Merge pull request #9823 from MicrosoftDocs/main

Publish main to live, Monday 10:30AM PDT, 05/06

.openpublishing.redirection.windows-security.json

@@ -9169,6 +9169,16 @@
       "source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md",
       "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/cloud-security/index.md",
+      "redirect_url": "/windows/security/cloud-services",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md",
+      "redirect_url": "/windows/security/identity-protection/hello-for-business/dual-enrollment",
+      "redirect_document_id": false
     }
   ]
 }

education/windows/windows-11-se-settings-list.md

@@ -2,7 +2,7 @@
 title: Windows 11 SE settings list
 description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
 ms.topic: reference
-ms.date: 08/18/2023
+ms.date: 05/06/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ms.collection:

windows/security/cloud-services/index.md

@@ -1,18 +1,18 @@
 ---
-title: Windows and cloud security
+title: Windows and cloud services
-description: Get an overview of cloud security features in Windows.
+description: Get an overview of cloud-based services in Windows.
-ms.date: 08/02/2023
+ms.date: 05/06/2024
 ms.topic: overview
 author: paolomatarazzo
 ms.author: paoloma
 ---
 
-# Windows and cloud security
+# Windows and cloud services
 
 Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
 
 From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
 
-Learn more about cloud security features in Windows.
+Learn more about cloud-based services in Windows.
 
 [!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]

windows/security/identity-protection/hello-for-business/dual-enrollment.md

@@ -0,0 +1,72 @@
+---
+title: Dual enrollment
+description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
+ms.date: 05/06/2024
+ms.topic: how-to
+---
+
+# Dual enrollment
+
+[!INCLUDE [intro](deploy/includes/intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](deploy/includes/tooltip-deployment-onpremises.md)], [!INCLUDE [tooltip-deployment-hybrid](deploy/includes/tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-cert-trust](deploy/includes/tooltip-trust-cert.md)]
+- **Join type:** [!INCLUDE [tooltip-join-domain](deploy/includes/tooltip-join-domain.md)], [!INCLUDE [tooltip-join-hybrid](deploy/includes/tooltip-join-hybrid.md)]
+---
+
+> [!IMPORTANT]
+> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages organizations to use the Privileged Access Workstations for their privileged credential users. Organizations can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature can't be used. To learn more, see [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations).
+
+Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their nonprivileged and privileged credentials on their device.
+
+By design, Windows doesn't enumerate all Windows Hello for Business users from within a user's session. Using the group policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
+
+With this setting, administrative users can sign in to Windows using their nonprivileged Windows Hello credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using `runas.exe` combined with the `/smartcard` argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and nonprivileged workloads.
+
+> [!IMPORTANT]
+> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
+
+## Configure Windows Hello for Business dual enrollment
+
+Here are the steps to enable dual enrollment:
+
+- Configure Active Directory to support Domain Administrator enrollment
+- Configure dual enrollment using Group Policy
+
+### Configure Active Directory to support Domain Administrator enrollment
+
+The designed Windows Hello for Business configuration gives the `Key Admins` group read and write permissions to the `msDS-KeyCredentialsLink` attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
+
+Active Directory Domain Services uses `AdminSDHolder` to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account might receive the permissions but they disappear from the user object unless you give the `AdminSDHolder` read and write permissions to the `msDS-KeyCredential` attribute.
+
+Sign in to a domain controller or management workstation with access equivalent to *domain administrator*.
+
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
+
+    ```cmd
+    dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
+    ```
+
+    where `DC=domain,DC=com` is the LDAP path of your Active Directory domain and `domainName\keyAdminGroup` is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
+
+    ```cmd
+    dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
+    ```
+
+1. To trigger security descriptor propagation, open `ldp.exe`
+1. Select **Connection** and select **Connect...**  Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
+1. Select **Connection** and select **Bind...**  Select **OK** to bind as the currently signed-in user
+1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
+1. Select **Run** to start the task
+1. Close LDP
+
+### Configure dual enrollment with group policy
+
+You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:
+
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
+1. Edit the Group Policy object from step 1
+1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
+1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
+1. Restart computers targeted by this Group Policy object
+
+The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.

windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md

@@ -1,64 +0,0 @@
----
-title: Dual Enrollment
-description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 07/05/2023
-ms.topic: how-to
----
-
-# Dual Enrollment
-
-**Requirements**
-
-- Hybrid and On-premises Windows Hello for Business deployments
-- Enterprise joined or Hybrid Azure joined devices
-- Certificate trust
-
-> [!IMPORTANT]
-> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature.  Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users.  Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used.  Read [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
-
-Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
-
-By design, Windows does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
-
-With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN.  Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument.  This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
-
-> [!IMPORTANT]
-> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business.  Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
-
-## Configure Windows Hello for Business Dual Enrollment
-
-In this task, you will
-
-* Configure Active Directory to support Domain Administrator enrollment
-* Configure Dual Enrollment using Group Policy
-
-### Configure Active Directory to support Domain Administrator enrollment
-
-The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute.  You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
-
-Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
-
-Sign in to a domain controller or management workstation with access equivalent to _domain administrator_.
-
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.</br>
-```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```</br>
-where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment.  For example:</br>
-```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
-2. To trigger security descriptor propagation, open **ldp.exe**.
-3. Click **Connection** and select **Connect...**  Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
-4. Click **Connection** and select **Bind...**  Click **OK** to bind as the currently signed-in user.
-5. Click **Browser** and select **Modify**.  Leave the **DN** text box blank.  Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**.  Click **Enter** to add this to the **Entry List**.
-6. Click **Run** to start the task.
-7. Close LDP.  
-
-### Configuring Dual Enrollment using Group Policy
-
-You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object.
-
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
-2. Edit the Group Policy object from step 1.
-3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
-4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC.
-5. Restart computers targeted by this Group Policy object.
-
-The computer is ready for dual enrollment.  Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the non-privileged user and enroll for Windows Hello for Business.  You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.

windows/security/identity-protection/hello-for-business/toc.yml

@@ -20,7 +20,7 @@ items:
   - name: Configure PIN reset
     href: pin-reset.md
   - name: Configure dual enrollment
-    href: hello-feature-dual-enrollment.md
+    href: dual-enrollment.md
   - name: Configure dynamic lock
     href: hello-feature-dynamic-lock.md
   - name: Configure multi-factor unlock

windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md

@@ -29,6 +29,10 @@ The following list provides examples of common events that cause a device to ent
 - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile
 - Moving a BitLocker-protected drive into a new computer
 - On devices with TPM 1.2, changing the BIOS or firmware boot device order
+- Exceeding the maximum allowed number of failed sign-in attempts
+
+    > [!NOTE]
+    > To take advantage of this functionality, you must configure the policy setting **Interactive logon: Machine account lockout threshold** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**. Alternatively, use the [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) **MaxFailedPasswordAttempts** policy setting, or the [DeviceLock Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy).
 
 As part of the [BitLocker recovery process](recovery-process.md), it's recommended to determine what caused a device to enter in recovery mode. Root cause analysis might help to prevent the problem from occurring again in the future. For instance, if you determine that an attacker modified a device by obtaining physical access, you can implement new security policies for tracking who has physical presence.
 
@@ -40,6 +44,23 @@ For planned scenarios, such as a known hardware or firmware upgrades, initiating
 > [!TIP]
 > Recovery is described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When devices are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the device is delivered to a new user.
 
+## Windows RE and BitLocker recovery
+
+Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by BitLocker. If a device is unable to boot after two failures, *Startup Repair* starts automatically.
+
+When Startup Repair is launched automatically due to boot failures, it only executes operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. On devices that support specific TPM measurements for PCR[7], the TPM validates that Windows RE is a trusted operating environment and unlocks any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM is disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically, and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
+
+Windows RE will also ask for your BitLocker recovery key when you start a *Remove everything* reset from Windows RE on a device that uses the **TPM + PIN** or **Password for OS drive** protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.
+
+The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key:
+
+- To activate the narrator during BitLocker recovery in Windows RE, press <kbd>WIN</kbd> + <kbd>CTRL</kbd> + <kbd>Enter</kbd>
+- To activate the on-screen keyboard, tap on a text input control
+
+:::image type="content" source="images/bl-narrator.png" alt-text="Screenshot of Windows RE and narrator.":::
+
+If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
+
 ## BitLocker recovery options
 
