Move appropriate articles under OS system security
@ -60,8 +60,8 @@ landingContent:
|
||||
url: operating-system.md
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: System security
|
||||
url: trusted-boot.md
|
||||
- text: Trusted boot
|
||||
url: operating-system-security\system-security\trusted-boot.md
|
||||
- text: Encryption and data protection
|
||||
url: encryption-data-protection.md
|
||||
- text: Windows security baselines
|
||||
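Review bot: The `url:` value `operating-system-security\system-security\trusted-boot.md` under "Trusted boot" uses backslashes as path separators, while every other `url:` in this hunk is a plain file name or a forward-slash path. These values are resolved as URLs, where a backslash is not a path separator, so this should be written as `operating-system-security/system-security/trusted-boot.md`. The hunk also changes the link text from "System security" to "Trusted boot", which the commit title does not mention; confirm that rename is intended.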
@ -136,7 +136,7 @@ landingContent:
|
||||
- text: OneDrive
|
||||
url: /onedrive/onedrive
|
||||
- text: Family safety
|
||||
url: threat-protection/windows-defender-security-center/wdsc-family-options.md
|
||||
url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md
|
||||
# Cards and links should be based on top customer tasks or top subjects
|
||||
# Start card title with a verb
|
||||
# Card (optional)
|
||||
|
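Review bot: The replacement "Family safety" target `operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md` switches to backslashes, whereas the line it replaces (`threat-protection/windows-defender-security-center/wdsc-family-options.md`) and the neighbouring `/onedrive/onedrive` entry use forward slashes. Keep the separator style of the old line and change only the directory prefix.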
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: BitLocker Countermeasures
|
||||
title: BitLocker Countermeasures
|
||||
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
|
||||
ms.reviewer:
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
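Review bot: The `title:` and `ms.reviewer:` lines in this front-matter hunk appear twice with identical visible text, so the change here is whitespace-only and unrelated to moving articles. Either split the whitespace cleanup into its own commit or mention it in the commit message, so that the link changes in the other hunks of this file are easier to pick out when reviewing the move.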
@ -45,7 +45,7 @@ A trusted platform module (TPM) is a microchip designed to provide basic securit
|
||||
|
||||
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
|
||||
|
||||
The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
|
||||
The UEFI specification defines a firmware execution authentication process called [Secure Boot](/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
|
||||
|
||||
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
|
||||
|
||||
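Review bot: The new Secure Boot link `/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md` is a site-absolute path that keeps the `.md` extension, while the other site-absolute link visible in this file, `/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering`, has none. Pick one form: either keep a relative link to the moved file with `.md`, as the old `../secure-the-windows-10-boot-process.md` did, or drop the extension from the absolute path so it matches the existing convention.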
@ -70,11 +70,11 @@ Pre-boot authentication is designed to prevent the encryption keys from being lo
|
||||
|
||||
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
|
||||
|
||||
- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
|
||||
- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
|
||||
|
||||
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
|
||||
|
||||
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
|
||||
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
|
||||
|
||||
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
|
||||
|
||||
@ -86,11 +86,11 @@ Pre-boot authentication with a PIN can mitigate an attack vector for devices tha
|
||||
|
||||
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
|
||||
|
||||
To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
|
||||
To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
|
||||
|
||||
### Protecting Thunderbolt and other DMA ports
|
||||
|
||||
There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
|
||||
There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
|
||||
|
||||
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
|
||||
|
||||
@ -112,7 +112,7 @@ For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mi
|
||||
|
||||
## Attack countermeasures
|
||||
|
||||
This section covers countermeasures for specific types of attacks.
|
||||
This section covers countermeasures for specific types of attacks.
|
||||
|
||||
### Bootkits and rootkits
|
||||
|
||||
@ -142,7 +142,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo
|
||||
### Tricking BitLocker to pass the key to a rogue operating system
|
||||
|
||||
An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
|
||||
|
||||
|
||||
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
|
||||
|
||||
## Attacker countermeasures
|
||||
|
@ -34,7 +34,7 @@ Windows 11 is a natural evolution of its predecessor, Windows 10. We have collab
|
||||
|
||||
With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
|
||||
|
||||
In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
|
||||
In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](/windows/security/operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
|
||||
|
||||
### Robust application security and privacy controls
|
||||
|
||||
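Review bot: In the "hardware and software work together" paragraph, the Secure Boot link becomes `/windows/security/operating-system-security/system-security/trusted-boot.md`, a site-absolute path ending in `.md`, right next to `/windows-hardware/design/device-experiences/oem-vbs`, which is site-absolute without an extension. Use a relative path to the moved file, as the replaced `../trusted-boot.md` did, or remove the `.md` suffix so both links in the sentence follow the same form.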
@ -54,4 +54,4 @@ Microsoft offers comprehensive cloud services for identity, storage, and access
|
||||
|
||||
To learn more about the security features included in Windows 11, download the [Windows 11 Security Book: Powerful security from chip to cloud](https://aka.ms/Windows11SecurityBook).
|
||||
|
||||
[!INCLUDE [ai-disclaimer-generic](../../../includes/ai-disclaimer-generic.md)]
|
||||
[!INCLUDE [ai-disclaimer-generic](../../../includes/ai-disclaimer-generic.md)]
|
||||
|
@ -7,7 +7,7 @@ ms.topic: conceptual
|
||||
|
||||
# VPN and conditional access
|
||||
|
||||
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
|
||||
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
|
||||
|
||||
>[!NOTE]
|
||||
>Conditional Access is an Azure AD Premium feature.
|
||||
@ -16,8 +16,8 @@ Conditional Access Platform components used for Device Compliance include the fo
|
||||
|
||||
- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
|
||||
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
|
||||
- [Windows Health Attestation Service](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation) (optional)
|
||||
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
|
||||
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
|
||||
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
|
||||
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
|
||||
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
|
||||
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
|
||||
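Review bot: The rewritten Windows Health Attestation Service link drops the `#device-health-attestation` fragment that the previous link carried, so it now opens the top of `protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md` instead of the section the bullet refers to. If that heading still exists in the moved article, keep the fragment and change only the path: `../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation`.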
@ -79,19 +79,20 @@ When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Ena
|
||||
|
||||
## Configure conditional access
|
||||
|
||||
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
|
||||
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
|
||||
|
||||
## Learn more about Conditional Access and Azure AD Health
|
||||
|
||||
- [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview)
|
||||
- [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
|
||||
- [Control the health of Windows devices](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
|
||||
- [Control the health of Windows devices](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
|
||||
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
|
||||
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
|
||||
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
|
||||
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
|
||||
|
||||
## Related topics
|
||||
|
||||
- [VPN technical guide](vpn-guide.md)
|
||||
- [VPN connection types](vpn-connection-type.md)
|
||||
- [VPN routing decisions](vpn-routing.md)
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows operating system security
|
||||
description: Securing the operating system includes system security, encryption, network security, and threat protection.
|
||||
ms.reviewer:
|
||||
ms.reviewer:
|
||||
ms.topic: article
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
@ -21,21 +21,20 @@ Use the links in the following table to learn more about the operating system se
|
||||
|
||||
| Security Measures | Features & Capabilities |
|
||||
|:---|:---|
|
||||
| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.<br><br/> Learn more [Secure Boot and Trusted Boot](trusted-boot.md). |
|
||||
Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. <br><br/> Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md). <br/><br/>|
|
||||
Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. <br><br/> Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
|
||||
| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers. <br/><br/> Learn more about [Encryption](encryption-data-protection.md).
|
||||
| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. <br/> <br/> Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). |
|
||||
| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. <br> By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. <br/><br/> Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).|
|
||||
| S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. <br/><br/> Learn more about [S/MIME for Windows](operating-system-security/data-protection/configure-s-mime.md).|
|
||||
| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. <br/><br/>Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.<br/><br/>Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
|
||||
| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. <br><br/>Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).<br/><br/>|
|
||||
| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. <br><br/> Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).<br/><br/>
|
||||
| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on. <br/><br/>From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).<br/><br/>Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.<br/><br/>Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
|
||||
| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.<br><br/> Learn more [Secure Boot and Trusted Boot](system-security/trusted-boot.md). |
|
||||
Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. <br><br/> Learn more about [Cryptography and certificate management](system-security/cryptography-certificate-mgmt.md). <br/><br/>|
|
||||
Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. <br><br/> Learn more about the [Windows Security app](system-security/windows-defender-security-center/windows-defender-security-center.md).|
|
||||
| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers. <br/><br/> Learn more about [Encryption](../encryption-data-protection.md).
|
||||
| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. <br/> <br/> Learn more about [BitLocker](../information-protection/bitlocker/bitlocker-overview.md). |
|
||||
| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. <br> By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. <br/><br/> Learn more about [Encrypted Hard Drives](../information-protection/encrypted-hard-drive.md).|
|
||||
| S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. <br/><br/> Learn more about [S/MIME for Windows](data-protection/configure-s-mime.md).|
|
||||
| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. <br/><br/>Security baselines are included in the [Security Compliance Toolkit](../threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.<br/><br/>Learn more about [security baselines](../threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
|
||||
| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. <br><br/>Learn more about [Virtual Private Networks](network-security/vpn/vpn-guide.md).<br/><br/>|
|
||||
| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. <br><br/> Learn more about [Windows Defender Firewall with advanced security](network-security/windows-firewall/windows-firewall-with-advanced-security.md).<br/><br/>
|
||||
| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on. <br/><br/>From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).<br/><br/>Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.<br/><br/>Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
|
||||
| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.<br/><br/> Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
|
||||
| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user's data, to install malware, or to otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.<br/><br/>With tamper protection, malware is prevented from taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling antivirus (such as IOfficeAntivirus (IOAV))<br/>- Disabling cloud-delivered protection<br/>- Removing security intelligence updates <br/><br/>Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
|
||||
| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user's data, to install malware, or to otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.<br/><br/>With tamper protection, malware is prevented from taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling antivirus (such as IOfficeAntivirus (IOAV))<br/>- Disabling cloud-delivered protection<br/>- Removing security intelligence updates <br/><br/>Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
|
||||
| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses. <br/><br/>In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.<br/><br/> Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
|
||||
| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps' access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. <br/><br/>Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
|
||||
| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. <br/><br/>You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.<br/><br/>Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
|
||||
| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. <br/><br/>You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.<br/><br/>Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
|
||||
| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.<br/><br/>Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.<br/><br/>Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
|
||||
|
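Review bot: Whitespace-only churn: the Anti-tampering protection and Exploit protection rows are removed and re-added with no visible wording change, which makes a commit titled as a file move harder to review. Split the cleanup into its own commit, or at least mention it in the commit message. If the rows are being rewritten anyway, drop the stray space before `<br/>` in "Removing security intelligence updates <br/>".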
@ -1,8 +1,8 @@
|
||||
---
|
||||
title: Cryptography and Certificate Management
|
||||
description: Get an overview of cryptography and certificate management in Windows
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
manager: aaroncz
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
@ -13,10 +13,9 @@ ms.reviewer: skhadeer, raverma
|
||||
|
||||
# Cryptography and Certificate Management
|
||||
|
||||
|
||||
## Cryptography
|
||||
|
||||
Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.
|
||||
Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.
|
||||
|
||||
Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources.
|
||||
|
||||
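Review bot: The re-added Cryptography paragraph still ends with "enabling Windows, applications, and services protect system and user secrets", which is missing "to" before "protect". Since the line is being rewritten anyway, change it to "enabling Windows, applications, and services to protect system and user secrets".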
@ -28,10 +27,10 @@ Windows cryptographic modules provide low-level primitives such as:
|
||||
- Signing and verification (padding support for OAEP, PSS, PKCS1)
|
||||
- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)
|
||||
|
||||
These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
|
||||
These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
|
||||
|
||||
## Certificate management
|
||||
|
||||
Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
|
||||
Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
|
||||
|
||||
Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer.
|
||||
Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer.
|
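Review bot: The certificate management paragraph says the CTL is downloaded daily and, a few sentences later, that adding a certificate as untrusted in the CTL causes it to be revoked "globally across user devices immediately". Those two statements conflict, so reword the second to say when revocation actually takes effect relative to the CTL update. In the context line at the top of the hunk, OAEP is listed as padding under "Signing and verification", but OAEP is an RSA encryption padding scheme, not a signature padding; that bullet deserves a follow-up fix.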
@ -5,18 +5,17 @@ ms.prod: windows-client
|
||||
ms.date: 10/13/2017
|
||||
ms.localizationpriority: medium
|
||||
ms.technology: itpro-security
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
manager: dougeby
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
manager: aaroncz
|
||||
ms.topic: conceptual
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Control the health of Windows devices
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
|
||||
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
|
||||
|
||||
## Introduction
|
||||
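Review bot: The `appliesto` front matter lists Windows 11, but the "Applies to" list and the article text visible here name only Windows 10, and `ms.date` stays at 10/13/2017. Either confirm the article has been validated for Windows 11 and update the date and body wording, or limit `appliesto` to Windows 10. The `author` and `manager` reassignment is also not mentioned in the commit message.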
@ -77,13 +76,13 @@ Access to content is then authorized to the appropriate level of trust for whate
|
||||
|
||||
Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow more verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, further security authentication may need to be established by querying the user to answer a phone call before access is granted.
|
||||
|
||||
### <a href="" id="microsoft-s-security-investments-in-windows-10"></a>Microsoft's security investments in Windows 10
|
||||
### Microsoft's security investments in Windows 10
|
||||
|
||||
In Windows 10, there are three pillars of investments:
|
||||
|
||||
- **Secure identities.** Microsoft is part of the FIDO alliance that aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system and for services like on-premises resources and cloud resources.
|
||||
- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data.
|
||||
- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware.
|
||||
- **Secure identities.** Microsoft is part of the FIDO alliance that aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system and for services like on-premises resources and cloud resources.
|
||||
- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data.
|
||||
- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware.
|
||||
|
||||
### Protect, control, and report on the security status of Windows 10-based devices
|
||||
|
||||
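Review bot: Dropping the explicit `id="microsoft-s-security-investments-in-windows-10"` from the heading leaves the anchor to the auto-generated slug, which may not keep the `microsoft-s` form for "Microsoft's". Search the repo for links to `#microsoft-s-security-investments-in-windows-10` and update them in this commit, or keep the explicit id.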
@ -108,43 +107,43 @@ This section describes what Windows 10 offers in terms of security defenses and
|
||||
### Windows 10 hardware-based security defenses
|
||||
|
||||
The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start.
|
||||
Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section.
|
||||
Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-requirements) section.
|
||||
|
||||
:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png":::
|
||||
|
||||
Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process:
|
||||
|
||||
- **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
|
||||
- **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
|
||||
|
||||
Windows 10 uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
|
||||
Windows 10 uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
|
||||
|
||||
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that aren't compatible with each other:
|
||||
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that aren't compatible with each other:
|
||||
|
||||
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
|
||||
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
|
||||
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
|
||||
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
|
||||
|
||||
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
|
||||
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
|
||||
|
||||
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
|
||||
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
|
||||
|
||||
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
|
||||
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
|
||||
|
||||
- Update crypto strength to meet modern security needs
|
||||
- Update crypto strength to meet modern security needs
|
||||
|
||||
- Support for SHA-256 for PCRs
|
||||
- Support for HMAC command
|
||||
- Support for SHA-256 for PCRs
|
||||
- Support for HMAC command
|
||||
|
||||
- Cryptographic algorithms flexibility to support government needs
|
||||
- Cryptographic algorithms flexibility to support government needs
|
||||
|
||||
- TPM 1.2 is severely restricted in terms of what algorithms it can support
|
||||
- TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
|
||||
- TPM 1.2 is severely restricted in terms of what algorithms it can support
|
||||
- TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
|
||||
|
||||
- Consistency across implementations
|
||||
- Consistency across implementations
|
||||
|
||||
- The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
|
||||
- TPM 2.0 standardizes much of this behavior
|
||||
- The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
|
||||
- TPM 2.0 standardizes much of this behavior
|
||||
|
||||
- **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot doesn't require a TPM.
|
||||
- **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot doesn't require a TPM.
|
||||
|
||||
The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that's signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
|
||||
|
||||
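Review bot: The new fragment `#hardware-requirements` cannot be verified from this hunk because the target heading is not shown. Confirm that the same commit gives the "Hardware requirements" heading a matching anchor, otherwise the link lands nowhere. The re-added TPM bullet also keeps the spacing in "ISO / IEC 11889" while the next bullet writes "ISO/IEC 11889:2015"; make the two consistent while these lines are being touched.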
@ -154,7 +153,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
|
||||
> [!NOTE]
|
||||
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.
|
||||
|
||||
- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration.
|
||||
- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration.
|
||||
|
||||
Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) can't be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed.
|
||||
Secure Boot configuration policy does this protective action with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot.
|
||||
@ -163,7 +162,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
|
||||
|
||||
The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted.
|
||||
|
||||
- **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
|
||||
- **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
|
||||
|
||||
Traditional antimalware apps don't start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
|
||||
|
||||
@ -175,11 +174,12 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
|
||||
The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code.
|
||||
|
||||
The ELAM driver is a small driver with a small policy database that has a narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1).
|
||||
- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10.
|
||||
|
||||
Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtual) section.
|
||||
- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10.
|
||||
|
||||
- **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
|
||||
Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtualization-based-security) section.
|
||||
|
||||
- **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
|
||||
|
||||
When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup.
|
||||
|
||||
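Review bot: The retargeted sentence still reads "see [Virtualization-based security](#virtualization-based-security) section", missing "the" before the link; the Hardware requirements reference earlier in the file has it. Fix the wording while the line is being changed.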
@ -191,13 +191,13 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
|
||||
The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It's configurable by using a policy.
|
||||
Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy.
|
||||
|
||||
- **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation.
|
||||
- **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation.
|
||||
|
||||
In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack.
|
||||
|
||||
This attack-free state is accomplished by using Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. This accomplishment means that even if the Windows kernel is compromised, an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this unauthorized access because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory.
|
||||
|
||||
- **Health attestation.** The device's firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device's health.
|
||||
- **Health attestation.** The device's firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device's health.
|
||||
|
||||
Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset.
|
||||
|
||||
@ -207,7 +207,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
|
||||
|
||||
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation won't stop the boot process and enter remediation when a measurement doesn't work. But with conditional access control, health attestation will help to prevent access to high-value assets.
|
||||
|
||||
### <a href="" id="virtual"></a>Virtualization-based security
|
||||
### Virtualization-based security
|
||||
|
||||
Virtualization-based security provides a new trust boundary for Windows 10 and uses Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data.
|
||||
|
||||
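Review bot: Removing `id="virtual"` from this heading breaks any link to `#virtual` from outside this file. The in-file reference is updated to `#virtualization-based-security` earlier in the patch, so search the other moved articles for the old fragment before merging.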
@ -215,14 +215,13 @@ Virtualization-based security helps to protect against a compromised kernel or a
|
||||
|
||||
The following Windows 10 services are protected with virtualization-based security:
|
||||
|
||||
- **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory
|
||||
- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
|
||||
- **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
|
||||
- **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory
|
||||
- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
|
||||
- **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
|
||||
|
||||
> [!NOTE]
|
||||
> Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.
|
||||
|
||||
|
||||
The schema below is a high-level view of Windows 10 with virtualization-based security.
|
||||
|
||||
:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png":::
|
||||
@ -234,8 +233,8 @@ remote machines, which mitigates many PtH-style attacks.
|
||||
|
||||
Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:
|
||||
|
||||
- **The per-boot key** is used for any in-memory credentials that don't require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key.
|
||||
- **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
|
||||
- **The per-boot key** is used for any in-memory credentials that don't require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key.
|
||||
- **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
|
||||
Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This activation is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that
|
||||
credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins.
|
||||
|
||||
@ -254,8 +253,8 @@ With Device Guard in Windows 10, organizations are now able to define their own
|
||||
|
||||
Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny:
|
||||
|
||||
- **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
|
||||
- **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application.
|
||||
- **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
|
||||
- **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application.
|
||||
|
||||
At the time of this writing, and according to Microsoft's latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
|
||||
|
||||
@ -263,9 +262,9 @@ Device Guard needs to be planned and configured to be truly effective. It isn't
|
||||
|
||||
There are three different parts that make up the Device Guard solution in Windows 10:
|
||||
|
||||
- The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start.
|
||||
- After the hardware security feature, there's the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security.
|
||||
- The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
|
||||
- The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start.
|
||||
- After the hardware security feature, there's the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security.
|
||||
- The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
|
||||
|
||||
For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
|
||||
|
||||
@ -325,11 +324,11 @@ Device health attestation uses the TPM to provide cryptographically strong and v
|
||||
|
||||
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
|
||||
|
||||
For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section.
|
||||
For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-an-unhealthy-windows-10-based-device) section.
|
||||
|
||||
[!INCLUDE [device-health-attestation-service](../../../includes/licensing/device-health-attestation-service.md)]
|
||||
[!INCLUDE [device-health-attestation-service](../../../../includes/licensing/device-health-attestation-service.md)]
|
||||
|
||||
### <a href="" id="hardware-req"></a>Hardware requirements
|
||||
### Hardware requirements
|
||||
|
||||
The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
|
||||
|
||||
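Review bot: The `[!INCLUDE [device-health-attestation-service](...)]` path goes from three `../` segments to four, which is only correct if this article now sits exactly one directory deeper than it did before the move. Please confirm from a docs build that the include still resolves from the new location, since a wrong depth leaves the licensing include unresolved on the rendered page.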
@ -343,7 +342,7 @@ The following table details the hardware requirements for both virtualization-ba
|
||||
|
||||
This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
|
||||
|
||||
## <a href="" id="detect-unhealthy"></a>Detect an unhealthy Windows 10-based device
|
||||
## Detect an unhealthy Windows 10-based device
|
||||
|
||||
As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
|
||||
|
||||
@ -394,14 +393,14 @@ When you start a device equipped with TPM, a measurement of different components
|
||||
|
||||
The health attestation process works as follows:
|
||||
|
||||
1. Hardware boot components are measured.
|
||||
2. Operating system boot components are measured.
|
||||
3. If Device Guard is enabled, current Device Guard policy is measured.
|
||||
4. Windows kernel is measured.
|
||||
5. Antivirus software is started as the first kernel mode driver.
|
||||
6. Boot start drivers are measured.
|
||||
7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
|
||||
8. Boot measurements are validated by the Health Attestation Service
|
||||
1. Hardware boot components are measured.
|
||||
2. Operating system boot components are measured.
|
||||
3. If Device Guard is enabled, current Device Guard policy is measured.
|
||||
4. Windows kernel is measured.
|
||||
5. Antivirus software is started as the first kernel mode driver.
|
||||
6. Boot start drivers are measured.
|
||||
7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP.
|
||||
8. Boot measurements are validated by the Health Attestation Service
|
||||
|
||||
> [!NOTE]
|
||||
> By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder.
|
||||
@ -409,16 +408,16 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
|
||||
|
||||
The following process describes how health boot measurements are sent to the health attestation service:
|
||||
|
||||
1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
|
||||
2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
|
||||
3. The remote device heath attestation service then:
|
||||
1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
|
||||
2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
|
||||
3. The remote device heath attestation service then:
|
||||
|
||||
1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
|
||||
2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
|
||||
3. Parses the properties in the TCG log.
|
||||
4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
|
||||
1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked.
|
||||
2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
|
||||
3. Parses the properties in the TCG log.
|
||||
4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service.
|
||||
|
||||
4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
|
||||
4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
|
||||
|
||||
:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::
|
||||
|
||||
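Review bot: Step 3 of the list still reads "The remote device heath attestation service then:" after being rewritten. Since the line is touched anyway, correct "heath" to "health". In the same list, please check in the rendered preview that the nested steps 1 to 4 are indented far enough to stay under step 3, so that the outer "4. The client stores the health encrypted blob..." continues the numbering instead of starting a new list.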
@ -426,7 +425,7 @@ The following process describes how health boot measurements are sent to the hea
|
||||
|
||||
The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section.
|
||||
|
||||
### <a href="" id="trusted-platform-module-"></a>Trusted Platform Module
|
||||
### Trusted Platform Module
|
||||
|
||||
This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
|
||||
|
||||
@ -434,11 +433,11 @@ In a simplified manner, the TPM is a passive component with limited resources. I
|
||||
|
||||
A TPM incorporates in a single component:
|
||||
|
||||
- An RSA 2048-bit key generator
|
||||
- A random number generator
|
||||
- Nonvolatile memory for storing EK, SRK, and AIK keys
|
||||
- A cryptographic engine to encrypt, decrypt, and sign
|
||||
- Volatile memory for storing the PCRs and RSA keys
|
||||
- An RSA 2048-bit key generator
|
||||
- A random number generator
|
||||
- Nonvolatile memory for storing EK, SRK, and AIK keys
|
||||
- A cryptographic engine to encrypt, decrypt, and sign
|
||||
- Volatile memory for storing the PCRs and RSA keys
|
||||
|
||||
### Endorsement key
|
||||
|
||||
@ -450,15 +449,15 @@ The endorsement key acts as an identity card for the TPM. For more information,
|
||||
|
||||
The endorsement key is often accompanied by one or two digital certificates:
|
||||
|
||||
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
|
||||
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
|
||||
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
|
||||
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
|
||||
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
|
||||
|
||||
> [!NOTE]
|
||||
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs:
|
||||
|
||||
- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
|
||||
- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
|
||||
- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
|
||||
- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**
|
||||
|
||||
### Attestation Identity Keys
|
||||
|
||||
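Review bot: The two firmware TPM bullets ("For Intel firmware TPM" and "For Qualcomm firmware TPM") are re-added without a leading `>`, so they render outside the `[!NOTE]` block even though the note ends with "you must authorize the following URLs:". Prefix both bullets (and the blank line before them) with `>` so the allow-list stays attached to the note. The URLs are also wrapped as bold around triple backticks. A single-backtick code span without the bold is enough and makes the hosts easier to copy into a proxy or firewall rule without stray characters.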
@ -506,7 +505,7 @@ If the TPM ownership isn't known but the EK exists, the client library will prov
|
||||
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**
|
||||
|
||||
> [!NOTE]
|
||||
> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: <b>https://\*.microsoftaik.azure.net</b>
|
||||
> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: `https://\*.microsoftaik.azure.net`
|
||||
|
||||
### Windows 10 Health Attestation CSP
|
||||
|
||||
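Review bot: In the AIK provisioning note, moving the wildcard URL from `<b>...</b>` into a code span keeps the `\*` escape, but a backslash is literal inside backticks, so readers will see and copy the host with the backslash in it. Drop the backslash so the code span reads `https://*.microsoftaik.azure.net`. Admins paste this value into egress filtering rules, and a pattern containing the backslash will not match the AIK provisioning endpoint.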
@ -514,10 +513,10 @@ Windows 10 contains a configuration service provider (CSP) specialized for inter
|
||||
|
||||
The following list is that of the functions performed by the Windows 10 Health Attestation CSP:
|
||||
|
||||
- Collects data that is used to verify a device's health status
|
||||
- Forwards the data to the Health Attestation Service
|
||||
- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
|
||||
- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
|
||||
- Collects data that is used to verify a device's health status
|
||||
- Forwards the data to the Health Attestation Service
|
||||
- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
|
||||
- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
|
||||
|
||||
During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs' values that are measured during the boot, by using a secure communication channel to the Health Attestation Service.
|
||||
|
||||
@ -532,21 +531,21 @@ The role of Windows Health Attestation Service is essentially to evaluate a set
|
||||
|
||||
Checking that a TPM attestation and the associated log are valid takes several steps:
|
||||
|
||||
1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
|
||||
2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
|
||||
3. Next the logs should be checked to ensure that they match the PCR values reported.
|
||||
4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
|
||||
1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
|
||||
2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
|
||||
3. Next the logs should be checked to ensure that they match the PCR values reported.
|
||||
4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.
|
||||
|
||||
The Health Attestation Service provides the following information to an MDM solution about the health of the device:
|
||||
|
||||
- Secure Boot enablement
|
||||
- Boot and kernel debug enablement
|
||||
- BitLocker enablement
|
||||
- VSM enabled
|
||||
- Signed or unsigned Device Guard Code Integrity policy measurement
|
||||
- ELAM loaded
|
||||
- Safe Mode boot, DEP enablement, test signing enablement
|
||||
- Device TPM has been provisioned with a trusted endorsement certificate
|
||||
- Secure Boot enablement
|
||||
- Boot and kernel debug enablement
|
||||
- BitLocker enablement
|
||||
- VSM enabled
|
||||
- Signed or unsigned Device Guard Code Integrity policy measurement
|
||||
- ELAM loaded
|
||||
- Safe Mode boot, DEP enablement, test signing enablement
|
||||
- Device TPM has been provisioned with a trusted endorsement certificate
|
||||
|
||||
For completeness of the measurements, see [Health Attestation CSP](/windows/client-management/mdm/healthattestation-csp).
|
||||
|
||||
@ -562,29 +561,29 @@ To make device health relevant, the MDM solution evaluates the device health rep
|
||||
|
||||
A solution that uses MDM and the Health Attestation Service consists of three main parts:
|
||||
|
||||
1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
|
||||
2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
|
||||
3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
|
||||
1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
|
||||
2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
|
||||
3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
|
||||
|
||||
:::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
|
||||
|
||||
Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
|
||||
|
||||
1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
|
||||
2. The MDM server specifies a nonce along with the request.
|
||||
3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
|
||||
4. The MDM server:
|
||||
1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
|
||||
2. The MDM server specifies a nonce along with the request.
|
||||
3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
|
||||
4. The MDM server:
|
||||
|
||||
1. Verifies that the nonce is as expected.
|
||||
2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
|
||||
1. Verifies that the nonce is as expected.
|
||||
2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
|
||||
|
||||
5. The Health Attestation Service:
|
||||
5. The Health Attestation Service:
|
||||
|
||||
1. Decrypts the health blob.
|
||||
2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
|
||||
3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
|
||||
4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
|
||||
5. Sends data back to the MDM server including health parameters, freshness, and so on.
|
||||
1. Decrypts the health blob.
|
||||
2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob.
|
||||
3. Verifies that the nonce matches in the quote and the one that is passed from MDM.
|
||||
4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
|
||||
5. Sends data back to the MDM server including health parameters, freshness, and so on.
|
||||
|
||||
> [!NOTE]
|
||||
> The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
|
||||
@ -625,7 +624,7 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bui
|
||||
|
||||
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users.
|
||||
|
||||
### <a href="" id="management-of-windows-defender-by-third-party-mdm-"></a>Management of Windows Defender by third-party MDM
|
||||
### Management of Windows Defender by third-party MDM
|
||||
|
||||
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
|
||||
|
||||
@ -641,7 +640,7 @@ If the device isn't registered, the user will get a message with instructions on
|
||||
|
||||
:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
|
||||
|
||||
### <a href="" id="office-365-conditional-access-control-"></a>Office 365 conditional access control
|
||||
### Office 365 conditional access control
|
||||
|
||||
Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
|
||||
target groups.
|
||||
@ -663,20 +662,20 @@ Depending on the type of email application that employees use to access Exchange
|
||||
|
||||
Clients that attempt to access Office 365 will be evaluated for the following properties:
|
||||
|
||||
- Is the device managed by an MDM?
|
||||
- Is the device registered with Azure AD?
|
||||
- Is the device compliant?
|
||||
- Is the device managed by an MDM?
|
||||
- Is the device registered with Azure AD?
|
||||
- Is the device compliant?
|
||||
|
||||
To get to a compliant state, the Windows 10-based device needs to:
|
||||
|
||||
- Enroll with an MDM solution.
|
||||
- Register with Azure AD.
|
||||
- Be compliant with the device policies set by the MDM solution.
|
||||
- Enroll with an MDM solution.
|
||||
- Register with Azure AD.
|
||||
- Be compliant with the device policies set by the MDM solution.
|
||||
|
||||
> [!NOTE]
|
||||
> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
|
||||
|
||||
### <a href="" id="cloud-and-on-premises-apps-conditional-access-control-"></a>Cloud and on-premises apps conditional access control
|
||||
### Cloud and on-premises apps conditional access control
|
||||
|
||||
Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
|
||||
|
||||
@ -689,22 +688,22 @@ For more information about conditional access, see [Azure Conditional Access Pre
|
||||
|
||||
For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
|
||||
|
||||
- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
|
||||
- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
|
||||
- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
|
||||
- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
|
||||
|
||||
:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
|
||||
|
||||
The following process describes how Azure AD conditional access works:
|
||||
|
||||
1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
|
||||
2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
|
||||
3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
|
||||
4. User logs on and the MDM agent contacts the Intune/MDM server.
|
||||
5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
|
||||
6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
|
||||
7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
|
||||
8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
|
||||
9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
|
||||
1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
|
||||
2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
|
||||
3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
|
||||
4. User logs on and the MDM agent contacts the Intune/MDM server.
|
||||
5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
|
||||
6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
|
||||
7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
|
||||
8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
|
||||
9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
|
||||
10. Intune/MDM server updates compliance state against device object in Azure AD.
|
||||
11. User opens app, attempts to access a corporate managed asset.
|
||||
12. Access gated by compliance claim in Azure AD.
|
||||
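Review bot: Step 9 is re-emitted with its wording unchanged, and "evaluates compliance based on the compliance and the queried inventory/health attestation state" still reads as circular. Since the list is being rewritten anyway, state what compliance is evaluated against, for example the compliance policy. The old and new text of steps 1 through 9 and of both bullets look identical, so if this is whitespace-only cleanup, say so in the commit message.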
@ -719,43 +718,43 @@ Conditional access control is a topic that many organizations and IT pros may no
|
||||
|
||||
The following list contains high-level key takeaways to improve the security posture of any organization. However, the few takeaways presented in this section shouldn't be interpreted as an exhaustive list of security best practices.
|
||||
|
||||
- **Understand that no solution is 100 percent secure**
|
||||
- **Understand that no solution is 100 percent secure**
|
||||
|
||||
If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.
|
||||
|
||||
- **Use health attestation with an MDM solution**
|
||||
- **Use health attestation with an MDM solution**
|
||||
|
||||
Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked.
|
||||
|
||||
- **Use Credential Guard**
|
||||
- **Use Credential Guard**
|
||||
|
||||
Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks.
|
||||
|
||||
- **Use Device Guard**
|
||||
- **Use Device Guard**
|
||||
|
||||
Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization).
|
||||
|
||||
- **Sign Device Guard policy**
|
||||
- **Sign Device Guard policy**
|
||||
|
||||
Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard later is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy.
|
||||
|
||||
- **Use virtualization-based security**
|
||||
- **Use virtualization-based security**
|
||||
|
||||
When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers.
|
||||
|
||||
- **Start to deploy Device Guard with Audit mode**
|
||||
- **Start to deploy Device Guard with Audit mode**
|
||||
|
||||
Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode.
|
||||
|
||||
- **Build an isolated reference machine when deploying Device Guard**
|
||||
- **Build an isolated reference machine when deploying Device Guard**
|
||||
|
||||
Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices.
|
||||
|
||||
- **Use AppLocker when it makes sense**
|
||||
- **Use AppLocker when it makes sense**
|
||||
|
||||
Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows application for a specific user or a group of users.
|
||||
|
||||
- **Lock down firmware and configuration**
|
||||
- **Lock down firmware and configuration**
|
||||
|
||||
After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool.
|
||||
|
||||
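Review bot: In the "Sign Device Guard policy" paragraph, "from a signer specify as part of the Device Guard policy" should read "a signer specified as part of the Device Guard policy". The bullets in this hunk are touched with no visible text change, so this is a cheap place to fix it.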
@ -765,4 +764,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
|
||||
|
||||
- [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
|
||||
- [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
|
||||
- [Trusted Platform Module technology overview](../information-protection/tpm/trusted-platform-module-overview.md)
|
||||
- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
|
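Review bot: The Trusted Platform Module link is the only entry in this list that uses a relative path with an `.md` extension; the two links above it use site-absolute paths. Changing `../` to `../../` ties the link to the file's new depth, so it will break again on the next move. Confirm the new target resolves in the build, and consider a site-absolute path to match the other entries.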
@ -11,13 +11,13 @@ ms.collection:
|
||||
ms.topic: conceptual
|
||||
ms.date: 03/09/2023
|
||||
ms.technology: itpro-security
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
---
|
||||
|
||||
# Secure the Windows boot process
|
||||
|
||||
|
||||
The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
|
||||
|
||||
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
|
||||
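Review bot: The new `appliesto` entries write the anchor attributes unquoted (`href=https://... target=_blank`), while the Windows Security app articles in this same change quote them (`href="..." target="_blank"`). Quote the values here for consistency and so the URL cannot be misparsed. The body text still says "the Windows 10 OS includes a series of security features" although the front matter now lists Windows 11 first; consider aligning it.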
@ -52,7 +52,7 @@ Figure 1 shows the Windows startup process.
|
||||
|
||||
.png)
|
||||
|
||||
*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
|
||||
*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*:
|
||||
|
||||
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
|
||||
|
||||
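Review bot: The new Figure 1 caption ends with a colon outside the emphasis (`*Figure 1. ...*:`), which looks like a stray character: the caption is followed by an ordinary paragraph, not by a list or block that it introduces. Drop the colon and keep the caption as it was.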
@ -82,21 +82,17 @@ These requirements help protect you from rootkits while allowing you to run any
|
||||
|
||||
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
|
||||
|
||||
The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
|
||||
The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
|
||||
|
||||
To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps:
|
||||
|
||||
1. Open the firmware menu, either:
|
||||
|
||||
- Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
|
||||
1. Open the firmware menu, either:
|
||||
- Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
|
||||
- Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
|
||||
2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
|
||||
3. Save changes and exit.
|
||||
|
||||
- Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
|
||||
|
||||
2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
|
||||
|
||||
3. Save changes and exit.
|
||||
|
||||
Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
|
||||
Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
|
||||
|
||||
Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
|
||||
|
||||
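Review bot: The "default state of Secure Boot" paragraph is rewritten but keeps two defects: "increase s the attack surface" has a stray space, and the firmware-level rootkit link has a space after the opening parenthesis (`]( https://www.darkreading.com/...`), which can stop the link from rendering. Fix both while the line is being changed. In the "Or, if Windows is already installed" bullet, "select Power ( )" has empty parentheses where an icon or label seems to be missing.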
@ -129,13 +125,12 @@ Depending on the implementation and configuration, the server can now determine
|
||||
|
||||
Figure 2 illustrates the Measured Boot and remote attestation process.
|
||||
|
||||
|
||||
|
||||
.png)
|
||||
|
||||
*Figure 2. Measured Boot proves the PC's health to a remote server*
|
||||
*Figure 2. Measured Boot proves the PC's health to a remote server*:
|
||||
|
||||
Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
|
||||
|
||||
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
|
||||
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
|
||||
|
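Review bot: The Figure 2 caption gets a trailing colon after the closing emphasis (`*Figure 2. ...*:`) but is followed by a plain paragraph, so the colon should be dropped. The next paragraph says "you'll need non-Microsoft tools" and then lists tools "from Microsoft Research"; that wording predates this change but is worth reconciling while the section is open.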
@ -1,28 +1,28 @@
|
||||
items:
|
||||
- name: Secure the Windows boot process
|
||||
href: ../../information-protection/secure-the-windows-10-boot-process.md
|
||||
href: secure-the-windows-10-boot-process.md
|
||||
- name: Secure Boot and Trusted Boot
|
||||
href: ../../trusted-boot.md
|
||||
- name: Measured Boot
|
||||
href: trusted-boot.md
|
||||
- name: Measured Boot 🔗
|
||||
href: /windows/compatibility/measured-boot
|
||||
- name: Device health attestation service
|
||||
href: ../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
|
||||
href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
|
||||
- name: Cryptography and certificate management
|
||||
href: ../../cryptography-certificate-mgmt.md
|
||||
href: cryptography-certificate-mgmt.md
|
||||
- name: The Windows Security app
|
||||
href: ../../threat-protection/windows-defender-security-center/windows-defender-security-center.md
|
||||
href: windows-defender-security-center/windows-defender-security-center.md
|
||||
items:
|
||||
- name: Virus & threat protection
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
|
||||
href: windows-defender-security-center\wdsc-virus-threat-protection.md
|
||||
- name: Account protection
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-account-protection.md
|
||||
href: windows-defender-security-center\wdsc-account-protection.md
|
||||
- name: Firewall & network protection
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
|
||||
href: windows-defender-security-center\wdsc-firewall-network-protection.md
|
||||
- name: App & browser control
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
|
||||
href: windows-defender-security-center\wdsc-app-browser-control.md
|
||||
- name: Device security
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-device-security.md
|
||||
href: windows-defender-security-center\wdsc-device-security.md
|
||||
- name: Device performance & health
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
|
||||
href: windows-defender-security-center\wdsc-device-performance-health.md
|
||||
- name: Family options
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-family-options.md
|
||||
href: windows-defender-security-center\wdsc-family-options.md
|
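Review bot: The new `href` values for the Windows Security app child items keep backslash separators (`windows-defender-security-center\wdsc-virus-threat-protection.md`), while the parent entry rewritten in this hunk uses a forward slash (`windows-defender-security-center/windows-defender-security-center.md`). Use forward slashes throughout so the paths resolve the same way on every build platform. The "🔗" that appears to be added to the "Measured Boot" name should also be confirmed as intentional, since no other entry in this TOC carries it.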
@ -21,7 +21,7 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
|
||||
|
||||
The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
|
||||
|
||||
As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
|
||||
As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.
|
||||
|
||||
## Trusted Boot
|
||||
|
||||
@ -29,8 +29,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo
|
||||
|
||||
Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
|
||||
|
||||
[!INCLUDE [secure-boot-and-trusted-boot](../../includes/licensing/secure-boot-and-trusted-boot.md)]
|
||||
[!INCLUDE [secure-boot-and-trusted-boot](../../../../includes/licensing/secure-boot-and-trusted-boot.md)]
|
||||
|
||||
## See also
|
||||
|
||||
[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
|
||||
[Secure the Windows boot process](secure-the-windows-10-boot-process.md)
|
@ -0,0 +1,44 @@
|
||||
---
|
||||
title: Account protection in the Windows Security app
|
||||
description: Use the Account protection section to manage security for your account and sign in to Microsoft.
|
||||
ms.prod: windows-client
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
|
||||
# Account protection
|
||||
|
||||
The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
|
||||
|
||||
- [Microsoft Account](https://account.microsoft.com/account/faq)
|
||||
- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
|
||||
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
|
||||
|
||||
You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
|
||||
|
||||
## Hide the Account protection section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
You can only configure these settings by using Group Policy.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
|
||||
1. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Account protection**.
|
||||
1. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
> 
|
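Review bot: Step 2 sends the reader to **Computer configuration** and then straight to **Administrative templates**, while the App and browser control article in this same change goes through **Policies** first ("select **Policies** and then **Administrative templates**"). Make the navigation path the same in both. Also, "You can only configure these settings by using Group Policy" largely repeats the sentence two lines above it, and `ms.date: 12/31/2018` is carried into a file added at a new path; update it if the content was reviewed.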
@ -8,14 +8,13 @@ ms.date: 12/31/2018
|
||||
manager: aaroncz
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# App and browser control
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 and later
|
||||
|
||||
The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
|
||||
|
||||
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).
|
||||
@ -32,13 +31,9 @@ You can only prevent users from modifying Exploit protection settings by using G
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
|
||||
|
||||
4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
## Hide the App & browser control section
|
||||
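Review bot: Steps 1 and 4 say "click **Edit**" and "Click **OK**", while the Account protection article added in this change uses "select" for the same steps. Since the list is being reflowed here, switch to "select" so the Windows Security app articles read consistently.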
@ -51,13 +46,9 @@ This section can be hidden only by using Group Policy.
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
|
||||
|
||||
4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
@ -7,14 +7,13 @@ ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Customize the Windows Security app for your organization
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 and later
|
||||
|
||||
You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
|
||||
|
||||

|
||||
@ -36,11 +35,8 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
|
||||
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
|
||||
|
||||
4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:
|
||||
|
||||
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
|
||||
@ -51,8 +47,8 @@ There are two stages to using the contact card and customized notifications. Fir
|
||||
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
|
||||
|
||||
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
|
||||
|
||||
1. **Specify contact email address or Email ID**
|
||||
2. **Specify contact phone number or Skype ID**
|
||||
3. **Specify contact website**
|
@ -7,47 +7,36 @@ author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
|
||||
# Device performance and health
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
|
||||
The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
|
||||
|
||||
The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
|
||||
|
||||
|
||||
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
|
||||
## Hide the Device performance & health section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Device performance and health**.
|
||||
1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Device performance and health**.
|
||||
|
||||
6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
>[!NOTE]
|
||||
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
>
|
||||
> 
|
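Review bot: Step 1 of the rewritten list still links **Group Policy Management Console** to `/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)`, which is archived Windows Server 2008 content, while the front matter now declares the article for Windows 11 and Windows 10. Since the steps are being rewritten here anyway, consider pointing the link at current Group Policy documentation. Also, "This section can be hidden only by using Group Policy." repeats the paragraph directly above it; the new Device security article in this change folds both statements into one paragraph, and the same could be done here.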
@ -0,0 +1,61 @@
|
||||
---
|
||||
title: Device security in the Windows Security app
|
||||
description: Use the Device security section to manage security built into your device, including virtualization-based security.
|
||||
ms.prod: windows-client
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
manager: aaroncz
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Device security
|
||||
|
||||
The **Device security** section contains information and settings for built-in device security.
|
||||
|
||||
You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
## Hide the Device security section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
|
||||
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
> 
|
||||
|
||||
## Disable the Clear TPM button
|
||||
|
||||
If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
|
||||
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
## Hide the TPM Firmware Update recommendation
|
||||
|
||||
If you don't want users to see the recommendation to update TPM firmware, you can disable it.
|
||||
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
|
||||
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
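Review bot: "Hide the TPM Firmware Update recommendation" is the only one of the three procedures in this new file without an `[!IMPORTANT]` version requirement; "Hide the Device security section" states version 1803 or later and "Disable the Clear TPM button" states version 1809 or later. As written, an administrator cannot tell which ADMX/ADML templates contain this setting. Please add the minimum Windows version in the same form as the other two sections. Minor: the steps mix "click **Edit**" with "select **Administrative templates**"; pick one verb.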
@ -0,0 +1,42 @@
|
||||
---
|
||||
title: Family options in the Windows Security app
|
||||
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
|
||||
ms.prod: windows-client
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
|
||||
# Family options
|
||||
|
||||
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
|
||||
|
||||
Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
|
||||
|
||||
In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
|
||||
|
||||
## Hide the Family options section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Family options**.
|
||||
1. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
> 
|
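Review bot: The link text in the "Home users can learn more" line reads "Help protection your family online in Windows Security", which should be "Help protect your family online", and the sentence has no closing period. The next paragraph says "In Windows 10, version 1709, the section can be hidden", while the requirement note further down says "version 1709 or later"; add "and later" there so the two agree.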
@ -0,0 +1,38 @@
|
||||
---
|
||||
title: Firewall and network protection in the Windows Security app
|
||||
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Firewall and network protection
|
||||
|
||||
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
|
||||
|
||||
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
## Hide the Firewall & network protection section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
|
||||
1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
|
||||
1. Deploy the updated GPO as you normally do.
|
||||
|
||||
> [!NOTE]
|
||||
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
> 
|
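Review bot: The second paragraph says "This information is useful if you don't want employees in your organization to see or have access to user-configured options", but the sentence is about the ability to hide the section, not about information; the other articles in this change use "This option can be useful". The front matter also has no `ms.prod`, while the Device security and Family options files added alongside it set `ms.prod: windows-client`, and steps 1 and 5 lack the Group Policy Management Console and GPO deployment links that the sibling articles carry. Worth aligning these unless the omissions are deliberate.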
@ -7,14 +7,13 @@ ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Hide Windows Security app notifications
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 and later
|
||||
|
||||
The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
|
||||
|
||||
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
|
||||
@ -28,30 +27,21 @@ If you set **Hide all notifications** to **Enabled**, changing the **Hide non-cr
|
||||
|
||||
You can only use Group Policy to change these settings.
|
||||
|
||||
|
||||
|
||||
## Use Group Policy to hide non-critical notifications
|
||||
|
||||
You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).
|
||||
|
||||
These notifications can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>
|
||||
> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
|
||||
|
||||
2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
|
||||
|
||||
6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
|
||||
1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
## Use Group Policy to hide all notifications
|
||||
|
||||
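Review bot: The renumbered procedure no longer contains the step "Download the latest Administrative Templates (.admx) for Windows 10, v2004" that the previous list opened with, yet the `[!IMPORTANT]` note still says the templates for earlier versions do not include these settings. If the removal is intentional, the note should say where suitable templates come from; otherwise restore the step. In step 3, the sentence ending "**Windows components > Windows Defender Security Center > Notifications**" is also missing its closing period, which the same step in the "hide all notifications" procedure has.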
@ -59,22 +49,18 @@ You can hide all notifications that are sourced from the Windows Security app. T
|
||||
|
||||
These notifications can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>
|
||||
> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
|
||||
|
||||
> [!NOTE]
|
||||
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
|
||||
|
||||
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
1. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> You can use the following registry key and DWORD value to **Hide all notifications**.
|
||||
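Review bot: Step 3 and the `[!NOTE]` after it give overlapping path guidance. Step 3 names **Windows components > Windows Security > Notifications** and a different path for version 1803 and below, the note then repeats the same Windows Security path "For Windows 10 version 2004 and above", and the requirement above says the setting needs version 1903 or higher. A reader on a version between those cannot tell which path applies. Suggest stating the path once per version range and dropping the note. Separately, "These notifications can be hidden only by using Group Policy." conflicts with the closing note that offers a registry key and DWORD value for **Hide all notifications**; reword one of the two.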
@ -95,7 +81,7 @@ These notifications can be hidden only by using Group Policy.
|
||||
| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification|
|
||||
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
|
||||
| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
|
||||
| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
|
||||
| Remediation failure | Microsoft Defender Antivirus couldn't completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
|
||||
@ -109,7 +95,7 @@ These notifications can be hidden only by using Group Policy.
|
||||
| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
|
||||
| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
|
||||
| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
|
||||
| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
|
||||
| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You're also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
|
||||
| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification|
|
||||
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
|
||||
@ -131,4 +117,4 @@ These notifications can be hidden only by using Group Policy.
|
||||
| Dynamic lock on, bluetooth on, but device unpaired | | | No |Account protection notification|
|
||||
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |Account protection notification|
|
||||
| NoPa or federated no hello | | | No |Account protection notification|
|
||||
| NoPa or federated hello broken | | | No |Account protection notification|
|
||||
| NoPa or federated hello broken | | | No |Account protection notification|
|
@ -2,28 +2,22 @@
|
||||
title: Virus and threat protection in the Windows Security app
|
||||
description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
|
||||
keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: windows-client
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.reviewer:
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.technology: itpro-security
|
||||
ms.date: 12/31/2017
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Virus and threat protection
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
|
||||
|
||||
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
|
||||
@ -33,38 +27,31 @@ IT administrators and IT pros can get more configuration information from these
|
||||
- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
|
||||
- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
|
||||
- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
|
||||
- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
|
||||
- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
|
||||
- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
|
||||
- [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
|
||||
- [Ransomware detection and recovering your files](https://support.office.com/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
|
||||
|
||||
You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
|
||||
|
||||
|
||||
## Hide the Virus & threat protection section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
|
||||
1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
|
||||
|
||||
6. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
>[!NOTE]
|
||||
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
>
|
||||
> 
|
||||
|
||||
## Hide the Ransomware protection area
|
||||
|
||||
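Review bot: The two external links had the `/en-us/` segment removed from the path, but the "Ransomware detection and recovering your files" URL still ends in `?ui=en-US&rs=en-US&ad=US`, so it still carries locale parameters. Drop the query string as well so this link is locale-neutral like the Office blog link above it.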
@ -72,17 +59,11 @@ You can choose to hide the **Ransomware protection** area by using Group Policy.
|
||||
|
||||
This area can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
>
|
||||
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
|
||||
|
||||
6. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
|
||||
1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
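Review bot: The rewritten steps in this hunk still say "click **Edit**", "click **Administrative templates**" and "Click **OK**", while the Account protection article in the same change set uses "select" for the same actions. Every step line is already being rewritten to the `1.` auto-numbering form, so switch the verb here as well to keep the moved articles consistent. Please also confirm the setting name in step 4, **Hide the Ransomware data recovery area**, since the section heading and intro call it the **Ransomware protection** area.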
@ -1,32 +1,26 @@
|
||||
---
|
||||
title: The Windows Security app
|
||||
description: The Windows Security app brings together common Windows security features into one place.
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.reviewer:
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.technology: itpro-security
|
||||
ms.collection:
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
ms.date: 12/31/2017
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# The Windows Security app
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
This library describes the Windows Security app, and provides information on configuring certain features, including:
|
||||
|
||||
<a id="customize-notifications-from-the-windows-defender-security-center"></a>
|
||||
|
||||
- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
|
||||
- [Hiding notifications](wdsc-hide-notifications.md)
|
||||
|
||||
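Review bot: The `ms.reviewer:` and `ms.collection:` lines in the front matter each appear twice with identical visible text, so those edits look like trailing-whitespace cleanup mixed into a file move; say so in the commit message or split it out so the move is easy to audit. The front matter also carries an `appliesto:` list for Windows 11 and Windows 10 while the body has an **Applies to** list naming the same two versions. If both survive this change, drop the body list so the supported versions are stated in one place.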
@ -52,7 +46,7 @@ For more information about each section, options for configuring the sections, a
|
||||
- [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall.
|
||||
- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations.
|
||||
- [Device security](wdsc-device-security.md), which provides access to built-in device security settings.
|
||||
- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
|
||||
- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
|
||||
- [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
|
||||
|
||||
> [!NOTE]
|
||||
@ -65,9 +59,11 @@ For more information about each section, options for configuring the sections, a
|
||||
- Select the icon in the notification area on the taskbar.
|
||||
|
||||

|
||||
|
||||
- Search the Start menu for **Windows Security**.
|
||||
|
||||

|
||||
|
||||
- Open an area from Windows **Settings**.
|
||||
|
||||

|
||||
@ -78,7 +74,7 @@ For more information about each section, options for configuring the sections, a
|
||||
## How the Windows Security app works with Windows security features
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
|
||||
> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
|
||||
>
|
||||
> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
|
||||
>
|
||||
@ -86,7 +82,7 @@ For more information about each section, options for configuring the sections, a
|
||||
>
|
||||
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
|
||||
>
|
||||
> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
|
||||
> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
|
||||
|
||||
> [!WARNING]
|
||||
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
|
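Review bot: The updated Windows Defender Firewall link in the IMPORTANT block uses a relative path, `../../network-security/windows-firewall/windows-firewall-with-advanced-security.md`, while the Zero Trust article in this same change moves its boot-process link to a site-absolute path under `/windows/security/operating-system-security/`. Pick one convention for links into the reorganized tree. Also confirm that two `../` segments match this article's new folder depth, because a wrong depth only surfaces as a broken link at build time.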
@ -1,51 +0,0 @@
|
||||
---
|
||||
title: Account protection in the Windows Security app
|
||||
description: Use the Account protection section to manage security for your account and sign in to Microsoft.
|
||||
ms.prod: windows-client
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
|
||||
# Account protection
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 and later
|
||||
|
||||
The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
|
||||
|
||||
- [Microsoft Account](https://account.microsoft.com/account/faq)
|
||||
- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md)
|
||||
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
|
||||
|
||||
You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.
|
||||
|
||||
## Hide the Account protection section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
You can only configure these settings by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
>
|
||||
>You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Account protection**.
|
||||
|
||||
6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
|
||||
|
||||
7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
>[!NOTE]
|
||||
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
>
|
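Review bot: The Windows Hello for Business link in this removed article, `../../identity-protection/hello-for-business/hello-identity-verification.md`, is relative to the old folder. If the file is being re-created under the new tree rather than dropped, that link needs the same depth adjustment the firewall link received in the Windows Security app article. The procedure is also numbered 1, 3, 5, 6, 7 and the IMPORTANT block wraps a `### Requirements` heading; the Ransomware protection hunk cleans up both, so apply the same cleanup to the moved copy.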
@ -1,73 +0,0 @@
|
||||
---
|
||||
title: Device security in the Windows Security app
|
||||
description: Use the Device security section to manage security built into your device, including virtualization-based security.
|
||||
ms.prod: windows-client
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
manager: aaroncz
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Device security
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 and later
|
||||
|
||||
The **Device security** section contains information and settings for built-in device security.
|
||||
|
||||
You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
## Hide the Device security section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
|
||||
4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
|
||||
|
||||
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
>[!NOTE]
|
||||
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
>
|
||||
|
||||
## Disable the Clear TPM button
|
||||
If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
|
||||
4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
|
||||
|
||||
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
## Hide the TPM Firmware Update recommendation
|
||||
If you don't want users to see the recommendation to update TPM firmware, you can disable it.
|
||||
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
|
||||
4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
|
||||
|
||||
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
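Review bot: The **Hide the TPM Firmware Update recommendation** section states no minimum Windows version, while **Hide the Device security section** (1803 or later) and **Disable the Clear TPM button** (1809 or later) each carry an IMPORTANT note about the ADMX/ADML templates. In the moved copy, either add the version requirement for this setting or confirm that none applies, so an admin does not go looking for a policy that an older template lacks. Step 1 of each procedure also says "click **Edit**" while steps 2 and 4 say "select"; use one verb.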
@ -1,50 +0,0 @@
|
||||
---
|
||||
title: Family options in the Windows Security app
|
||||
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
|
||||
ms.prod: windows-client
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
|
||||
# Family options
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 and later
|
||||
|
||||
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
|
||||
|
||||
Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
|
||||
|
||||
In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
|
||||
|
||||
|
||||
## Hide the Family options section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
>
|
||||
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Family options**.
|
||||
|
||||
6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
>[!NOTE]
|
||||
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
>
|
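Review bot: The home-user link text in this removed article reads "Help protection your family online in Windows Security topic", which should be "Help protect your family online", and the sentence has no closing period. The intro says the section can be hidden "In Windows 10, version 1709" while the Requirements note says "version 1709 or later"; the moved copy should use the "or later" wording in both places. The steps are numbered 1, 3, 5, 6, 7 here as well and should move to the `1.` form used in the Ransomware protection hunk.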
@ -1,49 +0,0 @@
|
||||
---
|
||||
title: Firewall and network protection in the Windows Security app
|
||||
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 12/31/2018
|
||||
ms.technology: itpro-security
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
|
||||
# Firewall and network protection
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
|
||||
|
||||
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
|
||||
## Hide the Firewall & network protection section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
>
|
||||
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
|
||||
|
||||
6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
7. Deploy the updated GPO as you normally do.
|
||||
|
||||
>[!NOTE]
|
||||
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
>
|
||||
|
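Review bot: The front matter of this removed article has no `ms.prod: windows-client` line, which the Account protection, Device security and Family options articles all carry; add it when the file is re-created at its new path. Steps 1 and 7 are plain text here, while the sibling articles link the Group Policy Management Console and "Deploy the updated GPO as you normally do" to their reference pages. The body link `../windows-firewall/windows-firewall-with-advanced-security.md` also still uses the old relative location and needs the same update that the Windows Security app article received.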
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Zero Trust and Windows device health
|
||||
description: Describes the process of Windows device health attestation
|
||||
ms.reviewer:
|
||||
ms.reviewer:
|
||||
ms.topic: article
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
@ -13,6 +13,7 @@ ms.date: 12/31/2017
|
||||
---
|
||||
|
||||
# Zero Trust and Windows device health
|
||||
|
||||
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments.
|
||||
|
||||
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
|
||||
@ -23,15 +24,16 @@ The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) princip
|
||||
|
||||
- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses.
|
||||
|
||||
The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
|
||||
The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
|
||||
|
||||
[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
|
||||
[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
|
||||
|
||||
Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling.
|
||||
|
||||
Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
|
||||
|
||||
## Device health attestation on Windows
|
||||
|
||||
Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines:
|
||||
|
||||
- If the device can be trusted
|
||||
@ -40,7 +42,7 @@ Attestation helps verify the identity and status of essential components and tha
|
||||
|
||||
These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
|
||||
|
||||
Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
|
||||
Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
|
||||
|
||||
A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
|
||||
|
||||
|
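Review bot: The replacement link for "Measured and Trusted boot" is site-absolute but keeps the file extension: `/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md`. The other site-absolute links in this article, such as `/azure/active-directory/conditional-access/overview`, have no `.md`, so either drop the extension here or use a relative file path to the moved article. Check the rendered page before merging, since this is the link readers follow from the attestation overview to the boot-chain details.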