Merge branch 'main' into windows-docs-Release-branch

.openpublishing.redirection.json

@@ -5210,6 +5210,86 @@
       "redirect_url": "/windows/security/threat-protection/windows-security-baselines",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security//threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md",
+      "redirect_url": "/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md",
+      "redirect_url": "/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//information-protection/kernel-dma-protection-for-thunderbolt.md",
+      "redirect_url": "/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md",
+      "redirect_url": "/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md",
+      "redirect_url": "/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md",
+      "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/mbsa-removal-and-guidance.md",
+      "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md",
+      "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/windows-security-configuration-framework/windows-security-baselines.md",
+      "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md",
+      "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/install-md-app-guard.md",
+      "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md",
+      "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md",
+      "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md",
+      "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md",
+      "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security//threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml",
+      "redirect_url": "/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/threat-protection/windows-information-protection/app-behavior-with-wip.md",
       "redirect_url": "/windows/security/information-protection/windows-information-protection/app-behavior-with-wip",
@@ -21774,17 +21854,17 @@
       "source_path": "windows/deployment/update/update-compliance-get-started.md",
       "redirect_url": "/windows/deployment/update/wufb-reports-overview",
       "redirect_document_id": false
-    }, 
+    },
     {
       "source_path": "windows/deployment/update/update-compliance-configuration-script.md",
       "redirect_url": "/windows/deployment/update/wufb-reports-overview",
       "redirect_document_id": false
-    }, 
+    },
     {
       "source_path": "windows/deployment/update/update-compliance-configuration-manual.md",
       "redirect_url": "/windows/deployment/update/wufb-reports-overview",
       "redirect_document_id": false
-    }, 
+    },
     {
       "source_path": "windows/deployment/update/update-compliance-configuration-mem.md",
       "redirect_url": "/windows/deployment/update/wufb-reports-overview",
@@ -21839,7 +21919,7 @@
       "source_path": "windows/deployment/update/update-compliance-schema-waasinsiderstatus.md",
       "redirect_url": "/windows/deployment/update/wufb-reports-overview",
       "redirect_document_id": false
-    },  
+    },
     {
       "source_path": "windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md",
       "redirect_url": "/windows/deployment/update/wufb-reports-overview",
@@ -21871,4 +21951,4 @@
       "redirect_document_id": false
     }
   ]
-}
+}

includes/licensing/_edition-requirements.md

@@ -28,15 +28,15 @@ ms.topic: include
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
-|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|
 |**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|
-|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
@@ -51,7 +51,7 @@ ms.topic: include
 |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
 |**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
@@ -70,11 +70,11 @@ ms.topic: include
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
 |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
-|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|
 |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
-|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|
 |**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|

includes/licensing/_licensing-requirements.md

@@ -28,15 +28,15 @@ ms.topic: include
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
-|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|Yes|
 |**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes|
-|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
@@ -51,7 +51,7 @@ ms.topic: include
 |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
@@ -70,11 +70,11 @@ ms.topic: include
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
 |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|

windows/client-management/mdm/policy-csp-controlpolicyconflict.md

@@ -44,7 +44,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
 > [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates. 
 
 This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
 

windows/client-management/mdm/policy-csp-deviceguard.md

@@ -42,7 +42,7 @@ Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user,
 
 <!-- ConfigureSystemGuardLaunch-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
+For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows).
 <!-- ConfigureSystemGuardLaunch-Editable-End -->
 
 <!-- ConfigureSystemGuardLaunch-DFProperties-Begin -->

windows/deployment/do/waas-delivery-optimization-faq.yml

@@ -12,7 +12,7 @@ metadata:
     - highpri
     - tier3
   ms.topic: faq
-  ms.date: 06/28/2023
+  ms.date: 07/11/2023
 title: Delivery Optimization Frequently Asked Questions
 summary: |
   **Applies to**
@@ -35,7 +35,7 @@ sections:
 
       - question: What are the requirements if I use a proxy?
         answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
-           
+
       - question: What hostnames should I allow through my firewall to support Delivery Optimization?
         answer: | 
           **For communication between clients and the Delivery Optimization cloud service**:
@@ -57,6 +57,11 @@ sections:
 
           For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
 
+      - question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
+        answer: | 
+          Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and Microsoft's Connected Cache (MCC) servers, which are hosted within Internet Service Provider (ISP) networks. 
+          The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible. 
+        
       - question: Does Delivery Optimization use multicast?
         answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
           
@@ -100,7 +105,7 @@ sections:
 
       - question: How are downloads initiated by Delivery Optimization?
         answer: |
-         Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
+          Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
             
       - question: How does Delivery Optimization determine which content is available for peering?
         answer: |
@@ -120,9 +125,9 @@ sections:
           Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage. 
           If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
           Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
-         
+
           > [!NOTE]
-          > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser.  If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
+          > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser.  If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
       
       - question: Delivery Optimization is using device resources and I can't tell why?
         answer: |

windows/deployment/windows-10-enterprise-e3-overview.md

@@ -61,7 +61,7 @@ Windows 10 Enterprise edition has many features that are unavailable in Windows
 |Feature|Description|
 |--- |--- |
 |Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** -  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
-|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
+|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
 |AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
 |Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
 |User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<br><br>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
@@ -120,7 +120,7 @@ Now that the devices have Windows 10/11 Enterprise, you can implement Device Gua
 
 For more information about implementing Device Guard, see:
 
-- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
 - [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
 
 ### AppLocker management

windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md

@@ -1,7 +1,7 @@
 ---
 title: What is Windows Autopatch?
 description: Details what the service is and shortcuts to articles.
-ms.date: 07/11/2022
+ms.date: 07/11/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -23,14 +23,14 @@ Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps
 
 Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today:
 
-- **Close the security gap**: By keeping software current, there are fewer vulnerabilities and threats to your devices.
+- **Close the security gap**: Windows Autopatch keeps software current, there are fewer vulnerabilities and threats to your devices.
-- **Close the productivity gap**: By adopting features as they're made available, users get the latest tools to enhance creation and collaboration.
+- **Close the productivity gap**: Windows Autopatch adopts features as they're made available. End users get the latest tools to amplify their collaboration and work.
-- **Optimize your IT admin resources**: By automating routine endpoint updates, IT pros have more time to create value.
+- **Optimize your IT admin resources**: Windows Autopatch automates routine endpoint updates. IT pros have more time to create value.
 - **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud.  
-- **Onboard new services**: Windows Autopatch is scoped to make it easy to enroll and minimizes the time investment from your IT Admins to get started.  
+- **Onboard new services**: Windows Autopatch makes it easy to enroll and minimizes the time required from your IT Admins to get started.  
-- **Minimize end user disruption**: By releasing in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
+- **Minimize end user disruption**: Windows Autopatch releases updates in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
 
-Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. By crafting careful rollout sequences and communicating with you throughout the release, your IT Admins can focus on other activities and tasks.
+Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, allowing your IT Admins can focus on other activities and tasks.
 
 ## Update management
 
@@ -44,11 +44,11 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
 | [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
 | [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
 
-For each management area, there's a set of eligibility requirements that determine if the device will receive that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area.
+For each management area, there's a set of eligibility requirements that determine if the device receives that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area.
 
 To determine if we're meeting our service level objectives, all eligible devices are labeled as either "Healthy" or "Unhealthy". Healthy devices are meeting the eligibility requirements for that management area and unhealthy devices aren't. If Windows Autopatch falls below any service level objective for a management area, an incident is raised. Then, we bring the service back into compliance.
 
-While an update is in progress, it's monitored by Windows Autopatch. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service.
+Windows Autopatch monitors in-progress updates. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service.
 
 ## Messages
 
@@ -62,10 +62,10 @@ Microsoft remains committed to the security of your data and the [accessibility]
 
 | Area | Description |
 | ----- | ----- |
-| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li></ul> |
+| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li><li>[Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</ul> |
-| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
+| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li><li>[Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md)</li></ul> |
-| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-update-management.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
+| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-groups-update-management.md)</li><li>[Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
-| References | This section includes the following articles:<ul><li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li><li>[Privacy](../overview/windows-autopatch-privacy.md)</li><li>[Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)</li></ul> |
+| References | This section includes the following articles:<ul><li>[Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md)<li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li></ul> |
 
 ### Have feedback or would like to start a discussion?
 

windows/privacy/windows-10-and-privacy-compliance.md

@@ -84,10 +84,10 @@ The following table provides an overview of the privacy settings discussed earli
 | [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**<br /><br />MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
 | [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)<br /><br />MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)<br /><br />**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. For more information, see [Enabling the Windows diagnostic data processor configuration](#237-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)<br /><br />Server editions:<br />Enhanced diagnostic data | Security (Off) and block endpoints |
 | [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**<br /><br />MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off |
-| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | 
+| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
-| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | 
+| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
-| Activity History/Timeline – Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off | 
+| Activity History/Timeline – Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
-| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**<br /><br />MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off | 
+| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**<br /><br />MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
 
 ### 2.3 Guidance for configuration options
 
@@ -249,7 +249,7 @@ An administrator can configure privacy-related settings, such as choosing to onl
 * [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
 * [Windows IT Pro Docs](/windows/#pivot=it-pro)
 * [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) 
+* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 * [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
 * [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
 * [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)

windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md

@@ -5,7 +5,7 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.custom: asr
 ms.technology: itpro-security
@@ -21,12 +21,12 @@ ms.topic: article
 - Windows 11
 - Windows Server 2016 and higher
 
-Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md).
+Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
 
 > [!NOTE]
 > Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
 
-WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.  
+WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.
 
 Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
 
@@ -44,6 +44,6 @@ WDAC has no specific hardware or software requirements.
 
 ## Related articles
 
-- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
+- [Windows Defender Application Control](../../threat-protection/windows-defender-application-control/windows-defender-application-control.md)
-- [Memory integrity](enable-virtualization-based-protection-of-code-integrity.md)
+- [Memory integrity](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
 - [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)

windows/security/application-security/application-control/toc.yml

@@ -8,8 +8,8 @@ items:
   - name: UAC settings and configuration
     href: user-account-control/settings-and-configuration.md
 - name: Windows Defender Application Control and virtualization-based protection of code integrity
-  href: ../../threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+  href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
 - name: Windows Defender Application Control
   href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
 - name: Smart App Control
-  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
+  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md

windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md

@@ -1,35 +1,20 @@
 ---
-title: Configure the Group Policy settings for Microsoft Defender Application Guard 
+title: Configure the Group Policy settings for Microsoft Defender Application Guard
 description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-author: vinaypamnani-msft
+ms.date: 07/11/2023
-ms.author: vinpa
-ms.date: 08/22/2022
-ms.reviewer: 
-manager: aaroncz
-ms.custom: sasr
-ms.technology: itpro-security
 ms.topic: how-to
 ---
 
 # Configure Microsoft Defender Application Guard policy settings
 
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.
 
 Application Guard uses both network isolation and application-specific settings.
 
-[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)]
+[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)]
 
-For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview).
+For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](md-app-guard-overview.md).
 