 In a recovery scenario, the following options to restore access to the drive might be available, depending on the policy settings applied to the devices:

windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md

@@ -2,7 +2,7 @@
 title: PDE settings and configuration
 description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
 ms.topic: how-to
-ms.date: 08/11/2023
+ms.date: 05/06/2024
 ---
 
 # PDE settings and configuration

windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml

@@ -4,7 +4,7 @@ metadata:
   title: Frequently asked questions for Personal Data Encryption (PDE)
   description: Answers to common questions regarding Personal Data Encryption (PDE).
   ms.topic: faq
-  ms.date: 08/11/2023
+  ms.date: 05/06/2024
 
 title: Frequently asked questions for Personal Data Encryption (PDE)
 summary: |
@@ -15,7 +15,7 @@ sections:
     questions:
       - question: Can PDE encrypt entire volumes or drives?
         answer: |
-          No. PDE only encrypts specified files and content.
+          No, PDE only encrypts specified files and content.
       - question: How are files and content protected by PDE selected?
         answer: |
           [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
@@ -24,10 +24,10 @@ sections:
           Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
       - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
         answer: |
-          No. Accessing PDE protected content over RDP isn't currently supported.
+          No, it's not supported to access PDE-protected content over RDP.
       - question: Can PDE protected content be accessed via a network share?
         answer: |
-          No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+          No, PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
       - question: What encryption method and strength does PDE use?
         answer: |
           PDE uses AES-CBC with a 256-bit key to encrypt content.
@@ -39,13 +39,13 @@ sections:
           During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
       - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
         answer: |
-          No. The keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+          No, the keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
       - question: Can a file be protected with both PDE and EFS at the same time?
         answer: |
-          No. PDE and EFS are mutually exclusive.
+          No, PDE and EFS are mutually exclusive.
       - question: Is PDE a replacement for BitLocker?
         answer: |
-          No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
+          No, it's recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
       - question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
         answer: |
-          No. PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
+          No, PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.

windows/security/operating-system-security/data-protection/personal-data-encryption/index.md

@@ -2,7 +2,7 @@
 title: Personal Data Encryption (PDE)
 description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
 ms.topic: how-to
-ms.date: 08/11/2023
+ms.date: 05/06/2024
 ---
 
 # Personal Data Encryption (PDE)

windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md

@@ -1,7 +1,7 @@
 ---
 title: How to configure cryptographic settings for IKEv2 VPN connections
 description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md

@@ -1,7 +1,7 @@
 ---
 title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
 description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 12/12/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-authentication.md

@@ -1,7 +1,7 @@
 ---
 title: VPN authentication options
 description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md

@@ -1,7 +1,7 @@
 ---
 title: VPN auto-triggered profile options
 description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md

@@ -1,7 +1,7 @@
 ---
 title: VPN and conditional access
 description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md

@@ -1,7 +1,7 @@
 ---
 title: VPN connection types
 description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 
@@ -30,7 +30,7 @@ Tunneling protocols:
 
 Using the UWP platform, non-Microsoft VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
 
-There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
+There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, SonicWall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
 
 ## Configure connection type
 

windows/security/operating-system-security/network-security/vpn/vpn-guide.md

@@ -1,7 +1,7 @@
 ---
 title: Windows VPN technical guide
 description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: overview
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md

@@ -1,7 +1,7 @@
 ---
 title: VPN name resolution
 description: Learn how name resolution works when using a VPN connection.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md

@@ -2,7 +2,7 @@
 title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 ms.topic: how-to
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ---
 # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 

windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md

@@ -1,7 +1,7 @@
 ---
 title: VPN profile options
 description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-routing.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 title: VPN routing decisions
 description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
 ms.topic: concept-article

windows/security/operating-system-security/network-security/vpn/vpn-security-features.md

@@ -1,7 +1,7 @@
 ---
 title: VPN security features
 description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/toc.yml

@@ -16,6 +16,6 @@ items:
 - name: Identity protection
   href: identity-protection/toc.yml
 - name: Cloud security
-  href: cloud-security/toc.yml
+  href: cloud-services/toc.yml
 - name: Windows Privacy 🔗
   href: /windows/privacy