This commit is contained in:
Paolo Matarazzo 2023-05-02 16:01:55 -04:00
parent 96e4c2a792
commit 8419154d82
12 changed files with 23 additions and 12 deletions

View File

@ -15,7 +15,7 @@ The following table lists the Windows editions that support Federated sign-in:
Federated sign-in license entitlements are granted by the following licenses: Federated sign-in license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|:---:|
|No|No|No|Yes|Yes| |No|No|No|Yes|Yes|
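Review bot: the header cell in the license-entitlement table drops "Windows Pro/" while the row value stays "No", so after this change the table says nothing about Windows Pro at all rather than saying it is not entitled. If Pro was removed because it is not a licensed edition for Federated sign-in, that is the intended outcome, but the hunk header's context line says the preceding table lists the editions that support Federated sign-in; confirm that edition table was updated the same way, otherwise the two tables on the page disagree about Pro.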

View File

@ -39,6 +39,8 @@ This content set contains:
- [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts) - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
- [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups) - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
[!INCLUDE [access-control-aclsscals](../../../../includes/licensing/access-control-aclsscals.md)]
## Practical applications ## Practical applications
Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security: Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
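Review bot: the include file name `access-control-aclsscals.md` looks like a transposition of "acls-sacls" (access control lists / system access control lists); since `[!INCLUDE]` is resolved by relative path, confirm a file exists under exactly that name in `includes/licensing/`, and that the four-level `../../../../` prefix (the S/MIME and Remote Credential Guard pages in this commit use three levels) matches this page's depth. Also make sure a blank line separates the include from the preceding bullet `- [Active Directory Security Groups](...)`: without one, Markdown lazy continuation folds the include line into the last list item.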

View File

@ -20,6 +20,8 @@ Encrypted messages can be read only by recipients who have a certificate. If you
A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME. A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
[!INCLUDE [email-encryption-smime](../../../includes/licensing/email-encryption-smime.md)]
## Prerequisites ## Prerequisites
- [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com. - [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com.

View File

@ -30,23 +30,14 @@ The following diagram helps you to understand how a standard Remote Desktop sess
![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) ![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
<br />
The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) ![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
<br />
As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
<br />
<br />
Use the following table to compare different Remote Desktop connection security options: Use the following table to compare different Remote Desktop connection security options:
<br />
<br />
| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server | | **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
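Review bot: removing the `<br />` spacers after the two images and around "Use the following table to compare different Remote Desktop connection security options:" is the right cleanup, but each removed spacer must leave a blank line behind; if the `| Feature | Remote Desktop | ...` header row ends up directly under that sentence, the table is not recognized and renders as a paragraph of pipes. While this paragraph is being touched, the link on the "compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/...)" line still points at the retired TechNet wiki; consider pointing it at current documentation for Restricted Admin mode instead.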
@ -58,12 +49,10 @@ Use the following table to compare different Remote Desktop connection security
| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | | **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol | | **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
<br />
For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol) For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol)
and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)). and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)).
<br />
<a id="helpdesk"></a> <a id="helpdesk"></a>
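Review bot: with the `<br />` lines gone, "For further technical information, see [Remote Desktop Protocol](...)" and the following "and [How Kerberos works](...)" line become one paragraph, which is what the sentence wants; just keep a blank line before `<a id="helpdesk"></a>` so the anchor starts its own block instead of being appended to that paragraph.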
@ -80,6 +69,8 @@ For further information on LAPS, see [Microsoft Security Advisory 3062591](https
<a id="reqs"></a> <a id="reqs"></a>
[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)]
## Remote Credential Guard requirements ## Remote Credential Guard requirements
To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements:
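Review bot: the licensing include is inserted between `<a id="reqs"></a>` and the `## Remote Credential Guard requirements` heading that anchor exists to target, so a deep link to `#reqs` now lands on the licensing block rather than on the requirements heading. Move the include above the anchor (or directly below the heading) so the anchor stays adjacent to the heading it names.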

View File

@ -21,3 +21,5 @@ This topic for IT professional provides links to resources about the implementat
- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer. - [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card. - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
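Review bot: the include is appended directly after the last bullet `- [Smart Card Removal Policy Service](...)`, so it needs a blank line before it to avoid being treated as a lazy continuation of that list item, and since it is now the last line of the file it should end with a trailing newline. This is also the only page in the commit where the licensing block goes at the end of the file instead of above a requirements, prerequisites or practical-applications heading; if that is because this page has no such heading, fine, otherwise consider the same position used elsewhere.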

View File

@ -18,6 +18,8 @@ Other apps, especially those that were not specifically designed with security s
When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed. When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed.
[!INCLUDE [user-account-control-uac](../../../../includes/licensing/user-account-control-uac.md)]
## Practical applications ## Practical applications
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process. Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.

View File

@ -14,6 +14,8 @@ To create a Windows 10 VPN device configuration profile see: [Windows 10 and Win
> [!NOTE] > [!NOTE]
> This guide does not explain server deployment. > This guide does not explain server deployment.
[!INCLUDE [virtual-private-network-vpn](../../../../includes/licensing/virtual-private-network-vpn.md)]
## In this guide ## In this guide
| Article | Description | | Article | Description |
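Review bot: the include follows the `> This guide does not explain server deployment.` callout; without a blank line between them the include line is lazily continued into the blockquote and renders inside the note rather than as its own block. Keep the blank lines around `## In this guide` and before the `| Article | Description |` table for the same reason.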

View File

@ -52,6 +52,8 @@ BitLocker control panel, and they're appropriate to be used for automated deploy
To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker). To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker).
[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker.md)]
## System requirements ## System requirements
BitLocker has the following hardware requirements: BitLocker has the following hardware requirements:

View File

@ -48,6 +48,8 @@ Encrypted hard drives are supported natively in the operating system through the
If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)). If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
[!INCLUDE [encrypted-hard-drive](../../../includes/licensing/encrypted-hard-drive.md)]
## System Requirements ## System Requirements
To use encrypted hard drives, the following system requirements apply: To use encrypted hard drives, the following system requirements apply:
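Review bot: style nit on the context line `## System Requirements`: the BitLocker page in this same commit uses `## System requirements` (sentence case), which is the heading convention elsewhere in the set; since this file is already being edited, consider lowercasing "Requirements" so the two pages match.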

View File

@ -41,6 +41,8 @@ When Kernel DMA Protection is enabled:
- Peripherals with DMA Remapping-compatible device drivers will be automatically enumerated and started - Peripherals with DMA Remapping-compatible device drivers will be automatically enumerated and started
- Peripherals with DMA Remapping-incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system. - Peripherals with DMA Remapping-incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system.
[!INCLUDE [kernel-direct-memory-access-dma-protection](../../../includes/licensing/kernel-direct-memory-access-dma-protection.md)]
## System compatibility ## System compatibility
Kernel DMA Protection requires UEFI firmware support, and Virtualization-based Security (VBS) isn't required. Kernel DMA Protection requires UEFI firmware support, and Virtualization-based Security (VBS) isn't required.
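Review bot: the include lands right after the bullet `- Peripherals with DMA Remapping-incompatible drivers ...`, so it needs a blank line before it to avoid being folded into that list item. Separately, the context line "Kernel DMA Protection requires UEFI firmware support, and Virtualization-based Security (VBS) isn't required." reads as if the two clauses were parallel requirements; "requires UEFI firmware support; Virtualization-based Security (VBS) isn't required" states what is meant.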

View File

@ -23,6 +23,8 @@ ms.date: 03/13/2023
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
[!INCLUDE [personal-data-encryption-pde](../../../../includes/licensing/personal-data-encryption-pde.md)]
## Prerequisites ## Prerequisites
### Required ### Required
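Review bot: two block includes now sit back to back (`[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]` followed by the licensing include); keep a blank line between them so each is parsed as its own block. The hunk header's context also shows `ms.date: 03/13/2023`, so the page's front-matter date was not bumped even though visible content changed; update it if this repo uses `ms.date` to track content edits.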

View File

@ -41,6 +41,8 @@ For example, there are over 3,000 group policy settings for Windows 10, which do
In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as group policy object backups. In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as group policy object backups.
[!INCLUDE [security-baselines](../../../../includes/licensing/security-baselines.md)]
## Baseline principles ## Baseline principles
Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially: Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially: