mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 12:23:37 +00:00
revised procedures
@ -70,22 +70,14 @@ There are multiple ways to configure VBS features for Windows Defender Device Gu
Figure 3. Enable VBS
Figure 3. Enable VBS
5. Select the **Enabled** button, and then choose a secure boot option, such as **Secure Boot**, from the **Select Platform Security Level** list.
5. Select the **Enabled** button, and for **Select Platform Security Level**, choose a secure boot option.
- **Secure Boot** provides as much protection as a computer’s hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**.
- **Secure Boot with DMA** enables Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have Windows Defender Application Control enabled.<br>For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
Figure 4. Configure VBS, Secure Boot setting (in Windows 10, version 1607)
For **Virtualization Based Protection of Code Integrity**, select an option as follows:
> **Important** These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.<br>For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
- Beginning with Windows 10, version 1607 and Windows Server 2016:<br>For an initial deployment or test deployment, we recommend **Enabled without lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option.
> [!WARNING]
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
Select an option as follows:
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:<br>For an initial deployment or test deployment, we recommend **Enabled without lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
- With earlier versions of Windows 10:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
- With earlier versions of Windows 10:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
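Review bot: the rewritten Secure Boot bullet ("**Secure Boot** provides as much protection as a computer's hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**.") drops the point the removed Important note made explicit, that a computer with IOMMUs gets secure boot with DMA protection under plain **Secure Boot**, and its closing sentence now reads as though **Secure Boot** is only for machines without IOMMUs. Keep the general recommendation ("In most situations we recommend that you choose **Secure Boot**") and the IOMMU sentence so the reader sees that Secure Boot is the superset, not the fallback. Two smaller points in the same hunk: "only on a computer that supports DMA" should say "supports DMA protection" (every PC supports DMA; the distinguishing feature is the IOMMU), and "With Windows 10, version 1607 or Windows Server 2016" in the lock bullet loses the "Beginning with" of the old text, so it should read "version 1607 or later" to cover the 1709 behaviour this page set already references.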
@ -15,7 +15,9 @@ author: brianlic-msft
- Windows 10
- Windows 10
- Windows Server 2016
- Windows Server 2016
Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, the ability to run malicious executable code is much less likely. With appropriate hardware, Windows Defender Device Guard can use the virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and Windows Server SKUs) to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container.
Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted, it can’t run, period.
With hardware that meets basic qualifications, Windows Defender Device Guard can also use virtualization-based security to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. Even if an attacker manages to get control of the Windows kernel itself, the ability to run malicious executable code is much less likely.
This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:
This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:
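Review bot: the new first paragraph narrows the supported editions to "Windows 10 Enterprise edition and Windows Server", while the removed sentence listed "Enterprise and Education desktop SKUs and Windows Server SKUs"; if Education is still supported, the rewrite silently drops it, so either restore Education or call the change out in the commit message. In the second new paragraph, "the ability to run malicious executable code is much less likely" is grammatically off (an ability is not likely); suggest "it is much less likely that the attacker can run malicious executable code", and tie the claim explicitly to virtualization-based protection of code integrity being enabled, since the preceding sentence makes it conditional on the hardware.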
Binary file not shown.
Before Width: | Height: | Size: 30 KiB After Width: | Height: | Size: 32 KiB |
@ -14,9 +14,9 @@ author: brianlic-msft
- Windows 10
- Windows 10
- Windows Server 2016
- Windows Server 2016
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise.
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise.
Beginning with Windows 10, verwsion 1709, you designate these trusted apps by using Windows Defender Application Control (Windows Defender AC). On previous versions of Windows 10, this is done by creating code integrity policies.
Beginning with Windows 10, version 1709, you designate these trusted apps by using Windows Defender Application Control (Windows Defender AC). On previous versions of Windows 10, this is done by creating code integrity policies.
Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI protects the kernel mode from running unsigned drivers. Beginning with Windows 10 and Windows Server 2016, UMCI is also available to help protect against viruses and malware.
Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI protects the kernel mode from running unsigned drivers. Beginning with Windows 10 and Windows Server 2016, UMCI is also available to help protect against viruses and malware.
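Review bot: this hunk removes "on Windows 10 Enterprise" from the first paragraph, while the overview file edited in the same commit adds "run on Windows 10 Enterprise edition and Windows Server"; the two files now state the supported editions differently, so pick one wording and use it in both. The "verwsion" to "version" fix is correct, and the remaining lines of the hunk are unchanged context.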