diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 3bc0351b4d..0a07dfca35 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -126,11 +126,12 @@ The following tables provide more information about the hardware, firmware, and
-#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10)
+#### 2017 Additional Security Recommendations (starting with Windows 10, version 1703)
| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
- UEFI runtime service musty meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
- This only applies to UEFI runtime service memory, and not UEFI bootb service memory.
- This protection is applied by VBS on OS page tables.
Please also note the following:
- Do not use sections that are both writeable and exceutable
- Do not attempt to directly modify xceutable system memory
- Do not use dynamic code
**Security benefits**:
- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
## Manage Credential Guard
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 5ccb7b399f..8a2a5ff86c 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -76,18 +76,18 @@ The following tables describes additional hardware and firmware requirements, an
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017)
+#### 2017 Additional Security Recommendations (starting with Windows 10, version 1703)
-| Protections for Improved Security - requirement | Description |
+| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **UEFI NX Protections** | **Requirements**:
- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.
UEFI Runtime Services:
- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
- UEFI runtime service musty meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
- This only applies to UEFI runtime service memory, and not UEFI bootb service memory.
- This protection is applied by VBS on OS page tables.
Please also note the following:
- Do not use sections that are both writeable and exceutable
- Do not attempt to directly modify xceutable system memory
- Do not use dynamic code
**Security benefits**:
- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
## Device Guard deployment in different scenarios: types of devices