - linkListType: concept
         links:
         - text: Trusted Platform Module
-          url: information-protection/tpm/trusted-platform-module-top-node.md
+          url: hardware-security/tpm/trusted-platform-module-top-node.md
         - text: Windows Defender System Guard firmware protection
           url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
         - text: System Guard Secure Launch and SMM protection enablement

windows/security/introduction.md

@@ -15,7 +15,7 @@ appliesto:
 
 The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
 
-Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
+Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
 
 ## How Windows 11 enables Zero Trust protection
 
@@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
 1. When verified, give people and devices access to only necessary resources for the necessary amount of time
 1. Use continuous analytics to drive threat detection and improve defenses
 
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
 
 ### Security, by default
 
@@ -35,7 +35,7 @@ Windows 11 is a natural evolution of its predecessor, Windows 10. We have collab
 
 With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
 
-In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
+In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
 
 ### Robust application security and privacy controls
 
@@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
 
 ### Secured identities
 
-Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
+Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
 
 ### Connecting to cloud services
 

windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md

@@ -15,7 +15,7 @@ This article for IT professionals describes the function, location, and effect o
 Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
 
 > [!NOTE]
-> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md).
+> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md).
 
 BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
 
@@ -219,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must
 
 Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
 
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
 
 The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
 

windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md

@@ -755,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
 
 - [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
 - [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
-- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module technology overview](../../hardware-security/tpm/trusted-platform-module-overview.md)