 ## Network isolation settings
 
@@ -75,4 +60,3 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
 These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
 
 [Use Group Policy to enable and customize contact information](/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information#use-group-policy-to-enable-and-customize-contact-information).
-

windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml

@@ -2,25 +2,15 @@
 metadata:
   title: FAQ - Microsoft Defender Application Guard (Windows 10)
   description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
-  ms.mktglfcycl: manage
-  ms.sitesec: library
-  ms.pagetype: security
   ms.localizationpriority: medium
-  ms.prod: windows-client
-  ms.technology: itpro-security
-  author: vinaypamnani-msft
-  ms.author: vinpa
-  ms.reviewer:
-  manager: aaroncz
-  ms.custom: asr
   ms.topic: faq
-  ms.date: 12/31/2017
+  ms.date: 07/11/2023
 title: Frequently asked questions - Microsoft Defender Application Guard
 summary: |
 
-  
+
   This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
-  
+
   ## Frequently Asked Questions
 
 sections:
@@ -30,34 +20,34 @@ sections:
           Can I enable Application Guard on machines equipped with 4-GB RAM?
         answer: |
           We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
-          
+
           `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
-          
+
           `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
-          
+
           `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
-       
+
       - question: |
           My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
         answer: |
          The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
-         
+
          To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
-        
+
          - Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral.”
          - It must be an FQDN. A simple IP address won't work.
          - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
-        
+
       - question: |
           How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
         answer: |
           Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These annotations would be for the proxy policies under Network Isolation in Group Policy or Intune.
-          
+
       - question: |
           Which Input Method Editors (IME) in 19H1 aren't supported?
         answer: |
           The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
-          
+
           - Vietnam Telex keyboard
           - Vietnam number key-based keyboard
           - Hindi phonetic keyboard
@@ -70,7 +60,7 @@ sections:
           - Gujarati phonetic keyboard
           - Odia phonetic keyboard
           - Punjabi phonetic keyboard
-          
+
       - question: |
           I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
         answer: |
@@ -80,19 +70,19 @@ sections:
           What is the WDAGUtilityAccount local account?
         answer: |
           WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It's NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:
-          
+
           **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
-          
+
       - question: |
           How do I trust a subdomain in my site list?
         answer: |
           To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). These two dots prevent sites such as `fakesitecontoso.com` from being trusted.
-          
+
       - question: |
           Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
         answer: |
           When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
-          
+
       - question: |
           Is there a size limit to the domain lists that I need to configure?
         answer: |
@@ -107,15 +97,15 @@ sections:
           Why do the Network Isolation policies in Group Policy and CSP look different?
         answer: |
           There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
-          
+
           - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
-          
+
           - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
-          
+
           - For EnterpriseNetworkDomainNames, there's no mapped CSP policy.
-          
+
           Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
-          
+
       - question: |
           Why did Application Guard stop working after I turned off hyperthreading?
         answer: |
@@ -130,70 +120,70 @@ sections:
           Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
         answer: |
           This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
-          
+
-          - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
+          - [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md)
-          - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+          - [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
 
           ### First rule (DHCP Server)
           - Program path: `%SystemRoot%\System32\svchost.exe`
-          
+
           - Local Service: `Sid:  S-1-5-80-2009329905-444645132-2728249442-922493431-93864177  (Internet Connection Service (SharedAccess))`
-          
+
           - Protocol UDP
-          
+
           - Port 67
-          
+
           ### Second rule (DHCP Client)
           This rule is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
-          
+
           1. Right-click on inbound rules, and then create a new rule.
-          
+
           2. Choose **custom rule**.
-          
+
           3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
-          
+
           4. Specify the following settings:
               - Protocol Type: UDP
               - Specific ports: 67
               - Remote port: any
-          
+
           5. Specify any IP addresses.
-          
+
           6. Allow the connection.
-          
+
           7. Specify to use all profiles.
-          
+
           8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-          
+
           9. In the **Programs and services** tab, under the **Services** section, select **settings**.
-          
+
           10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
-          
+
       - question: |
           How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
         answer: |
           ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We don't recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
-          
+
           1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
-          
+
           2. Disable IpNat.sys from ICS load as follows: <br/>
           `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
-          
+
           3. Configure ICS (SharedAccess) to be enabled as follows: <br/>
           `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
-          
+
           4. (This step is optional) Disable IPNAT as follows: <br/>
           `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
-          
+
           5. Reboot the device.
-          
+
       - question: |
           Why doesn't the container fully load when device control policies are enabled?
         answer: |
           Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
-          
+
           Policy: Allow installation of devices that match any of the following device IDs:
-          
+
           - `SCSI\DiskMsft____Virtual_Disk____`
           - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
           - `VMS_VSF`
@@ -206,7 +196,7 @@ sections:
           - `root\storvsp`
           - `vms_vsmp`
           - `VMS_PP`
-          
+
           Policy: Allow installation of devices using drivers that match these device setup classes
           - `{71a27cdd-812a-11d0-bec7-08002be2092f}`
 
@@ -218,25 +208,25 @@ sections:
           1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
 
           2. Reboot the device.
-          
+
       - question: |
           What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
         answer: |
           This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
-         
+
       - question: |
           How do I open a support ticket for Microsoft Defender Application Guard?
         answer: |
          - Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
          - Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
-         
+
       - question: |
           Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
         answer: |
           Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`
-          
+
 additionalContent: |
 
