Move appropriate articles under OS system security
@ -7,7 +7,7 @@ ms.topic: conceptual

# VPN and conditional access

The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.

>[!NOTE]
>Conditional Access is an Azure AD Premium feature.
@ -16,8 +16,8 @@ Conditional Access Platform components used for Device Compliance include the fo

- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
- [Windows Health Attestation Service](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
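Review bot: the retargeted Windows Health Attestation Service link loses the `#device-health-attestation` fragment that the old link carried (`../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation` becomes `../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md` with no anchor), so readers now land at the top of a very long article instead of at the device health attestation section. If the moved article keeps that heading, restore the fragment on the new path; if the heading was renamed during the move, point at the new anchor.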
@ -79,19 +79,20 @@ When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Ena

## Configure conditional access

See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.

## Learn more about Conditional Access and Azure AD Health

- [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview)
- [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
- [Control the health of Windows devices](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
- [Control the health of Windows devices](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)

## Related topics

- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)

@ -0,0 +1,40 @@
---
title: Windows operating system security
description: Securing the operating system includes system security, encryption, network security, and threat protection.
ms.reviewer:
ms.topic: article
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
ms.prod: windows-client
ms.technology: itpro-security
ms.date: 09/21/2021
---

# Windows operating system security

Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.

Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.

Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.<br/><br/>

| Security Measures | Features & Capabilities |
|:---|:---|
| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.<br><br/> Learn more [Secure Boot and Trusted Boot](system-security/trusted-boot.md). |
Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. <br><br/> Learn more about [Cryptography and certificate management](system-security/cryptography-certificate-mgmt.md). <br/><br/>|
Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. <br><br/> Learn more about the [Windows Security app](system-security/windows-defender-security-center/windows-defender-security-center.md).|
| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers. <br/><br/> Learn more about [Encryption](../encryption-data-protection.md).
| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. <br/> <br/> Learn more about [BitLocker](../information-protection/bitlocker/bitlocker-overview.md). |
| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. <br> By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. <br/><br/> Learn more about [Encrypted Hard Drives](../information-protection/encrypted-hard-drive.md).|
| S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. <br/><br/> Learn more about [S/MIME for Windows](data-protection/configure-s-mime.md).|
| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. <br/><br/>Security baselines are included in the [Security Compliance Toolkit](../threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.<br/><br/>Learn more about [security baselines](../threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. <br><br/>Learn more about [Virtual Private Networks](network-security/vpn/vpn-guide.md).<br/><br/>|
| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. <br><br/> Learn more about [Windows Defender Firewall with advanced security](network-security/windows-firewall/windows-firewall-with-advanced-security.md).<br/><br/>
| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on. <br/><br/>From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).<br/><br/>Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.<br/><br/>Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.<br/><br/> Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user's data, to install malware, or to otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.<br/><br/>With tamper protection, malware is prevented from taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling antivirus (such as IOfficeAntivirus (IOAV))<br/>- Disabling cloud-delivered protection<br/>- Removing security intelligence updates <br/><br/>Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses. <br/><br/>In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.<br/><br/> Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps' access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. <br/><br/>Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. <br/><br/>You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.<br/><br/>Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.<br/><br/>Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.<br/><br/>Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
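Review bot: the feature table in this new file has inconsistent row delimiters: the `Cryptography and certificate management|...` and `Windows Security app | ...` rows have no leading pipe, and the `Encryption and data protection` and `Windows Defender Firewall` rows have no closing pipe, while every other row has both; some markdown renderers drop or merge rows like that, so add the missing pipes. The cells also mix `<br>` and `<br/>` and several end with a trailing `<br/><br/>`, which leaves empty space at the bottom of those cells; pick one line-break form and drop the trailing breaks. Minor wording: "Learn more [Secure Boot and Trusted Boot]" in the first row is missing "about", unlike every other row.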
@ -0,0 +1,36 @@
---
title: Cryptography and Certificate Management
description: Get an overview of cryptography and certificate management in Windows
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual
ms.date: 09/07/2021
ms.prod: windows-client
ms.technology: itpro-security
ms.reviewer: skhadeer, raverma
---

# Cryptography and Certificate Management

## Cryptography

Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.

Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources.

Windows cryptographic modules provide low-level primitives such as:

- Random number generators (RNG)
- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
- Hashing (support for SHA-256, SHA-384, and SHA-512)
- Signing and verification (padding support for OAEP, PSS, PKCS1)
- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)

These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).

## Certificate management

Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.

Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer.
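Review bot: "Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified" overstates what a FIPS 140 validation covers; validations are issued per cryptographic module and version, not for Windows as a whole, so qualify the sentence or link the list of validated modules, and the primitives list two paragraphs later names RSA 512, which is not a FIPS-approved key size, so either separate "supported" from "approved" there or say in the FIPS sentence which algorithms and sizes are approved. In the certificate management paragraph, the last sentence conflates the CTL with revocation: placing a certificate on the untrusted CTL distrusts it on devices once they have downloaded the updated list, which is a separate mechanism from CRL/OCSP revocation issued by the CA, and "immediately" contradicts the earlier sentence that says the CTL is downloaded daily. Grammar: "enabling Windows, applications, and services protect" needs "to protect", and "The list of trusted and untrusted certificates are stored" should be "is stored".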
@ -0,0 +1,767 @@
|
||||
---
|
||||
title: Control the health of Windows devices
|
||||
description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
|
||||
ms.prod: windows-client
|
||||
ms.date: 10/13/2017
|
||||
ms.localizationpriority: medium
|
||||
ms.technology: itpro-security
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
manager: aaroncz
|
||||
ms.topic: conceptual
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Control the health of Windows devices
|
||||
|
||||
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
|
||||
|
||||
## Introduction
|
||||
|
||||
For Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization's applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT.
|
||||
|
||||
Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they won't tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users will manipulate corporate credentials and corporate data on unmanaged devices.
|
||||
|
||||
With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing corporate services, internal resources, and cloud apps.
|
||||
|
||||
Even managed devices can be compromised and become harmful. Organizations need to detect when security has been breached and react as early as possible in order to protect high-value assets.
|
||||
|
||||
As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities.
|
||||
|
||||
Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy.
|
||||
|
||||
## Description of a robust end-to-end security solution
|
||||
|
||||
Today's computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there's no doubt that malware now targets both consumers and professionals in all industries.
|
||||
|
||||
During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary.
|
||||
|
||||
With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it's an easy way to breach the security network perimeter, gain access to, and then steal high-value assets.
|
||||
|
||||
The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device will bring malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy isn't sufficient against these threats.
|
||||
|
||||
### A different approach
|
||||
|
||||
Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that determined adversaries will successfully breach any defenses. It means that it's necessary to shift focus away from preventative security controls to detection of, and response to, security issues. The implementation of the risk management strategy, therefore, balances investment in prevention, detection, and response.
|
||||
|
||||
Because mobile devices are increasingly being used to access corporate information, some way to evaluate device security or health is required. This section describes how to provision device health assessment in such a way that high-value assets can be protected from unhealthy devices.
|
||||
|
||||
Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset.
|
||||
|
||||
:::image type="content" alt-text="figure 1." source="images/hva-fig1-endtoend1.png":::
|
||||
|
||||
A robust design needs to establish the user's identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure.
|
||||
|
||||
The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user's device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it.
|
||||
|
||||
:::image type="content" alt-text="figure 2." source="images/hva-fig2-assessfromcloud2.png":::
|
||||
|
||||
Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
|
||||
|
||||
Secure Boot is a firmware validation process that helps prevent rootkit attacks; it's part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems.
|
||||
|
||||
A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel.
|
||||
|
||||
Remote health attestation service performs a series of checks on the measurements. It validates security-related data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health encrypted blob back to the device.

An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the security baseline and knows the level of compliance of the device through regular checks that see what software is installed and what configuration is enforced, and that determine the health status of the device.

An MDM solution asks the device to send device health information and forward the health encrypted blob to the remote health attestation service. The remote health attestation service verifies device health data, checks that MDM is communicating to the same device, and then issues a device health report back to the MDM solution.

An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that information to the identity provider so the organization's access control policy can be invoked to grant access.

Access to content is then authorized to the appropriate level of trust for whatever the health status and other conditional elements indicate.

Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow more verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, further security authentication may need to be established by querying the user to answer a phone call before access is granted.

### Microsoft's security investments in Windows 10

In Windows 10, there are three pillars of investments:

- **Secure identities.** Microsoft is part of the FIDO alliance that aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system and for services like on-premises resources and cloud resources.

- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data.

- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware.

### Protect, control, and report on the security status of Windows 10-based devices

This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware.

:::image type="content" alt-text="figure 3." source="images/hva-fig3-endtoendoverview3.png":::

| Number | Part of the solution | Description |
| - | - | - |
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
| **2** | Identity provider | Azure AD contains the users, registered devices, and registered applications of the organization's tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.|
| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.<br/>For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|

The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end solution that provides validation of health and compliance of devices that access high-value assets.

## Protect devices and enterprise credentials against threats

This section describes what Windows 10 offers in terms of security defenses and which controls can be measured and reported on.

### Windows 10 hardware-based security defenses

The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start.

Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-requirements) section.

:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png":::

Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process:

- **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features.

    Windows 10 uses security characteristics of a TPM for measuring the boot integrity sequence (and, based on that, automatically unlocking BitLocker-protected drives), for protecting credentials, and for health attestation.

    A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of the TPM specification produced by the TCG that aren't compatible with each other:

    - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized as ISO/IEC 11889.

    - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.

    Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).

    Windows 10 recognizes versions 1.2 and 2.0 of the TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.

    TPM 2.0 provides a major revision to the capabilities over TPM 1.2:

    - Updated cryptographic strength to meet modern security needs

        - Support for SHA-256 for PCRs

        - Support for HMAC command

    - Cryptographic algorithm flexibility to support government needs

        - TPM 1.2 is severely restricted in terms of what algorithms it can support

        - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents

    - Consistency across implementations

        - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details

        - TPM 2.0 standardizes much of this behavior

- **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot doesn't require a TPM.

    The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that's signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders is in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.

    Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE).

    Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity didn't compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded.

    > [!NOTE]
    > Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.

- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration.

    Examples of protected configuration information include protecting the Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) can't be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed.

    Secure Boot configuration policy provides this protection through UEFI policy. These policies are signed in the same way that operating system binaries are signed for use with Secure Boot.

    The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK will work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr.

    The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted.

- **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.

    Traditional antimalware apps don't start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.

    ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it.

    > [!NOTE]
    > Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a compatible third-party antimalware solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware from making lasting changes to Windows Defender's mini-filter driver before shutdown or reboot.

    The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code.

    The ELAM driver is a small driver with a small policy database that has a narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1).

- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10.

    Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see the [Virtualization-based security](#virtualization-based-security) section.

- **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.

    When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup.

    HVCI uses virtualization-based security to isolate Code Integrity; the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code can't be directly modified.

    > [!NOTE]
    > Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) blog post.

    The Device Guard Code Integrity feature lets organizations control what code is trusted to run in the Windows kernel and what applications are approved to run in user mode. It's configurable by using a policy.

    Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy.

- **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation.

    In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack.

    This protection is accomplished by using Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. This isolation means that even if the Windows kernel is compromised, an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this unauthorized access because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory.

- **Health attestation.** The device's firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device's health.

    Windows 10 takes measurements of the UEFI firmware and of each of the Windows and antimalware components as they load during the boot process. The measurements are taken sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset.

    For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](/previous-versions/windows/hardware/design/dn653311(v=vs.85)).

    During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For more security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify the health status of the Windows device.

    Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation won't stop the boot process and enter remediation when a measurement fails validation. But with conditional access control, health attestation helps to prevent access to high-value assets.
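The measured-boot and attestation sequence just described (components measured sequentially into the TPM, the signed values sent to a remote server that compares them against a baseline, the result fed into the MDM health rules described at the start of this section), as an added Python model that is not code from the Windows documentation. The TPM attestation key's signature is stood in for by an HMAC under a key shared with the service, and the boot components are constructed stand-ins; both are assumptions so that the example runs offline.

```python
"""Measured boot and remote health attestation, modelled end to end.

Added example, not code from the Windows documentation. It models the TPM
PCR extend over the boot components, the signed quote the device returns,
the attestation service replaying the boot log against that quote, and the
MDM compliance decision on the resulting health report. The TPM attestation
key signature is stood in for by an HMAC under a key shared with the service
(an assumption, so the example runs offline without a key library).
"""
import hashlib
import hmac

PCR_INITIAL = bytes(32)  # a SHA-256 PCR bank starts at all zeros


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-256(PCR_old || digest). Order-dependent."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Measure each boot component as it loads; return (final PCR, event log)."""
    pcr, log = PCR_INITIAL, []
    for name, content in components:
        digest = hashlib.sha256(content).digest()
        log.append({"component": name, "sha256": digest.hex()})
        pcr = extend(pcr, digest)
    return pcr, log


# Constructed sample boot chain (stand-ins for the real binaries).
GOOD_BOOT = [
    ("UEFI firmware", b"constructed firmware image v1"),
    ("bootmgfw.efi", b"constructed windows boot manager"),
    ("winload.efi", b"constructed windows os loader"),
    ("ntoskrnl.exe", b"constructed windows kernel"),
    ("WdBoot.sys", b"constructed defender elam driver"),
]
ATTESTATION_KEY = b"constructed-device-attestation-key"  # assumption, see docstring


def make_quote(pcr: bytes, nonce: bytes) -> dict:
    """Device side: sign the PCR value with the verifier's nonce for freshness."""
    sig = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).hexdigest()
    return {"pcr": pcr.hex(), "nonce": nonce.hex(), "sig": sig}


# Service side: the known-good digests it trusts (its baseline).
BASELINE = {name: hashlib.sha256(content).hexdigest() for name, content in GOOD_BOOT}


def attest(quote: dict, log: list, nonce: bytes) -> dict:
    """Health attestation service: check the quote, replay the log, report."""
    expected = hmac.new(ATTESTATION_KEY, bytes.fromhex(quote["pcr"]) + nonce,
                        hashlib.sha256).hexdigest()
    if quote["nonce"] != nonce.hex() or not hmac.compare_digest(expected, quote["sig"]):
        return {"valid": False, "reason": "quote signature or nonce mismatch"}
    # Replay the event log: a log edited after the fact will not reproduce
    # the PCR value the TPM signed.
    pcr = PCR_INITIAL
    for entry in log:
        pcr = extend(pcr, bytes.fromhex(entry["sha256"]))
    if pcr.hex() != quote["pcr"]:
        return {"valid": False, "reason": "event log does not reproduce PCR"}
    unexpected = [e["component"] for e in log
                  if BASELINE.get(e["component"]) != e["sha256"]]
    elam = any(e["component"] == "WdBoot.sys" for e in log)
    return {"valid": True, "unexpected": unexpected, "elam_loaded": elam}


def mdm_is_compliant(report: dict) -> bool:
    """MDM health rule: valid report, ELAM driver present, nothing unexpected."""
    return bool(report["valid"] and report["elam_loaded"] and not report["unexpected"])


def run_attestation(components, log_override=None, nonce=b"constructed-nonce-1"):
    """Full exchange: device measures and quotes, service attests, MDM decides.

    log_override submits a log other than the one actually measured, which
    models an attacker rewriting the log to hide a changed component.
    """
    pcr, log = measure_boot(components)
    submitted = log if log_override is None else log_override
    report = attest(make_quote(pcr, nonce), submitted, nonce)
    return mdm_is_compliant(report), report


if __name__ == "__main__":
    print("healthy:", run_attestation(GOOD_BOOT))
    # A bootkit replaces winload.efi; the changed measurement is reported.
    tampered = [(n, b"constructed bootkit" if n == "winload.efi" else c)
                for n, c in GOOD_BOOT]
    print("tampered:", run_attestation(tampered))
    # Same bootkit, but the clean log is submitted; the PCR no longer matches.
    print("forged log:", run_attestation(tampered, measure_boot(GOOD_BOOT)[1]))
```

The three runs show why the log alone is not enough: a changed component is caught by the baseline comparison, and a log edited to hide it no longer reproduces the PCR value the TPM signed.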

### Virtualization-based security

Virtualization-based security provides a new trust boundary for Windows 10 and uses Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data.

Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Virtualization-based security isn't trying to protect against a physical attacker.

The following Windows 10 services are protected with virtualization-based security:

- **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory

- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.

- **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.

> [!NOTE]
> Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, and an x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0, and support for Secure Memory Overwrite are optional, but recommended.

The schema below is a high-level view of Windows 10 with virtualization-based security.

:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png":::

### Credential Guard

In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in Isolated User Mode to help protect data from malware that may be running in the normal user mode. This code execution helps ensure that protected data isn't stolen and reused on remote machines, which mitigates many PtH-style attacks.

Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:

- **The per-boot key** is used for any in-memory credentials that don't require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key.

- **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.

Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This activation is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins.

### Device Guard

Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those applications that are trusted by the organization.

The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows.

Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10, kernel-mode drivers must be digitally signed.

> [!NOTE]
> Independently of whether a Device Guard policy is activated, Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation ("EV") Code Signing Certificate.

With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, and traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts.

Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny:

- **Allow** limits execution of applications to an allowed list of code or trusted publishers and blocks everything else.

- **Deny** complements the allow-trusted-publisher approach by blocking the execution of a specific application.

At the time of this writing, and according to Microsoft's latest research, more than 90 percent of malware is completely unsigned. So implementing a basic Device Guard policy can simply and effectively help block malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.

Device Guard needs to be planned and configured to be truly effective. It isn't just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible.

There are three different parts that make up the Device Guard solution in Windows 10:

- The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allow you to control what the device is running when the system starts.

- After the hardware security features, there's the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and resides in Isolated User Mode, a part of the memory that is protected by virtualization-based security.

- The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).

For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).

### Device Guard scenarios

As previously described, Device Guard is a powerful way to lock down systems. Device Guard isn't intended to be used broadly and it may not always be applicable, but there are some high-interest scenarios.

Device Guard is useful and applicable on fixed-workload systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well-managed desktops. Device Guard is highly relevant on systems that have a well-defined set of software that is expected to run and doesn't change too frequently.

It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications isn't going to change on a daily basis.

SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can't be considered a "silver bullet" security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth approach to security.

To protect high-value assets, SAWs are used to make secure connections to those assets.

Similarly, on corporate fully managed workstations, where applications are installed by using a distribution tool like Microsoft Configuration Manager, Intune, or any third-party device management, Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running.

It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it's difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run.
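An added Python model, not the Windows Code Integrity engine, of the allow and deny rule actions described earlier combined with the audit mode described above: allow rules by trusted publisher or file hash, a deny rule for one specific binary that overrides its otherwise trusted publisher, and an event record for each violation, which enforcement blocks and audit mode lets run. All binaries, publishers and hashes are constructed sample values.

```python
"""Device Guard Code Integrity policy evaluation, modelled in Python.

Added example, not the Windows Code Integrity engine. It shows how an allow
rule set (trusted publisher or file hash) combined with deny rules for
specific binaries decides what may run, and how audit mode records a
violation instead of blocking it. Binaries, publishers and hashes are all
constructed sample values.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    publisher: Optional[str] = None  # None models an unsigned binary

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class CIPolicy:
    """Allow rules admit code; deny rules carve exceptions out of them."""
    allowed_publishers: set = field(default_factory=set)
    allowed_hashes: set = field(default_factory=set)
    denied_hashes: set = field(default_factory=set)
    audit_mode: bool = False
    events: list = field(default_factory=list)  # the audit/enforcement log

    def evaluate(self, binary: Binary) -> bool:
        """Return True if the binary may load under this policy."""
        digest = binary.sha256
        if digest in self.denied_hashes:
            allowed, reason = False, "explicit deny rule"
        elif digest in self.allowed_hashes:
            allowed, reason = True, "allowed by file hash"
        elif binary.publisher in self.allowed_publishers:
            allowed, reason = True, "allowed by trusted publisher"
        else:
            allowed, reason = False, "no matching allow rule"
        if allowed:
            return True
        # Policy violation: enforcement blocks it, audit mode only records it.
        mode = "audit" if self.audit_mode else "enforce"
        self.events.append(f"[{mode}] {binary.path}: {reason} "
                           f"(publisher={binary.publisher}, sha256={digest[:12]}...)")
        return self.audit_mode


# Constructed sample binaries.
LOB_APP = Binary(r"C:\Apps\Payroll\payroll.exe", b"lob app v2", "Contoso LOB Signing")
LOB_APP_OLD = Binary(r"C:\Apps\Payroll\payroll_old.exe", b"lob app v1", "Contoso LOB Signing")
INTERNAL_TOOL = Binary(r"C:\Tools\inventory.exe", b"unsigned internal tool")
DROPPER = Binary(r"C:\Users\Public\update.exe", b"unsigned dropper")
SAMPLES = [LOB_APP, LOB_APP_OLD, INTERNAL_TOOL, DROPPER]


def build_policy(audit_mode: bool = False) -> CIPolicy:
    """Allow the LOB publisher and one unsigned tool by hash; deny the old,
    vulnerable LOB build even though its publisher is trusted."""
    return CIPolicy(
        allowed_publishers={"Contoso LOB Signing"},
        allowed_hashes={INTERNAL_TOOL.sha256},
        denied_hashes={LOB_APP_OLD.sha256},
        audit_mode=audit_mode,
    )


def run_policy(audit_mode: bool = False) -> tuple[dict, list]:
    """Evaluate every sample binary; return the verdicts and the event log."""
    policy = build_policy(audit_mode)
    verdicts = {b.path: policy.evaluate(b) for b in SAMPLES}
    return verdicts, policy.events


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, events = run_policy(audit_mode=mode)
        print("audit" if mode else "enforce", verdicts)
        for line in events:
            print("   ", line)
```

Running both modes shows that the same two binaries violate the policy either way; only the outcome differs, which is what makes an audit-mode rollout useful for discovering what users actually run before enforcement.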

Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device.

> [!NOTE]
> Device Guard policy can be signed in Windows 10, which adds protection against administrative users changing or removing this policy.

Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard.

When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable that offers tampering protection. The only way to update the Device Guard policy later is to provide a new version of the policy signed by the same signer or by a signer specified as part of the Device Guard policy in the UpdateSigner section.

### The importance of signing applications

On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10.

With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed.

In organizations today, many LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for various reasons, like the lack of code signing expertise. Even if code signing is a best practice, many internal applications aren't signed.

Windows 10 includes tools that allow IT pros to take applications that have already been packaged and run them through a process to create additional signatures that can be distributed along with the existing applications.

### Why are antimalware and device management solutions still necessary?

Although allowlist mechanisms are efficient at ensuring that only trusted applications can be run, they can't prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn't protect against user mode malicious code run by exploiting vulnerabilities.

Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user's knowledge.

It's common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications rather than the operating system and kernel mode drivers that host them.

To combat these threats, patching is the single most effective control, with antimalware software forming complementary layers of defense.

Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities.

MDM solutions are becoming prevalent as a lightweight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices.

### Device health attestation
|
||||
|
||||
Device health attestation uses the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device.
|
||||
|
||||
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
|
||||
|
||||
For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-an-unhealthy-windows-10-based-device) section.
|
||||
|
||||
[!INCLUDE [device-health-attestation-service](../../../../includes/licensing/device-health-attestation-service.md)]
|
||||
|
||||
### Hardware requirements
|
||||
|
||||
The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
|
||||
|
||||
|Hardware|Motivation|
|
||||
|--- |--- |
|
||||
|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot.<p>UEFI Secure Boot ensures that the device boots only authorized code.<p>Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
|
||||
|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security.<div class="alert">**Note:** Device Guard can be enabled without using virtualization-based security.</div>|
|
||||
|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).<p>Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
|
||||
|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.|
|
||||
|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)|
|
||||
|
||||
This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
|
||||
|
||||
## Detect an unhealthy Windows 10-based device

As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.

The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running.

As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, the Windows 10 kernel, and even early boot drivers. Because health attestation uses the hardware-based security capabilities of the TPM, the log of all measured boot components remains out of the reach of any malware.

After the devices attest a trusted boot state, they can prove that they aren't running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data.

### What is the concept of device health?

To understand the concept of device health, it's important to know the traditional measures that IT pros have taken to prevent malware breaches. Malware control technologies are highly focused on preventing installation and distribution.

However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing the organization's resources.

The definition of device compliance will vary based on an organization's installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy.

The health of the device isn't binary and depends on the organization's security implementation. The Health Attestation Service provides information back to the MDM on which security features were enabled during the boot of the device, by using the trustworthy hardware TPM.

But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision.

### Remote device health attestation

In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft.

This approach is the most secure one available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs' values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device.

A relying party like an MDM can inspect the report generated by the remote health attestation service.

> [!NOTE]
> To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10.

Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.

Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system.

In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by malicious code running early in the startup sequence. This is why it's important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence.

The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component.

Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process.

:::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png":::

When you start a device equipped with a TPM, a measurement of different components is performed. These components include firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, signing authority, and so on) are available in the TCG log.

:::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png":::

The health attestation process works as follows:

1. Hardware boot components are measured.
2. Operating system boot components are measured.
3. If Device Guard is enabled, the current Device Guard policy is measured.
4. The Windows kernel is measured.
5. Antivirus software is started as the first kernel mode driver.
6. Boot start drivers are measured.
7. The MDM server, through the MDM agent, issues a health check command by using the Health Attestation CSP.
8. Boot measurements are validated by the Health Attestation Service.

> [!NOTE]
> By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder.
> The number of retained logs may be set with the registry **REG\_DWORD** value **PlatformLogRetention** under the **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM** key. A value of **0** will turn off log archival and a value of **0xffffffff** will keep all logs.

The following process describes how health boot measurements are sent to the health attestation service:

1. The client (a Windows 10-based device with a TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
2. The client then sends the TCG log, the AIK-signed data (PCR values, boot counter), and the AIK certificate information.
3. The remote device health attestation service then:

    1. Verifies that the AIK certificate is issued by a known and trusted CA and that the certificate is valid and not revoked.
    2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
    3. Parses the properties in the TCG log.
    4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains a valid issuance time. The device health token is encrypted and signed, which means that the information is protected and only accessible to the issuing health attestation service.

4. The client stores the encrypted health blob in its local store. The device health token contains the device health status, a device ID (the Windows AIK), and the boot counter.

:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::

### Device health attestation components

The device health attestation solution involves three components: the TPM, the Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section.

### Trusted Platform Module

This section describes how PCRs (which contain system configuration data), the endorsement key (EK) (which acts as an identity card for the TPM), the SRK (which protects keys), and AIKs (which can report platform state) are used for health attestation reporting.

In a simplified manner, the TPM is a passive component with limited resources. It can generate random numbers and RSA keys, encrypt and decrypt short data, and store hashes taken when booting the device.

A TPM incorporates in a single component:

- An RSA 2048-bit key generator
- A random number generator
- Nonvolatile memory for storing EK, SRK, and AIK keys
- A cryptographic engine to encrypt, decrypt, and sign
- Volatile memory for storing the PCRs and RSA keys

### Endorsement key

The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).

The endorsement key public key is used for securely sending sensitive parameters, such as when taking possession of the TPM, which contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.

The endorsement key acts as an identity card for the TPM. For more information, see [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)).

The endorsement key is often accompanied by one or two digital certificates:

- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.

For certain devices that use a firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.

> [!NOTE]
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs:

- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```**
- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```**

### Attestation Identity Keys

Because the endorsement certificate is unique for each device and doesn't change, using it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.

> [!NOTE]
> Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.

The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.

Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device.

Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. These certificates aren't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but they provide compatibility for advanced scenarios like Windows Hello for Business without a TPM.

In the issued AIK certificate, a special OID is added to attest that an endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject or accept devices that are attested using AIK certificates without an endorsement certificate. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that isn't backed by an endorsement certificate.

### Storage root key

The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum length of 2048 bits). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when ownership of the TPM is taken.

### Platform Configuration Registers

The TPM contains a set of registers that are designed to provide a cryptographic representation of the software and state of the system that booted. These registers are called Platform Configuration Registers (PCRs).

The measurement of the boot sequence is based on the PCRs and the TCG log. To establish a static root of trust, when the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it by extending the register PCR\[0\] and transfers execution to the firmware.

PCRs are set to zero when the platform is booted, and it's the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This component is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured.

The value of a PCR on its own is hard to interpret (it's just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log hasn't been tampered with. The logs are referred to as the TCG log. Each time a PCR is extended, an entry is added to the TCG log. Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log.
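The extend-and-replay mechanics just described, as an added Python example (not code from this article or from Windows): it models `TPM2_PCR_Extend` over a SHA-256 bank, builds a constructed TCG-style event log, and replays that log the way a verifier does to confirm that the log accounts for the PCR values the TPM reports. The component names, event types and dict-based log layout are constructed assumptions; a real TCG log is a binary sequence of event structures carrying the same fields (PCR index, event type, digest, event data).

```python
import hashlib
from typing import Dict, List, Tuple

# Added example, not code from the article: a stdlib-only model of how a verifier
# replays a measured-boot log against reported PCR values. The component names,
# event types and the dict layout of log entries are constructed assumptions.

PCR_COUNT = 24   # a TPM 2.0 PCR bank has 24 registers
DIGEST_LEN = 32  # SHA-256 bank


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: new = SHA-256(current || measurement).

    One-way and order-dependent, so a PCR value commits to the whole
    sequence of measurements that produced it, not just their set.
    """
    return hashlib.sha256(current + measurement).digest()


def measure(component: bytes) -> bytes:
    """Each boot component hashes the next one before handing over execution."""
    return hashlib.sha256(component).digest()


def build_log(components: List[Tuple[int, str, bytes]]) -> List[Dict]:
    """Turn (pcr index, event type, component bytes) triples into TCG-style entries."""
    return [{"pcr": pcr, "type": ev, "digest": measure(blob).hex(), "detail": blob.decode()}
            for pcr, ev, blob in components]


def replay_log(log: List[Dict]) -> Dict[int, bytes]:
    """Recompute every PCR from the all-zero reset state by replaying the log."""
    pcrs = {i: bytes(DIGEST_LEN) for i in range(PCR_COUNT)}
    for entry in log:
        pcrs[entry["pcr"]] = pcr_extend(pcrs[entry["pcr"]], bytes.fromhex(entry["digest"]))
    return pcrs


def log_matches_pcrs(log: List[Dict], reported: Dict[int, bytes]) -> Tuple[bool, List[int]]:
    """The 'logs match the PCR values' check: returns (ok, list of mismatched PCRs)."""
    replayed = replay_log(log)
    mismatched = sorted(i for i, value in reported.items() if replayed[i] != value)
    return (not mismatched, mismatched)


# Constructed boot sequence for the demonstration (not real measurements).
HONEST_BOOT = [
    (0, "EV_POST_CODE", b"firmware-image-1.2"),
    (0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", b"uefi-nvme-driver"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"bootmgfw.efi"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"winload.efi"),
    (14, "EV_EVENT_TAG", b"ELAM:WdBoot.sys"),
]


def tamper_demo() -> Dict[str, object]:
    """Show why the log alone cannot lie once the PCRs are anchored in the TPM."""
    honest_log = build_log(HONEST_BOOT)
    tpm_pcrs = replay_log(honest_log)  # what the TPM itself holds after this boot

    # 1) Untouched log: replay reproduces the TPM's PCR values.
    honest_ok, _ = log_matches_pcrs(honest_log, tpm_pcrs)

    # 2) A device that really booted with Secure Boot off, where a rootkit rewrites
    #    the log entry to claim SecureBoot=1: PCR[7] no longer matches the log.
    real_boot = [(p, e, b"SecureBoot=0" if b == b"SecureBoot=1" else b) for p, e, b in HONEST_BOOT]
    real_pcrs = replay_log(build_log(real_boot))
    forged_ok, forged_bad = log_matches_pcrs(honest_log, real_pcrs)

    # 3) Same components but winload.efi recorded before bootmgfw.efi: the extend
    #    chain is order-sensitive, so PCR[4] differs even with identical digests.
    reordered = build_log([HONEST_BOOT[0], HONEST_BOOT[1], HONEST_BOOT[2],
                           HONEST_BOOT[4], HONEST_BOOT[3], HONEST_BOOT[5]])
    reorder_ok, reorder_bad = log_matches_pcrs(reordered, tpm_pcrs)

    return {"honest": honest_ok, "forged": forged_ok, "forged_pcrs": forged_bad,
            "reordered": reorder_ok, "reordered_pcrs": reorder_bad}


if __name__ == "__main__":
    print(tamper_demo())
```

The two failure cases are the ones that matter for health attestation: a rewritten log entry and a reordered one both leave the reported PCRs unexplained, so a verifier that trusted only the log could be fooled, while one that replays the log against the TPM-held (and AIK-quoted) PCR values is not.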

### TPM provisioning

For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally in the registry.

When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement**

During the provisioning process, the device may need to be restarted.

The **Get-TpmEndorsementKeyInfo** PowerShell cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM.

If the TPM ownership isn't known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value in the registry if policy allows it, and will store the SRK public portion at the following location:

**HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub**

As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub**

> [!NOTE]
> For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: `https://*.microsoftaik.azure.net`

### Windows 10 Health Attestation CSP

Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as "get", "set", "delete", and so on.

The Windows 10 Health Attestation CSP performs the following functions:

- Collects data that is used to verify a device's health status
- Forwards the data to the Health Attestation Service
- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification

During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs' values that are measured during the boot, by using a secure communication channel to the Health Attestation Service.

When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device didn't reboot between the time that it attested its health and the time that the MDM server validated it.

### Windows Health Attestation Service

The role of the Windows Health Attestation Service is essentially to evaluate a set of health data (TCG log and PCR values), make a series of detections (based on the available health data), and generate an encrypted health blob or produce a report for MDM servers.

> [!NOTE]
> Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS).

Checking that a TPM attestation and the associated log are valid takes several steps:

1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**.
3. Next the logs should be checked to ensure that they match the PCR values reported.
4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource.

The Health Attestation Service provides the following information to an MDM solution about the health of the device:

- Secure Boot enablement
- Boot and kernel debug enablement
- BitLocker enablement
- VSM enabled
- Signed or unsigned Device Guard Code Integrity policy measurement
- ELAM loaded
- Safe Mode boot, DEP enablement, test signing enablement
- Device TPM has been provisioned with a trusted endorsement certificate

For completeness of the measurements, see [Health Attestation CSP](/windows/client-management/mdm/healthattestation-csp).

The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device.

|OS type|Key items that can be reported|
|--- |--- |
|Windows 10 for desktop editions|<li>PCR0 measurement<li>Secure Boot Enabled<li>Secure Boot db matches Expected<li>Secure Boot dbx is up to date<li>Secure Boot policy GUID matches Expected<li>BitLocker enabled<li>Virtualization-based security enabled<li>ELAM was loaded<li>Code Integrity version is up to date<li>Code Integrity policy hash matches Expected|

### Use MDM and the Health Attestation Service

To make device health relevant, the MDM solution evaluates the device health report against the organization's device health requirements, which the MDM solution is configured with.

A solution that uses MDM and the Health Attestation Service consists of three main parts:

1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask the Health Attestation Service to decrypt the content and validate that it's been attested.

:::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::

Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:

1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI.
2. The MDM server specifies a nonce along with the request.
3. The client then sends the AIK-quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt.
4. The MDM server:

    1. Verifies that the nonce is as expected.
    2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.

5. The Health Attestation Service:

    1. Decrypts the health blob.
    2. Verifies that the boot counter in the quote is correct, using the AIK in the health blob, and that it matches the value in the health blob.
    3. Verifies that the nonce in the quote matches the one that is passed from the MDM.
    4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated.
    5. Sends data back to the MDM server including health parameters, freshness, and so on.

> [!NOTE]
> The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
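The two numbered procedures above (the boot-time attestation that yields the encrypted health blob, and the MDM's nonce and boot-counter check through the Health Attestation Service) as an added Python simulation. This is not Microsoft's code, and the class and function names are made up for the example. Because it runs with the standard library only, two stand-ins are assumptions: HMAC-SHA256 plays the role of the RSA-2048 AIK signature, with the service holding the key it learnt at AIK certificate issuance, and a small encrypt-then-MAC construction under a service-only key plays the role of the health blob encryption. The MDM policy values and device claims are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict

# Added example, not Microsoft's code: a stdlib-only simulation of the exchange above.
# Two stand-ins are assumptions made so it runs offline: the RSA-2048 AIK signature is
# modelled by HMAC-SHA256 under a key the service recorded at AIK certificate issuance,
# and the encrypted health blob by encrypt-then-MAC under a key only the service holds.

POLICY = {"secure_boot": True, "vsm_enabled": True, "elam_loaded": True,
          "kernel_debug": False, "test_signing": False}  # constructed MDM requirements

def _mac(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:  # length-prefix each field so the concatenation is unambiguous
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class HealthAttestationService:
    def __init__(self) -> None:
        self.blob_key = secrets.token_bytes(32)
        self.aiks: Dict[str, bytes] = {}  # AIK id -> key learnt at certificate issuance

    def attest_boot(self, aik_id: str, boot_counter: int, claims: dict, sig: bytes) -> bytes:
        """Boot-time step: verify the AIK-signed measurements, return the sealed health blob."""
        want = _mac(self.aiks[aik_id], json.dumps(claims, sort_keys=True).encode(), str(boot_counter).encode())
        if not hmac.compare_digest(sig, want):
            raise ValueError("bad AIK signature on boot data")
        token = json.dumps({"aik_id": aik_id, "boot_counter": boot_counter, "claims": claims}).encode()
        iv = secrets.token_bytes(16)
        ct = _xor_stream(self.blob_key, iv, token)
        return iv + ct + _mac(self.blob_key, iv, ct)  # encrypt-then-MAC, opaque to the MDM

    def validate_for_mdm(self, nonce: str, quote: dict, blob: bytes) -> dict:
        """MDM-time step: the quote must be fresh and bound to the blob's device and boot."""
        iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _mac(self.blob_key, iv, ct)):
            raise ValueError("health blob tampered")
        token = json.loads(_xor_stream(self.blob_key, iv, ct))
        want = _mac(self.aiks[token["aik_id"]], quote["nonce"].encode(), str(quote["boot_counter"]).encode())
        if not hmac.compare_digest(bytes.fromhex(quote["sig"]), want):
            raise ValueError("quote not signed by the attested AIK")
        if quote["nonce"] != nonce:
            raise ValueError("nonce mismatch")
        if quote["boot_counter"] != token["boot_counter"]:
            raise ValueError("boot counter changed since attestation (device rebooted)")
        return {"claims": token["claims"]}  # the AIK itself is never handed to the MDM

class Device:
    def __init__(self, has: HealthAttestationService, claims: dict) -> None:
        self.has, self.claims, self.boot_counter, self.blob = has, claims, 0, b""
        self.aik_key = secrets.token_bytes(32)  # private AIK: never leaves the "TPM"
        self.aik_id = hashlib.sha256(self.aik_key).hexdigest()[:16]
        has.aiks[self.aik_id] = self.aik_key  # stands in for AIK certificate issuance

    def boot(self) -> None:
        self.boot_counter += 1
        sig = _mac(self.aik_key, json.dumps(self.claims, sort_keys=True).encode(), str(self.boot_counter).encode())
        self.blob = self.has.attest_boot(self.aik_id, self.boot_counter, self.claims, sig)

    def answer(self, nonce: str) -> dict:
        """What the client sends the MDM: AIK-quoted nonce + boot counter, and the blob."""
        sig = _mac(self.aik_key, nonce.encode(), str(self.boot_counter).encode()).hex()
        return {"quote": {"nonce": nonce, "boot_counter": self.boot_counter, "sig": sig}, "blob": self.blob}

def mdm_check(has: HealthAttestationService, nonce: str, response: dict) -> dict:
    """Relying party: checks the nonce echo and policy; the service does the cryptography."""
    if response["quote"]["nonce"] != nonce:
        return {"compliant": False, "reason": "nonce mismatch (replayed response)"}
    try:
        result = has.validate_for_mdm(nonce, response["quote"], response["blob"])
    except ValueError as err:
        return {"compliant": False, "reason": str(err)}
    failed = [k for k, want in POLICY.items() if result["claims"].get(k) != want]
    return {"compliant": not failed, "reason": ", ".join(failed) or "ok"}

def run_scenarios() -> Dict[str, dict]:
    has, out = HealthAttestationService(), {}
    good, dbg, rb = Device(has, dict(POLICY)), Device(has, dict(POLICY, kernel_debug=True)), Device(has, dict(POLICY))
    for dev in (good, dbg, rb):
        dev.boot()
    n1 = secrets.token_hex(16)
    first = good.answer(n1)
    out["healthy"] = mdm_check(has, n1, first)
    out["replayed"] = mdm_check(has, secrets.token_hex(16), first)  # old answer, fresh nonce
    n2 = secrets.token_hex(16)
    out["kernel_debug"] = mdm_check(has, n2, dbg.answer(n2))
    rb.boot_counter += 1  # rebooted without re-attesting (for example, offline at boot)
    n3 = secrets.token_hex(16)
    out["rebooted"] = mdm_check(has, n3, rb.answer(n3))
    return out
```

`run_scenarios` exercises the healthy path plus the three rejections the text describes: a replayed answer fails the nonce check at the MDM, a device rebooted since its last attestation fails the boot-counter check at the service, and a device with kernel debugging enabled validates cryptographically but fails the MDM's policy. Throughout, the MDM only ever sees the opaque blob and the quote, never the AIK.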
|
||||
|
||||
Setting the requirements for device compliance is the first step to ensure that registered devices that don't meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution.
|
||||
|
||||
Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets.
|
||||
That consequence for an unhealthy device is the purpose of conditional access control, which is detailed in the next section.
|
||||
|
||||
## Control the security of a Windows 10-based device before access is granted
|
||||
|
||||
Today's access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization's IT staff and systems know little about. Perhaps there's some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware?
|
||||
|
||||
The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune.
|
||||
|
||||
> [!NOTE]
|
||||
> For the latest information on Intune and Windows 10 features support, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
|
||||
|
||||
The figure below shows how the Health Attestation Service is expected to work with Microsoft's cloud-based Intune MDM service.
|
||||
|
||||
:::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png":::
|
||||
|
||||
An MDM solution can then use health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device's ability to prove that it's malware free, its antimalware system is functional and up to date, the
|
||||
firewall is running, and the devices patch state is compliant.
|
||||
|
||||
Finally, resources can be protected by denying access to endpoints that are unable to prove they're healthy. This feature is much needed for BYOD devices that need to access organizational resources.
|
||||
|
||||
### Built-in support of MDM in Windows 10
|
||||
|
||||
Windows 10 has an MDM client that ships as part of the operating system. This MDM client enables MDM servers to manage Windows 10-based devices without requiring a separate agent.
### Third-party MDM server support
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
> [!NOTE]
> MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](/windows/client-management/mdm/).
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users.
### Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10).
### Conditional access control
On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365 compatible workload.
If the device isn't registered, the user will get a message with instructions on how to register (also known as enrolling). If the device isn't compliant, the user will get a different message that redirects them to the MDM web portal where they can get more information on the compliance problem and how to resolve it.
**Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
### Office 365 conditional access control
Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
target groups.
When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that don't have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services.
When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune.
> [!NOTE]
> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067) blog post.
When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access.
The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy isn't met at the time of request for renewal.
Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
:::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png":::
Clients that attempt to access Office 365 will be evaluated for the following properties:
- Is the device managed by an MDM?
- Is the device registered with Azure AD?
- Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
- Enroll with an MDM solution.
- Register with Azure AD.
- Be compliant with the device policies set by the MDM solution.
> [!NOTE]
> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
### Cloud and on-premises apps conditional access control
Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD use the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access.
For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
> [!NOTE]
> Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](https://go.microsoft.com/fwlink/p/?LinkId=691617) site.
For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
The following process describes how Azure AD conditional access works:
1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
4. User logs on and the MDM agent contacts the Intune/MDM server.
5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server.
7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
10. Intune/MDM server updates compliance state against device object in Azure AD.
11. User opens app, attempts to access a corporate managed asset.
12. Access gated by compliance claim in Azure AD.
13. If the device is compliant and the user is authorized, an access token is generated.
14. User can access the corporate managed asset.
For more information about Azure AD join, see [Azure AD & Windows 10: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper.
Conditional access control is a topic that many organizations and IT pros may not know and they should. The different attributes that describe a user, a device, compliance, and context of access are powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment.
## Takeaways and summary
The following list contains high-level key takeaways to improve the security posture of any organization. However, the few takeaways presented in this section shouldn't be interpreted as an exhaustive list of security best practices.
- **Understand that no solution is 100 percent secure**
If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.
- **Use health attestation with an MDM solution**
Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked.
- **Use Credential Guard**
Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks.
- **Use Device Guard**
Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization).
- **Sign Device Guard policy**
Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard later is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy.
- **Use virtualization-based security**
When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers.
- **Start to deploy Device Guard with Audit mode**
Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode.
- **Build an isolated reference machine when deploying Device Guard**
Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices.
- **Use AppLocker when it makes sense**
Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows application for a specific user or a group of users.
- **Lock down firmware and configuration**
After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool.
Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device's identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution.
## Related topics
- [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
- [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
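Review bot: the last Related topics entry links to `../../information-protection/tpm/trusted-platform-module-overview.md`, while the other hrefs touched by this commit drop the `../../` prefix because the article now lives under the new folder (compare `href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md` in the TOC hunk); verify that this relative path still resolves from the moved file. While in this hunk, fix three small text problems: "the devices patch state" should read "the device's patch state", "from a signer specify as part of the Device Guard policy" should read "from a signer specified as part of the Device Guard policy", and the link titled "Azure Conditional Access Preview for SaaS Apps." points at `/azure/active-directory/authentication/tutorial-enable-azure-mfa`, which is an MFA tutorial, so either the link text or the target needs updating.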
@ -0,0 +1,141 @@
---
title: Secure the Windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
ms.prod: windows-client
ms.author: paoloma
author: paolomatarazzo
manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 03/09/2023
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
---
# Secure the Windows boot process
The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
Those components are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware, and bootkits specifically, are capable of starting before Windows, completely bypassing OS security, and remaining hidden.
When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can't remain hidden; Trusted Boot can prove the system's integrity to your infrastructure in a way that malware can't disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
First, let's examine what rootkits are and how they work. Then, we'll show you how Windows can protect you.
## The threat: rootkits
*Rootkits* are a sophisticated and dangerous type of malware. They run in kernel mode, using the same privileges as the OS. Because rootkits have the same rights as the OS and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
Different types of rootkits load during different phases of the startup process:
- **Firmware rootkits.** These kits overwrite the firmware of the PC's basic input/output system or other hardware so the rootkit can start before Windows.
- **Bootkits.** These kits replace the OS's bootloader (the small piece of software that starts the OS) so that the PC loads the bootkit before the OS.
- **Kernel rootkits.** These kits replace a portion of the OS kernel so the rootkit can start automatically when the OS loads.
- **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
## The countermeasures
Windows supports four features to help prevent rootkits and bootkits from loading during the startup process:
- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted OS bootloaders.
- **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it.
- **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
- **Measured Boot.** The PC's firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC's health.
Figure 1 shows the Windows startup process.
.png)
*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*:
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.
## Secure Boot
When a PC starts, it first finds the OS bootloader. PCs without Secure Boot run whatever bootloader is on the PC's hard drive. There's no way for the PC to tell whether it's a trusted OS or a rootkit.
When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
- **The bootloader was signed using a trusted certificate.** For PCs certified for Windows, the Microsoft certificate is trusted.
- **The user has manually approved the bootloader's digital signature.** This action allows the user to load non-Microsoft operating systems.
All x86-based Certified For Windows PCs must meet several requirements related to Secure Boot:
- They must have Secure Boot enabled by default.
- They must trust Microsoft's certificate (and thus any bootloader Microsoft has signed).
- They must allow the user to configure Secure Boot to trust other bootloaders.
- They must allow the user to completely disable Secure Boot.
These requirements help protect you from rootkits while allowing you to run any OS you want. You have three options for running non-Microsoft operating systems:
- **Use an OS with a certified bootloader.** Because all Certified For Windows PCs must trust Microsoft's certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to <https://partner.microsoft.com/dashboard>.
- **Configure UEFI to trust your custom bootloader.** All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any OS, including homemade operating systems.
- **Turn off Secure Boot.** All *Certified For Windows* PCs allow you to turn off Secure Boot so that you can run any software. This action doesn't help protect you from bootkits, however.
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps:
1. Open the firmware menu, either:
- Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
- Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA".
3. Save changes and exit.
Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
## Trusted Boot
Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
## Early Launch Anti-Malware
Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don't start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the OS hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it.
An ELAM driver isn't a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows) supports ELAM, as does several non-Microsoft anti-malware apps.
## Measured Boot
If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn't work with rootkits that hide their presence. In other words, you can't trust the client to tell you whether it's healthy.
As a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. Infected PCs continue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and potentially allowing the rootkit to spread across the internal network.
Measured Boot works with the TPM and non-Microsoft software in Windows. It allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
1. The PC's UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key.
3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.
4. The client sends the log to the server, possibly with other security information.
Depending on the implementation and configuration, the server can now determine whether the client is healthy. It can grant the client access to either a limited quarantine network or to the full network.
Figure 2 illustrates the Measured Boot and remote attestation process.
.png)
*Figure 2. Measured Boot proves the PC's health to a remote server*:
Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to confidently assess the trustworthiness of a client PC across the network.
## Summary
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. With Windows, you can trust the integrity of your OS.
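Review bot: both figure references in this new file survive only as a bare `.png)` line (after "Figure 1 shows the Windows startup process." and after "Figure 2 illustrates the Measured Boot and remote attestation process."), so the full `![alt text](images/<file>.png)` markdown needs to be restored before this merges, otherwise the captions for Figure 1 and Figure 2 refer to images that never render. Two smaller text issues in the same hunk: "increase s the attack surface" in the paragraph beginning "The default state of Secure Boot" should be "increases the attack surface", and "as does several non-Microsoft anti-malware apps" in the ELAM section should be "as do several". Finally, the sentence "Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1" sits in a file whose `appliesto` block lists only Windows 11 and Windows 10; since the content is being relocated anyway, that sentence should be reworded or dropped so the article does not contradict its own metadata.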
@ -1,28 +1,28 @@
items:
- name: Secure the Windows boot process
href: ../../information-protection/secure-the-windows-10-boot-process.md
href: secure-the-windows-10-boot-process.md
- name: Secure Boot and Trusted Boot
href: ../../trusted-boot.md
- name: Measured Boot
href: trusted-boot.md
- name: Measured Boot 🔗
href: /windows/compatibility/measured-boot
- name: Device health attestation service
href: ../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
- name: Cryptography and certificate management
href: ../../cryptography-certificate-mgmt.md
href: cryptography-certificate-mgmt.md
- name: The Windows Security app
href: ../../threat-protection/windows-defender-security-center/windows-defender-security-center.md
href: windows-defender-security-center/windows-defender-security-center.md
items:
- name: Virus & threat protection
href: ../../threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
|
||||
href: windows-defender-security-center\wdsc-virus-threat-protection.md
|
||||
- name: Account protection
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-account-protection.md
|
||||
href: windows-defender-security-center\wdsc-account-protection.md
|
||||
- name: Firewall & network protection
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
|
||||
href: windows-defender-security-center\wdsc-firewall-network-protection.md
|
||||
- name: App & browser control
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
|
||||
href: windows-defender-security-center\wdsc-app-browser-control.md
|
||||
- name: Device security
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-device-security.md
|
||||
href: windows-defender-security-center\wdsc-device-security.md
|
||||
- name: Device performance & health
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
|
||||
href: windows-defender-security-center\wdsc-device-performance-health.md
|
||||
- name: Family options
|
||||
href: ../../threat-protection\windows-defender-security-center\wdsc-family-options.md
|
||||
href: windows-defender-security-center\wdsc-family-options.md
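Review bot: the seven hrefs under "The Windows Security app" keep backslashes as path separators (`windows-defender-security-center\wdsc-virus-threat-protection.md` and the entries after it) while every other href in this TOC, including the parent `windows-defender-security-center/windows-defender-security-center.md`, uses forward slashes. Since this PR rewrites these paths anyway, normalising them to `windows-defender-security-center/wdsc-virus-threat-protection.md` (and likewise for the rest) keeps the file consistent and avoids relying on the build tooling tolerating backslashes.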
@ -0,0 +1,36 @@
---
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual
ms.date: 09/21/2021
ms.prod: windows-client
ms.technology: itpro-security
ms.reviewer: jsuther
---

# Secure Boot and Trusted Boot

*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.*

Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

## Secure Boot

The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.

As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with.

## Trusted Boot

Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product's early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.

Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.

[!INCLUDE [secure-boot-and-trusted-boot](../../../../includes/licensing/secure-boot-and-trusted-boot.md)]

## See also

[Secure the Windows boot process](secure-the-windows-10-boot-process.md)
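Review bot: in the Trusted Boot paragraph, "If any of these files were tampered" is missing its particle and should read "If any of these files have been tampered with"; and the opening sentence of the Secure Boot section repeats itself ("after the initial hardware and firmware boot sequences have safely finished their early boot sequences"), where "after the initial hardware and firmware boot sequences have safely finished" says the same thing once. As this file is being moved rather than newly written, `ms.date: 09/21/2021` is also worth refreshing if the wording is touched.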
@ -0,0 +1,44 @@
---
title: Account protection in the Windows Security app
description: Use the Account protection section to manage security for your account and sign in to Microsoft.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 12/31/2018
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---


# Account protection

The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:

- [Microsoft Account](https://account.microsoft.com/account/faq)
- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)

You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features.

## Hide the Account protection section

You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.

You can only configure these settings by using Group Policy.

> [!IMPORTANT]
> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
1. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
1. Expand the tree to **Windows components > Windows Security > Account protection**.
1. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**.
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
> ![Windows Security app with all sections hidden.](images/wdsc-all-hide.png)
@ -0,0 +1,57 @@
---
title: App & browser control in the Windows Security app
description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 12/31/2018
manager: aaroncz
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# App and browser control

The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).

In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).

You can also choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.

## Prevent users from making changes to the Exploit protection area in the App & browser control section

You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those settings for Windows Defender SmartScreen, unless those options have been configured separately.

You can only prevent users from modifying Exploit protection settings by using Group Policy.

> [!IMPORTANT]
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

## Hide the App & browser control section

You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.

This section can be hidden only by using Group Policy.

> [!IMPORTANT]
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**, select **Policies** and then **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > App and browser protection**.
4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
> ![Windows Security app with all sections hidden.](images/wdsc-all-hide.png)
@ -0,0 +1,61 @@
---
title: Customize Windows Security contact information
description: Provide information to your employees on how to contact your IT department when a security issue occurs
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 12/31/2018
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# Customize the Windows Security app for your organization

You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.

![The security center custom fly-out.](images/security-center-custom-flyout.png)

This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).

Users can select the displayed information to initiate a support request:

- Select **Call** or the phone number to open Skype to start a call to the displayed number.
- Select **Email** or the email address to create a new email in the machine's default email app address to the displayed email.
- Select **Help portal** or the website URL to open the machine's default web browser and go to the displayed address.

## Requirements

You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

## Use Group Policy to enable and customize contact information

There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.

1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or select one or the other:

1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.

> [!NOTE]
> This can only be done in Group Policy.

2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.

5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:

1. **Specify contact email address or Email ID**
2. **Specify contact phone number or Skype ID**
3. **Specify contact website**

7. Select **OK** after you configure each setting to save your changes.

To enable the customized notifications and add the contact information in Intune, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) and [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings).

> [!IMPORTANT]
> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
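Review bot: the second bullet under "Users can select the displayed information" is garbled: "create a new email in the machine's default email app address to the displayed email" should read "create a new email, addressed to the displayed email address, in the machine's default email app". Step 5 also says "you must configure the **Specify contact company name** to **Enabled**", which is missing the word "setting" ("configure the **Specify contact company name** setting to **Enabled**"), and the procedure mixes "click" and "select" for the same UI actions.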
@ -0,0 +1,42 @@
---
title: Device & performance health in the Windows Security app
description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
ms.date: 12/31/2018
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---


# Device performance and health

The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).

The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.

In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.

## Hide the Device performance & health section

You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.

This section can be hidden only by using Group Policy.

> [!IMPORTANT]
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Security > Device performance and health**.
1. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
> ![Windows Security app with all sections hidden.](images/wdsc-all-hide.png)
@ -0,0 +1,61 @@
---
title: Device security in the Windows Security app
description: Use the Device security section to manage security built into your device, including virtualization-based security.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 12/31/2018
manager: aaroncz
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# Device security

The **Device security** section contains information and settings for built-in device security.

You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.

## Hide the Device security section

You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.

> [!IMPORTANT]
> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
> ![Windows Security app with all sections hidden.](images/wdsc-all-hide.png)

## Disable the Clear TPM button

If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.

> [!IMPORTANT]
> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

## Hide the TPM Firmware Update recommendation

If you don't want users to see the recommendation to update TPM firmware, you can disable it.

1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
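Review bot: the "Hide the TPM Firmware Update recommendation" procedure has no [!IMPORTANT] minimum-version note, while the two procedures above it state version 1803 and 1809 respectively and warn that older ADMX/ADML templates lack the setting; if this policy has a comparable requirement it should be documented the same way, and if it has none, a sentence saying so would stop readers assuming the 1809 note applies. Minor: the "Hide the Device security section" paragraph folds "You can hide the device security section by using Group Policy only" into the paragraph, whereas the sibling pages put "This section can be hidden only by using Group Policy" on its own line; either is fine but they should match.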
@ -0,0 +1,42 @@
---
title: Family options in the Windows Security app
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 12/31/2018
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---


# Family options

The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.

Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)

In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.

## Hide the Family options section

You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.

This section can be hidden only by using Group Policy.

> [!IMPORTANT]
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Security > Family options**.
1. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
> ![Windows Security app with all sections hidden.](images/wdsc-all-hide.png)
@ -0,0 +1,38 @@
---
title: Firewall and network protection in the Windows Security app
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 12/31/2018
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# Firewall and network protection

The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).

In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.

## Hide the Firewall & network protection section

You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.

This section can be hidden only by using Group Policy.

> [!IMPORTANT]
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
1. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
1. Deploy the updated GPO as you normally do.

> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
> ![Windows Security app with all sections hidden.](images/wdsc-all-hide.png)
@ -0,0 +1,120 @@
---
title: Hide notifications from the Windows Security app
description: Prevent Windows Security app notifications from appearing on user endpoints
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 12/31/2018
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# Hide Windows Security app notifications

The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.

In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.

There are two levels to hiding notifications:

1. Hide non-critical notifications, such as regular updates about the number of scans Microsoft Defender Antivirus ran in the past week
2. Hide all notifications

If you set **Hide all notifications** to **Enabled**, changing the **Hide non-critical notifications** setting will have no effect.

You can only use Group Policy to change these settings.

## Use Group Policy to hide non-critical notifications

You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).

These notifications can be hidden only by using Group Policy.

> [!IMPORTANT]
> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
1. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

## Use Group Policy to hide all notifications

You can hide all notifications that are sourced from the Windows Security app. This option may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.
|
||||
|
||||
These notifications can be hidden only by using Group Policy.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
|
||||
|
||||
> [!NOTE]
|
||||
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
|
||||
|
||||
1. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> You can use the following registry key and DWORD value to **Hide all notifications**.
|
||||
> **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
|
||||
**"DisableNotifications"=dword:00000001**
|
||||
> You can use the following registry key and DWORD value to **Hide not-critical notifications**.
|
||||
>**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
|
||||
**"DisableEnhancedNotifications"=dword:00000001**
|
||||
|
||||
## Notifications
|
||||
|
||||
| Purpose | Notification text | Toast Identifier | Critical? |Notification Toggle|
|
||||
|---------|------------------|-------------|-----------|---------|
|
||||
| Network isolation | Your IT administrator has caused Windows Defender to disconnect your device. Contact IT help desk. | SENSE_ISOLATION | Yes |Firewall and network protection notification|
|
||||
| Network isolation customized | _Company name_ has caused Windows Defender to disconnect your device. Contact IT help desk _phone number_, _email address_, _url_. | SENSE_ISOLATION_CUSTOM (body) | Yes |Firewall and network protection notification|
|
||||
| Restricted access | Your IT administrator has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION | Yes |Firewall and network protection notification|
|
||||
| Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes |Firewall and network protection notification|
|
||||
| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification|
|
||||
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
|
||||
| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
|
||||
| Remediation failure | Microsoft Defender Antivirus couldn't completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification|
|
||||
| OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |Virus & threat protection notification|
|
||||
| Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |Virus & threat protection notification|
|
||||
| Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |Virus & threat protection notification|
|
||||
| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus didn't find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |Virus & threat protection notification|
|
||||
| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus didn't find any threats since your last summary. | RECAP_NO_THREATS | No |Virus & threat protection notification|
|
||||
| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
|
||||
| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
|
||||
| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
|
||||
| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You're also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification|
|
||||
| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification|
|
||||
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
|
||||
| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| Ransomware specific detection | Microsoft Defender Antivirus has detected threats, which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |Virus & threat protection notification|
|
||||
| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |Firewall and network protection notification|
|
||||
| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |Firewall and network protection notification|
|
||||
| Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No |Firewall and network protection notification|
|
||||
| PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No |Firewall and network protection notification|
|
||||
| PUA notification | Your IT settings caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |Firewall and network protection notification|
|
||||
| PUA notification, customized | _Company_ caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| Network isolation ended | | | No |Firewall and network protection notification|
|
||||
| Network isolation ended, customized | | | No |Firewall and network protection notification|
|
||||
| Restricted access ended | | | No |Firewall and network protection notification|
|
||||
| Restricted access ended, customized | | | No |Firewall and network protection notification|
|
||||
| Dynamic lock on, but bluetooth off | | | No |Account protection notification|
|
||||
| Dynamic lock on, bluetooth on, but device unpaired | | | No |Account protection notification|
|
||||
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |Account protection notification|
|
||||
| NoPa or federated no hello | | | No |Account protection notification|
|
||||
| NoPa or federated hello broken | | | No |Account protection notification|
|
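Review bot: the registry NOTE at the end of the "Use Group Policy to hide all notifications" procedure is a broken blockquote: the lines `**"DisableNotifications"=dword:00000001**` and `**"DisableEnhancedNotifications"=dword:00000001**` lack the `>` prefix, so they render as loose body text outside the note, and the second paragraph says "Hide not-critical notifications" for the setting that is called "Hide non-critical notifications" everywhere else on the page. Prefix both value lines with `>` (or put each key and value pair in a fenced block inside the note) and fix the name. Two more issues in the same procedure: the `> [!NOTE]` inserted between step 3 and step 4 splits the `1.` numbered list, so the remaining steps restart at 1 when rendered, and it only restates the path already given in step 3; fold it into step 3 or drop it. The IMPORTANT box also says the settings require Windows 10, version 1903 or higher and that earlier ADMX/ADML files do not include them, yet step 3 (in both procedures) still gives a path "For Windows 10 version 1803 and below"; either the requirement or the 1803 path is wrong and the two should be reconciled (the non-critical procedure's step 3 is also missing its trailing period). On the security side, the "hide all notifications" section should say what the table below makes visible: enabling it also suppresses every toast marked `Critical? = Yes`, including `CLEAN_FAILED` (remediation failure), `MANUALSTEPS_REQUIRED` (restart and scan required) and the `SENSE_ISOLATION` / `SENSE_PROCESS_RESTRICTION` containment notices, so an admin who enables it needs another reporting channel for those events; the page already mentions Windows Update for Business reports and Configuration Manager reporting for the non-critical case and could point to them here too. In the Notifications table, `RECAP_NO THREATS_SCANNED` contains a space and by analogy with `RECAP_NO_THREATS` is probably `RECAP_NO_THREATS_SCANNED`; "Network protect (HIPS)" and "Network protection (HIPS)" should use the same wording; and the last ten rows (from "Network isolation ended" to "NoPa or federated hello broken") have empty Notification text and Toast Identifier cells, which leaves the Account protection toggle with no documented toast identifiers at all.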
@ -0,0 +1,69 @@
|
||||
---
|
||||
title: Virus and threat protection in the Windows Security app
|
||||
description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
|
||||
keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.technology: itpro-security
|
||||
ms.date: 12/31/2017
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# Virus and threat protection
|
||||
|
||||
The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
|
||||
|
||||
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
|
||||
|
||||
IT administrators and IT pros can get more configuration information from these articles:
|
||||
|
||||
- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
|
||||
- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
|
||||
- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
|
||||
- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
|
||||
- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
|
||||
- [Ransomware detection and recovering your files](https://support.office.com/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
|
||||
|
||||
You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
|
||||
|
||||
## Hide the Virus & threat protection section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
|
||||
1. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
> 
|
||||
|
||||
## Hide the Ransomware protection area
|
||||
|
||||
You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
|
||||
|
||||
This area can be hidden only by using Group Policy.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
1. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
|
||||
1. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
|
||||
1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
|
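Review bot: step 4 of "Hide the Ransomware protection area" opens the setting **Hide the Ransomware data recovery area**, while the heading, the introduction and the tree path all call the area "Ransomware protection"; if that is the real policy name, add a sentence saying that the setting's name differs from the area's name in the app, otherwise readers will look for a "Hide the Ransomware protection area" setting that does not exist. Neither procedure states whether hiding the section or area changes the protection state of Microsoft Defender Antivirus or Controlled folder access; since the page's stated purpose is to keep employees from seeing "user-configured options", one sentence clarifying that the policy only affects what the app shows (or, if it does more, what) would stop admins from reading a hidden section as disabled protection. Metadata: `keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide` lists smartscreen and exploit, which belong to the App & browser control page rather than this one, and `ms.date: 12/31/2017` predates the Windows 10, version 1803 content the page describes. Wording: "In Windows 10, version 1803, this section also contains" reads as if only that version has the ransomware settings; the app overview page in this commit uses "version 1709 and later" for the same kind of statement, and this sentence should say "version 1803 and later" if that is intended.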
@ -0,0 +1,103 @@
|
||||
---
|
||||
title: The Windows Security app
|
||||
description: The Windows Security app brings together common Windows security features into one place.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
ms.date: 12/31/2017
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
---
|
||||
|
||||
# The Windows Security app
|
||||
|
||||
This library describes the Windows Security app, and provides information on configuring certain features, including:
|
||||
|
||||
- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
|
||||
- [Hiding notifications](wdsc-hide-notifications.md)
|
||||
|
||||
In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps.
|
||||
|
||||
In Windows 10, version 1803, the app has two new areas: **Account protection** and **Device security**.
|
||||
|
||||

|
||||
|
||||
> [!NOTE]
|
||||
> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
|
||||
|
||||
You can't uninstall the Windows Security app, but you can do one of the following actions:
|
||||
|
||||
- Disable the interface on Windows Server 2016.
|
||||
- Hide all of the sections on client computers.
|
||||
- Disable Microsoft Defender Antivirus, if needed. For more information, see [Enable and configure Microsoft Defender Antivirus always-on protection in group policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).
|
||||
|
||||
For more information about each section, options for configuring the sections, and how to hide each of them, see the following articles:
|
||||
|
||||
- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including Controlled folder access, and sign-in to Microsoft OneDrive.
|
||||
- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings.
|
||||
- [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall.
|
||||
- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations.
|
||||
- [Device security](wdsc-device-security.md), which provides access to built-in device security settings.
|
||||
- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
|
||||
- [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
|
||||
|
||||
> [!NOTE]
|
||||
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
|
||||
>
|
||||
> 
|
||||
|
||||
## Open the Windows Security app
|
||||
|
||||
- Select the icon in the notification area on the taskbar.
|
||||
|
||||

|
||||
|
||||
- Search the Start menu for **Windows Security**.
|
||||
|
||||

|
||||
|
||||
- Open an area from Windows **Settings**.
|
||||
|
||||

|
||||
|
||||
> [!NOTE]
|
||||
> Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Configuration Manager, will generally take precedence over the settings in the Windows Security.
|
||||
|
||||
## How the Windows Security app works with Windows security features
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
|
||||
>
|
||||
> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
|
||||
>
|
||||
> These services don't affect the state of Microsoft Defender Antivirus. Disabling or modifying these services won't disable Microsoft Defender Antivirus. It will lead to a lowered protection state on the endpoint, even if you're using a third-party antivirus product.
|
||||
>
|
||||
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
|
||||
>
|
||||
> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
|
||||
|
||||
> [!WARNING]
|
||||
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
|
||||
>
|
||||
> It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
|
||||
>
|
||||
> This will significantly lower the protection of your device and could lead to malware infection.
|
||||
|
||||
The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
|
||||
|
||||
It acts as a collector or single place to see the status and perform some configuration for each of the features.
|
||||
|
||||
If you disable any of the individual features, it will prevent that feature from reporting its status in the Windows Security app. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager. The Windows Security app itself will still run and show status for the other security features.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you individually disable any of the services, it won't disable the other services or the Windows Security app.
|
||||
|
||||
For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
|
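Review bot: the IMPORTANT box under "How the Windows Security app works with Windows security features" and the WARNING right after it make conflicting claims about the Windows Security Center Service. The first says `> These services don't affect the state of Microsoft Defender Antivirus. Disabling or modifying these services won't disable Microsoft Defender Antivirus. It will lead to a lowered protection state on the endpoint, even if you're using a third-party antivirus product.` while the second says disabling the service "may also prevent Microsoft Defender Antivirus from enabling itself" when a third-party antivirus is outdated or removed; reconcile them by stating that disabling the service does not switch Microsoft Defender Antivirus off directly but can keep it from switching back on, and give "It" in the third sentence a clear antecedent ("Disabling them will, however, lead to..."). Grammar elsewhere in the hunk: "antivirus ransomware protection settings" in the Virus & threat protection bullet should be "antivirus and ransomware protection settings"; "take precedence over the settings in the Windows Security." is missing "app"; and "For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager." is a sentence fragment that should be joined to the sentence before it. The "Disable the interface on Windows Server 2016" bullet gives no link or procedure and Server 2016 is not in `appliesto`, so either link the procedure or drop the bullet; and the "Disable Microsoft Defender Antivirus, if needed" bullet links to an article titled "Enable and configure Microsoft Defender Antivirus always-on protection in group policy", so the link target or its text should be checked.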