updates

windows/security/TOC.yml

@@ -4,10 +4,10 @@
   expanded: true
 - name: Introduction
   items:
-  - name: Zero Trust and Windows
-    href: zero-trust-windows-device-health.md
   - name: Windows security overview
     href: introduction/index.md
+  - name: Zero Trust and Windows
+    href: zero-trust-windows-device-health.md
   - name: Security features edition requirements
     href: introduction/security-features-edition-requirements.md
   - name: Security features licensing requirements

windows/security/identity-protection/credential-guard/credential-guard-requirements.md

@@ -66,6 +66,8 @@ Applications may cause performance issues when they attempt to hook the isolated
 
 Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
 
+[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)]
+
 ## Security considerations
 
 All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
@@ -96,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve
 |Protections for Improved Security|Description|
 |---|---|
 |Hardware: **IOMMU** (input/output memory management unit)|**Requirement**: </br> - VT-D or AMD Vi IOMMU </br> </br> **Security benefits**: </br> - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)|
-|Firmware: **Securing Boot Configuration and Management**|**Requirements**: </br> - BIOS password or stronger authentication must be supported. </br> - In the BIOS configuration, BIOS authentication must be set. </br> - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. </br> - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
+|Firmware: **Securing Boot Configuration and Management**|**Requirements**: </br> - BIOS password or stronger authentication must be supported. </br> - In the BIOS configuration, BIOS authentication must be set. </br> - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system. </br> - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
 |Firmware: **Secure MOR, revision 2 implementation**|**Requirement**: </br> - Secure MOR, revision 2 implementation|
 
 ### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016

windows/security/identity-protection/credential-guard/credential-guard.md

@@ -21,8 +21,6 @@ By enabling Windows Defender Credential Guard, the following features and soluti
 > [!NOTE]
 > As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
 
-[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)]
-
 ## Related topics
 
 - [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)

windows/security/introduction/index.md

@@ -13,17 +13,17 @@ appliesto:
 
 The acceleration of digital transformation and the expansion of both remote and hybrid workplaces brings new opportunities to organizations, communities, and individuals. Our work styles have transformed. And now more than ever, employees need simple, intuitive user experiences to collaborate and stay productive, wherever work happens. But the expansion of access and ability to work anywhere has also introduced new threats and risks. According to data from the Microsoft commissioned Security Signals report, 75% of security decision-makers at the vice-president level and above feel the move to hybrid work leaves their organization more vulnerable to security threats. And [Microsoft's 2022 Work Trend Index](https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/) shows "cybersecurity issues and risks" are top concerns for business decisions makers, who worry about issues like malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices.
 
-## How Windows 11 enables zero-trust protection
+## How Windows 11 enables Zero Trust protection
 
-A zero-trust security model gives the right people the right access at the right time. Zero-trust security is based on three principles:
+A Zero Trust security model gives the right people the right access at the right time. Zero Trust security is based on three principles:
 
 1. Reduce risk by explicitly verifying data points such as user identity, location, and device health for every access request, without exception
 2. When verified, give people and devices access to only necessary resources for the necessary amount of time
 3. Use continuous analytics to drive threat detection and improve defenses
 
-You should continue to strengthen your zero-trust posture as well. To improve threat detection and defenses, verify end-to-end encryption and use analytics to gain visibility.
+You should continue to strengthen your Zero Trust posture as well. To improve threat detection and defenses, verify end-to-end encryption and use analytics to gain visibility.
 
-For Windows 11, the zero-trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides chip-to-cloud security, enabling IT administrators to implement strong authorization and authentication processes with tools such as our premier solution Windows Hello for Business. IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. In addition, Windows 11 works out-of-the-box with Microsoft Endpoint Manager and Azure Active Directory, so access decisions and enforcement are seamless. Plus, IT administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more.
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides chip-to-cloud security, enabling IT administrators to implement strong authorization and authentication processes with tools such as our premier solution Windows Hello for Business. IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. In addition, Windows 11 works out-of-the-box with Microsoft Endpoint Manager and Azure Active Directory, so access decisions and enforcement are seamless. Plus, IT administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more.
 
 Individual users also benefit from powerful safeguards including new standards for hardware-based security and passwordless protection that help safeguard data and privacy.
 

windows/security/zero-trust-windows-device-health.md

@@ -13,7 +13,7 @@ ms.date: 12/31/2017
 ---
 
 # Zero Trust and Windows device health
-Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps address today's complex environments.
+Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments.
 
 The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
 
@@ -27,12 +27,12 @@ The Zero Trust concept of **verify explicitly** applies to the risks introduced
 
 [Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources. 
 
-Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling.
+Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling.
 
 Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
 
 ## Device health attestation on Windows
- Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines:
+ Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines:
 
 - If the device can be trusted
 - If the operating system booted correctly