   ## See also
-  
+
   [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)

windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md

@@ -1,22 +1,11 @@
 ---
 title: Enable hardware-based isolation for Microsoft Edge
 description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
-ms.prod: windows-client
+ms.date: 07/11/2023
-ms.localizationpriority: medium
+ms.topic: how-to
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 11/30/2022
-ms.reviewer:
-manager: aaroncz
-ms.custom: asr
-ms.technology: itpro-security
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
 ms.collection:
   - highpri
   - tier2
-ms.topic: how-to
 ---
 
 # Prepare to install Microsoft Defender Application Guard

windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md

@@ -1,25 +1,13 @@
 ---
 title: Microsoft Defender Application Guard Extension
 description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
-ms.prod: windows-client
 ms.localizationpriority: medium
-author: vinaypamnani-msft
+ms.date: 07/11/2023
-ms.author: vinpa
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.custom: asr
-ms.technology: itpro-security
 ms.topic: conceptual
 ---
 
 # Microsoft Defender Application Guard Extension
 
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
 [Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
 
 [Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.

windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md

@@ -1,19 +1,9 @@
 ---
-title: Microsoft Defender Application Guard 
+title: Microsoft Defender Application Guard
 description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-author: vinaypamnani-msft
+ms.date: 07/11/2023
-ms.author: vinpa
+ms.collection:
-ms.date: 05/01/2023
-ms.reviewer: 
-manager: aaroncz
-ms.custom: asr
-ms.technology: itpro-security
-ms.collection: 
   - highpri
   - tier2
 ms.topic: conceptual
@@ -21,11 +11,6 @@ ms.topic: conceptual
 
 # Microsoft Defender Application Guard overview
 
-**Applies to** 
-
-- Windows 10
-- Windows 11
-
 Microsoft Defender Application Guard (MDAG) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
 
 ## What is Application Guard and how does it work?
@@ -48,9 +33,9 @@ Application Guard has been created to target several types of devices:
 
 - **Personal devices**. These personally owned desktops or mobile laptops aren't domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
 
-[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
+[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
 
-For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
+For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md)
 
 ## Related articles
 
@@ -64,4 +49,3 @@ For more information about Microsoft Defender Application Guard (MDAG) for Edge
 | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
 |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
 |[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
-

windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md

@@ -1,24 +1,13 @@
 ---
 title: System requirements for Microsoft Defender Application Guard
 description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
-ms.prod: windows-client
-ms.technology: itpro-security
 ms.topic: overview
 ms.localizationpriority: medium
-author: vinaypamnani-msft
+ms.date: 07/11/2023
-ms.author: vinpa
-ms.date: 08/25/2022
-ms.reviewer: sazankha
-manager: aaroncz
 ---
 
 # System requirements for Microsoft Defender Application Guard
 
-**Applies to** 
-
-- Windows 10 Education, Enterprise, and Professional
-- Windows 11 Education, Enterprise, and Professional
-
 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
 
 > [!NOTE]

windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md

@@ -1,25 +1,13 @@
 ---
 title: Testing scenarios with Microsoft Defender Application Guard
 description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
-ms.prod: windows-client
-ms.technology: itpro-security
 ms.localizationpriority: medium
-author: vinaypamnani-msft
+ms.date: 07/11/2023
-ms.author: vinpa
-ms.reviewer: sazankha
-manager: aaroncz
-ms.date: 09/23/2022
-ms.custom: asr
 ms.topic: conceptual
 ---
 
 # Application Guard testing scenarios
 
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
 
 ## Application Guard in standalone mode
@@ -28,7 +16,7 @@ You can see how an employee would use standalone mode with Application Guard.
 
 ### To test Application Guard in Standalone mode
 
-1. [Install Application Guard](./install-md-app-guard.md).
+1. [Install Application Guard](install-md-app-guard.md).
 
 2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.
 
@@ -51,7 +39,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
 
 Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings.
 
-1. [Install Application Guard](./install-md-app-guard.md#install-application-guard).
+1. [Install Application Guard](install-md-app-guard.md#install-application-guard).
 
 2. Restart the device, and then start Microsoft Edge.
 

windows/security/application-security/application-isolation/toc.yml

@@ -2,7 +2,7 @@ items:
 - name: Microsoft Defender Application Guard (MDAG)
   href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
 - name: MDAG for Edge standalone mode
-  href: ../../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+  href: microsoft-defender-application-guard/md-app-guard-overview.md
 - name: MDAG for Edge enterprise mode and enterprise management 🔗
   href: /deployedge/microsoft-edge-security-windows-defender-application-guard
 - name: MDAG for Microsoft Office
@@ -12,9 +12,9 @@ items:
 - name: Windows containers 🔗
   href: /virtualization/windowscontainers/about
 - name: Windows Sandbox
-  href: ./windows-sandbox/windows-sandbox-overview.md
+  href: windows-sandbox/windows-sandbox-overview.md
   items:
   - name: Windows Sandbox architecture
-    href: ./windows-sandbox/windows-sandbox-architecture.md
+    href: windows-sandbox/windows-sandbox-architecture.md
   - name: Windows Sandbox configuration
-    href: ./windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+    href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md

windows/security/application-security/index.md

@@ -20,5 +20,5 @@ The following table summarizes the Windows security features and capabilities fo
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](../threat-protection/windows-defender-application-control/windows-defender-application-control.md) |
-| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). |
+| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md). |
-| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) |
+| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-isolation/windows-sandbox/windows-sandbox-overview.md) |

windows/security/docfx.json

@@ -73,8 +73,11 @@
     },
     "fileMetadata": {
       "author":{
+        "application-security//**/*.md": "vinaypamnani-msft",
+        "application-security//**/*.yml": "vinaypamnani-msft",
         "application-security/application-control/user-account-control/*.md": "paolomatarazzo",
-        "application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft",
+        "hardware-security/**/*.md": "vinaypamnani-msft",
+        "hardware-security/**/*.yml": "vinaypamnani-msft",
         "identity-protection/**/*.md": "paolomatarazzo",
         "identity-protection/**/*.yml": "paolomatarazzo",
         "operating-system-security/**/*.md": "vinaypamnani-msft",
@@ -87,9 +90,12 @@
         "operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
       },
       "ms.author":{
+        "application-security//**/*.md": "vinpa",
+        "application-security//**/*.yml": "vinpa",
         "application-security/application-control/user-account-control/*.md": "paoloma",
         "application-security/application-control/user-account-control/*.yml": "paoloma",
-        "application-security/application-isolation/windows-sandbox/**/*.md": "vinpa",
+        "hardware-security//**/*.md": "vinpa",
+        "hardware-security//**/*.yml": "vinpa",
         "identity-protection/**/*.md": "paoloma",
         "identity-protection/**/*.yml": "paoloma",
         "operating-system-security/**/*.md": "vinpa",
@@ -109,7 +115,18 @@
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
         ],
-        "application-security/application-isolation/windows-sandbox/**/*.md": [
+        "application-security//**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
+        ],
+        "application-security/application-control/user-account-control/**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
+        ],
+        "hardware-security//**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
         ],
@@ -131,13 +148,6 @@
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
         ],
-        "identity-protection/user-account-control/**/*.md": [
-          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
-          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
-          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
-          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
-          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
-        ],
         "identity-protection/virtual-smart-cards/**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
@@ -169,6 +179,13 @@
         "operating-system-security/data-protection/personal-data-encryption/*.yml": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
         ],
+        "operating-system-security/device-management/windows-security-configuration-framework/**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
+        ],
         "operating-system-security/network-security/windows-firewall/**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
@@ -178,12 +195,14 @@
         ]
       },
       "ms.reviewer": {
+        "application-security/application-isolation/microsoft-defender-application-guard/*.md": "sazankha",
         "identity-protection/hello-for-business/*.md": "erikdau",
         "identity-protection/credential-guard/*.md": "zwhittington",
         "identity-protection/access-control/*.md": "sulahiri",
         "operating-system-security/network-security/windows-firewall/*.md": "paoloma",
         "operating-system-security/network-security/vpn/*.md": "pesmith",
-        "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda"
+        "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
+        "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
       },
       "ms.collection": {
         "identity-protection/hello-for-business/*.md": "tier1",

windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md

@@ -1,30 +1,22 @@
 ---
 title: Enable memory integrity
 description: This article explains the steps to opt in to using memory integrity on Windows devices.
-ms.prod: windows-client
-ms.mktglfcycl: deploy
 ms.localizationpriority: medium
-ms.author: vinpa
+ms.collection:
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.collection: 
   - highpri
   - tier2
 ms.topic: conceptual
 ms.date: 03/16/2023
-ms.reviewer: 
+appliesto:
-ms.technology: itpro-security
+  - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
+  - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
+  - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>"
+  - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>"
+  - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
 ---
 
 # Enable virtualization-based protection of code integrity
 
-**Applies to** 
-
-- Windows 10
-- Windows 11
-- Windows Server 2016 or higher
-
 **Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
 
 > [!NOTE]
@@ -73,7 +65,7 @@ Enabling in Intune requires using the Code Integrity node in the [Virtualization
 
 4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
 
-   ![Enable memory integrity using Group Policy.](../images/enable-hvci-gp.png)
+   ![Enable memory integrity using Group Policy.](images/enable-hvci-gp.png)
 
 5. Select **Ok** to close the editor.
 

windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md

@@ -1,23 +1,16 @@
 ---
-title: How a Windows Defender System Guard helps protect Windows 10
+title: How a Windows Defender System Guard helps protect Windows
-description: Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof. Learn how it works.
+description: Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. Learn how it works.
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-search.appverid: met150
-ms.prod: windows-client
 ms.localizationpriority: medium
-author: vinaypamnani-msft
 ms.date: 03/01/2019
-ms.technology: itpro-security
 ms.topic: conceptual
 ---
 
-# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
+# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows
 
 To protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
 
-Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
+Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
 
 - Protect and maintain the integrity of the system as it starts up
 - Validate that system integrity has truly been maintained through local and remote attestation
@@ -29,47 +22,46 @@ Windows Defender System Guard reorganizes the existing Windows 10 system integri
 With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
 This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
 
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. 
+With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
-This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 
+This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
-This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). 
+This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
 
-As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. 
+As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
-Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist). 
+Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
 
 Each option has a drawback:
 
 - A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
-- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. 
+- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
 Also, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
 
 ### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
 
-[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). 
+[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
-DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. 
+DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
 This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
 
-
 ![System Guard Secure Launch.](images/system-guard-secure-launch.png)
 
-Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. 
+Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
 
 ### System Management Mode (SMM) protection
 
-System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. 
+System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
-Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. 
+Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
-SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. 
+SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
 
 To defend against this, two techniques are used:
 
- - Paging protection to prevent inappropriate access to code and data
+- Paging protection to prevent inappropriate access to code and data
- - SMM hardware supervision and attestation
+- SMM hardware supervision and attestation
 
-Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that hasn't been assigned. 
+Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that hasn't been assigned.
 
-A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to. 
+A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to.
 
-SMM protection is built on top of the Secure Launch technology and requires it to function. 
+SMM protection is built on top of the Secure Launch technology and requires it to function.
-In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with. 
+In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
 
 ## Validating platform integrity after Windows is running (run time)
 
@@ -81,7 +73,7 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def
 
 After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
 
-[!INCLUDE [windows-defender-system-guard](../../../../includes/licensing/windows-defender-system-guard.md)]
+[!INCLUDE [windows-defender-system-guard](../../../includes/licensing/windows-defender-system-guard.md)]
 
 ## System requirements for System Guard
 

windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md

@@ -1,18 +1,11 @@
 ---
 title: Kernel DMA Protection
 description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
-ms.prod: windows-client
+ms.collection:
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
-ms.collection: 
   - highpri
   - tier1
 ms.topic: conceptual
 ms.date: 03/30/2023
-ms.technology: itpro-security
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Kernel DMA Protection
@@ -81,7 +74,7 @@ If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Vir
 
 If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
 
-For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
+For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
 
 ## Frequently asked questions
 
@@ -129,4 +122,4 @@ The policy can be enabled by using:
 [LINK-2]: /windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies
 [LINK-3]: /windows-hardware/design/device-experiences/oem-kernel-dma-protection
 
-[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf
+[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf

windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md

@@ -1,29 +1,14 @@
 ---
-title: System Guard Secure Launch and SMM protection 
+title: System Guard Secure Launch and SMM protection
 description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
-search.appverid: met150
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
-author: vinaypamnani-msft
 ms.date: 11/30/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.technology: itpro-security
 ms.topic: conceptual
 ---
 
 # System Guard Secure Launch and SMM protection
 
-**Applies to:**
+This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
-
-- Windows 11
-- Windows 10
-
-This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
 
 > [!NOTE]
 > System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
@@ -54,7 +39,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
 Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
 
   ![Windows Security app.](images/secure-launch-security-app.png)
-  
+
 ### Registry
 
 1. Open Registry editor.
@@ -76,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
 ![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png)
 
 > [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
 
 > [!NOTE]
 > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).

windows/security/hardware-security/toc.yml

@@ -4,7 +4,7 @@ items:
   - name: Hardware root of trust
     items:
       - name: Windows Defender System Guard
-        href: ../threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+        href: how-hardware-based-root-of-trust-helps-protect-windows.md
       - name: Trusted Platform Module
         href: ../information-protection/tpm/trusted-platform-module-top-node.md
         items:
@@ -38,10 +38,10 @@ items:
             href: ../information-protection/pluton/pluton-as-tpm.md
   - name: Silicon assisted security
     items:
-      - name: Virtualization-based security (VBS)
+      - name: Virtualization-based security (VBS) 🔗
         href: /windows-hardware/design/device-experiences/oem-vbs
       - name: Memory integrity (HVCI)
-        href: ../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+        href: enable-virtualization-based-protection-of-code-integrity.md
       - name: Memory integrity and VBS enablement 🔗
         href: /windows-hardware/design/device-experiences/oem-hvci-enablement
       - name: Hardware-enforced stack protection
@@ -49,6 +49,6 @@ items:
       - name: Secured-core PC 🔗
         href: /windows-hardware/design/device-experiences/oem-highly-secure-11
       - name: Kernel Direct Memory Access (DMA) protection
-        href: ../information-protection/kernel-dma-protection-for-thunderbolt.md
+        href: kernel-dma-protection-for-thunderbolt.md
       - name: System Guard Secure Launch
-        href: ../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+        href: system-guard-secure-launch-and-smm-protection.md

windows/security/hardware.md

@@ -1,7 +1,7 @@
 ---
 title: Windows hardware security
 description: Get an overview of hardware security in Windows 11 and Windows 10
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 author: vinaypamnani-msft
@@ -19,8 +19,7 @@ These new threats call for computing hardware that is secure down to the very co
 | Security Measures | Features & Capabilities |
 |:---|:---|
 | Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users. <br> A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM. <br><br/> Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). |
-| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.  <br> Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation. <br><br/> Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). |
+| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.  <br> Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation. <br><br/> Learn more about [How a hardware-based root of trust helps protect Windows](hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](hardware-security/system-guard-secure-launch-and-smm-protection.md). |
-| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a  virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity. <br> HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system. <br><br/> Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
+| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a  virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity. <br> HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system. <br><br/> Learn more: [Enable virtualization-based protection of code integrity](hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
-| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks.  Memory access protection (also known as Kernel DMA Protection)  protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC. <br><br/> Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). |
+| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks.  Memory access protection (also known as Kernel DMA Protection)  protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC. <br><br/> Learn more about [Kernel DMA Protection](hardware-security/kernel-dma-protection-for-thunderbolt.md). |
 | Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data. <br><br/> Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data. <br><br/> Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|
-

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -54,7 +54,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. When enabl
 
 1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
 
-1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md).
+1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../hardware-security/system-guard-secure-launch-and-smm-protection.md).
 
    :::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting.":::
 

windows/security/includes/sections/application-application-isolation-overview.md

@@ -9,22 +9,22 @@ The following table lists the edition applicability for all Application Isolatio
 
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
-|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|
-|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|❌|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|❌|Yes|
 |Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes|
 |[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
 |[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
 |[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
-|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|
 
 The following table lists the licensing applicability for all Application Isolation features.
 
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
-|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|Yes|
-|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)|❌|Yes|Yes|Yes|Yes|
+|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|Yes|Yes|Yes|
 |Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes|
 |[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
 |[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
 |[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
-|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/application.md

@@ -17,10 +17,10 @@ ms.topic: include
 
 | Security Measures | Features & Capabilities |
 |:---|:---|
-| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
-| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
 | **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
 | **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
 | **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
 | **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
-| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
+| **[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |

windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md

@@ -12,7 +12,7 @@ The following table lists the edition applicability for all Protecting Your Work
 |[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
 |[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
 |[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
-|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|
 |[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
 
 The following table lists the licensing applicability for all Protecting Your Work Information features.
@@ -22,5 +22,5 @@ The following table lists the licensing applicability for all Protecting Your Wo
 |[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
 |[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
 |[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
-|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|Yes|
+|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|Yes|
 |[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|

windows/security/includes/sections/cloud-services.md

@@ -12,7 +12,7 @@ ms.topic: include
 | **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
 | **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
 | **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers. <br><br>With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
-| **[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.  |
+| **[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.  |
 | **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a <br>Microsoft hosted cloud subscription service that supports a zero-trust security model by <br>enabling network isolation of printers, including the Universal Print connector software, from <br>the rest of the organization's resources. |
 
 ## Update

windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md

@@ -9,7 +9,7 @@ The following table lists the edition applicability for all Hardware Root-Of-Tru
 
 |Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:-:|:-:|:-:|:-:|:-:|
-|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|
+|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|
 |[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
 |[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
 
@@ -17,6 +17,6 @@ The following table lists the licensing applicability for all Hardware Root-Of-T
 
 |Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:-:|:-:|:-:|:-:|:-:|:-:|
-|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|Yes|
+|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|Yes|
 |[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
 |[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md

@@ -13,7 +13,7 @@ The following table lists the edition applicability for all Silicon Assisted Sec
 |[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
 |[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
 |[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
-|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|
 
 The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
 
@@ -23,4 +23,4 @@ The following table lists the licensing applicability for all Silicon Assisted S
 |[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
 |[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
 |[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
-|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|Yes|
+|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|Yes|

windows/security/includes/sections/hardware.md

@@ -9,7 +9,7 @@ ms.topic: include
 
 | Security Measures | Features & Capabilities |
 |:---|:---|
-| **[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
+| **[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
 | **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.<br><br>Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
 | **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.<br><br>In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
 
@@ -21,4 +21,4 @@ ms.topic: include
 | **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
 | **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
 | **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
-| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |

windows/security/introduction/index.md

@@ -15,7 +15,7 @@ appliesto:
 
 The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
 
-Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](../threat-protection/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
+Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
 
 ## How Windows 11 enables Zero Trust protection
 

windows/security/operating-system-security/device-management/toc.yml

@@ -8,14 +8,14 @@ items:
   - name: Assigned Access (kiosk mode)
     href: /windows/configuration/kiosk-methods
   - name: Security baselines
-    href: ../../threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+    href: windows-security-configuration-framework/windows-security-baselines.md
     items:
     - name: Security Compliance Toolkit
-      href: ../../threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+      href: windows-security-configuration-framework/security-compliance-toolkit-10.md
     - name: Get support
-      href: ../../threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+      href: windows-security-configuration-framework/get-support-for-security-baselines.md
     - name: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
-      href: ../../threat-protection/mbsa-removal-and-guidance.md
+      href: windows-security-configuration-framework/mbsa-removal-and-guidance.md
   - name: More Windows security
     items:
     - name: Override Process Mitigation Options to help enforce app-related security policies
@@ -23,4 +23,4 @@ items:
     - name: Use Windows Event Forwarding to help with intrusion detection
       href: ../../threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
     - name: Block untrusted fonts in an enterprise
-      href: ../../threat-protection/block-untrusted-fonts-in-enterprise.md
+      href: ../../threat-protection/block-untrusted-fonts-in-enterprise.md

windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md

@@ -1,15 +1,9 @@
 ---
 title: Get support for security baselines
 description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles.
-ms.prod: windows-client
 ms.localizationpriority: medium
-ms.author: vinpa
-author: vinaypamnani-msft
-manager: aaroncz
 ms.topic: conceptual
-ms.date: 10/19/2022
+ms.date: 07/11/2023
-ms.reviewer: jmunck
-ms.technology: itpro-security
 ---
 
 # Get Support

windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md

@@ -1,44 +1,39 @@
 ---
 title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
 description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
-ms.prod: windows-client
 ms.localizationpriority: medium
-ms.author: paoloma
+ms.date: 07/11/2023
-author: paolomatarazzo
-manager: aaroncz
-ms.technology: itpro-security
-ms.date: 03/29/2023
 ms.topic: article
 ---
- 
+
 # What is Microsoft Baseline Security Analyzer and its uses?
- 
+
-Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. 
+Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
- 
+
 MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.
 
 > [!NOTE]
-> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. 
+> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
 
 ## Solution
 
 A script can help you with an alternative to MBSA's patch-compliance checking:
 
-- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. 
+- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
 For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
 
 For example:
 
-[![Screenshot that shows the VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
+[![Screenshot that shows the VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
-[![Screenshot that shows the PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) 
+[![Screenshot that shows the PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
-  
+
 The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
 The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
 
-## More information  
+## More information
 
 For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
 
-- [Windows security baselines](windows-security-baselines.md) 
+- [Windows security baselines](windows-security-baselines.md)
-- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319) 
+- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
 - [Microsoft Security Guidance blog](/archive/blogs/secguide/)

windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md

@@ -1,18 +1,12 @@
 ---
 title: Microsoft Security Compliance Toolkit Guide
 description: This article describes how to use Security Compliance Toolkit in your organization
-ms.prod: windows-client
 ms.localizationpriority: medium
-ms.author: vinpa
-author: vinaypamnani-msft
-manager: aaroncz
 ms.collection:
   - highpri
   - tier3
 ms.topic: conceptual
-ms.date: 06/07/2023
+ms.date: 07/11/2023
-ms.reviewer: rmunck
-ms.technology: itpro-security
 ---
 
 # Microsoft Security Compliance Toolkit - How to use

windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md

@@ -1,18 +1,12 @@
 ---
 title: Security baselines guide
 description: Learn how to use security baselines in your organization.
-ms.prod: windows-client
 ms.localizationpriority: medium
-ms.author: vinpa
-author: vinaypamnani-msft
-manager: aaroncz
 ms.collection:
   - highpri
   - tier3
 ms.topic: conceptual
-ms.date: 01/26/2022
+ms.date: 07/11/2023
-ms.reviewer: jmunck
-ms.technology: itpro-security
 ---
 
 # Security baselines
@@ -41,7 +35,7 @@ For example, there are over 3,000 group policy settings for Windows 10, which do
 
 In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as group policy object backups.
 
-[!INCLUDE [security-baselines](../../../../includes/licensing/security-baselines.md)]
+[!INCLUDE [security-baselines](../../../../../includes/licensing/security-baselines.md)]
 
 ## Baseline principles
 

windows/security/threat-protection/index.md

@@ -20,14 +20,14 @@ See the following articles to learn more about the different areas of Windows th
 - [Attack Surface Reduction Rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
 - [Controlled Folder Access](/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection)
-- [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
+- [Microsoft Defender Application Guard](../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)
-- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+- [Microsoft Defender Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 - [Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)
 - [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
-- [Virtualization-Based Protection of Code Integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
+- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
 - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
 - [Windows Firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
+- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)
 
 ## Next-generation protection
 

windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md

@@ -47,7 +47,7 @@ Because vulnerabilities can exist when this value is configured and when it's no
 
 ### Best practices
 
-The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend a value of 10 could be an acceptable starting point for your organization.
+The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization.
 
 As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
 
@@ -117,7 +117,7 @@ Because vulnerabilities can exist when this value is configured and when it's no
     
 -   Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
 
-    [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
+    [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
     
     Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
 

windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md

@@ -91,7 +91,7 @@ Enable the **Interactive logon: Don't display user name at sign-in** setting.
 
 ### Potential impact
 
-Users must always type their usernames and passwords when they log on locally or to the domain. The sign in tiles of all logged on users aren't displayed.
+Users must always type their usernames and passwords when they log on locally or to the domain. The sign in tiles of all logged on users aren't displayed. When this policy is enabled, you will be unable to change the default credential provider to anything other than username/password. In addition, this policy may be incompatible with autologon and multi-factor unlock.
 
 ## Related topics
 

windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md

@@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re
 
 ### Best practices
 
-The [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) don't recommend configuring this setting. 
+The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting. 
 
 ### Location
 

windows/security/threat-protection/security-policy-settings/minimum-password-age.md

@@ -35,7 +35,7 @@ The **Minimum password age** policy setting determines the period of time (in da
 
 ### Best practices
 
-[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend setting **Minimum password age** to one day. 
+[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day. 
 
 Setting the number of days to 0 allows immediate password changes. This setting isn't recommended. 
 Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. 

windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md

@@ -40,7 +40,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco
 
 Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. 
 
-[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
+[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
 
 ### Location
 
@@ -69,7 +69,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the
 
 ### Countermeasure
 
-[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15.
+[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15.
 
 ### Potential impact
 

windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md

@@ -59,7 +59,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
 
 We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode.
 
-For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md).
+For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md).
 
 ### Location
 

windows/security/threat-protection/windows-defender-application-control/TOC.yml

@@ -9,7 +9,7 @@
     - name: WDAC and AppLocker Feature Availability
       href: feature-availability.md
     - name: Virtualization-based protection of code integrity
-      href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+      href: ../../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
 - name: WDAC design guide
   href: windows-defender-application-control-design-guide.md
   items:

windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md

@@ -31,7 +31,7 @@ This article describes how to deploy Windows Defender Application Control (WDAC)
 You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
 
 > [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
+> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
 >
 > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
 

windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md

@@ -30,7 +30,7 @@ ms.topic: article
 > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
 
 > [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart.
+> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart.
 >
 > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
 

windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md

@@ -26,7 +26,7 @@ ms.topic: how-to
 You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
 
 > [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart.
+> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart.
 >
 > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
 

windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md

@@ -63,7 +63,7 @@ Customers who always want the most up-to-date driver blocklist can also use Wind
 
 ## Blocking vulnerable drivers using WDAC
 
-Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
+Microsoft recommends enabling [HVCI](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
 
 > [!IMPORTANT]
 > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading.

windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md

@@ -62,7 +62,7 @@ The following table has a description of each policy rule, beginning with the le
 | **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all Windows Defender Application Control policies. Setting this rule option allows the F8 menu to appear to physically present users. |
 | **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
 | **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 isn't supported and may have unintended results. |
-|**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
+|**[Hypervisor-protected code integrity (HVCI)](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
 | **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by the Microsoft Intelligent Security Graph (ISG). |
 | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
 | **Require WHQL** | By default, legacy drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Henceforth, every new Windows–compatible driver must be WHQL certified. |

windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md

@@ -56,7 +56,7 @@ All Windows Defender Application Control policy changes should be deployed in au
 ## Choose how to deploy WDAC policies
 
 > [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. We recommend [deploying via script](deployment/deploy-wdac-policies-with-script.md) in this case.
+> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deployment/deploy-wdac-policies-with-script.md) in this case.
 >
 > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.