diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 49135c37f0..e51c5d4efc 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20809,6 +20809,11 @@
       "source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
       "redirect_url": "/microsoft-store",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/index.md",
+      "redirect_url": "/windows/security/encryption-data-protection",
+      "redirect_document_id": false
     }
   ]
 }
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 326c71ca59..b587dca55d 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
-ms.date: 04/11/2023
+ms.date: 04/24/2023
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@@ -53,9 +53,11 @@ To use federated sign-in, the devices must have Internet access. This feature wo
 > - provisioning packages (PPKG)
 > - Windows Autopilot self-deploying mode
 
-### System requirements
+[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)]
 
-Federated sign-in is supported on the following Windows SKUs and versions:
+## System requirements
+
+Federated sign-in is supported on the following Windows editions and versions:
 
 - Windows 11 SE, version 22H2 and later
 - Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
diff --git a/includes/intune/intune-custom-settings-1.md b/includes/intune/intune-custom-settings-1.md
new file mode 100644
index 0000000000..d911751e75
--- /dev/null
+++ b/includes/intune/intune-custom-settings-1.md
@@ -0,0 +1,13 @@
+---
+ms.date: 02/22/2022
+ms.topic: include
+---
+
+To configure devices with Microsoft Intune, use a custom policy:
+
+1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
+2. Select **Devices > Configuration profiles > Create profile**
+3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
+4. Select **Create**
+5. Specify a **Name** and, optionally, a **Description > Next**
+6. Add the following settings:
\ No newline at end of file
diff --git a/includes/intune/intune-custom-settings-2.md b/includes/intune/intune-custom-settings-2.md
new file mode 100644
index 0000000000..1a601acaa7
--- /dev/null
+++ b/includes/intune/intune-custom-settings-2.md
@@ -0,0 +1,9 @@
+---
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+7. Select **Next**
+8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
+9. Under **Applicability Rules**, select **Next**
+10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/includes/intune/intune-custom-settings-info.md b/includes/intune/intune-custom-settings-info.md
new file mode 100644
index 0000000000..8ff9da4294
--- /dev/null
+++ b/includes/intune/intune-custom-settings-info.md
@@ -0,0 +1,6 @@
+---
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
new file mode 100644
index 0000000000..207141f3e5
--- /dev/null
+++ b/includes/licensing/_edition-requirements.md
@@ -0,0 +1,79 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
+|:---|:---:|:---:|:---:|:---:|
+|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
+|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
+|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
+|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
+|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
+|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
+|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|
+|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
+|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|
+|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|
+|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
+|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
+|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|
+|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/deployedge/microsoft-edge-security-windows-defender-application-guard)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
+|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
+|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
+|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
+|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
+|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
+|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
+|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
+|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
+|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
+|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
+|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|
+|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|
+|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
+|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
+|**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes|
+|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|
+|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
+|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|
+|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|
+|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
+|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
+|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
+|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
+|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
+|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
new file mode 100644
index 0000000000..a27829cbab
--- /dev/null
+++ b/includes/licensing/_licensing-requirements.md
@@ -0,0 +1,79 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---|:---:|:---:|:---:|:---:|:---:|
+|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
+|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
+|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
+|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
+|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
+|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes|
+|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
+|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|Yes|
+|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
+|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
+|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
+|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes|
+|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/deployedge/microsoft-edge-security-windows-defender-application-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
+|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
+|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
+|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
+|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
+|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
+|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
+|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes|
+|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes|
+|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes|
+|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
+|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes|
+|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
+|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/access-control-aclsscals.md b/includes/licensing/access-control-aclsscals.md
new file mode 100644
index 0000000000..74b2f49090
--- /dev/null
+++ b/includes/licensing/access-control-aclsscals.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Access Control (ACLs/SCALS):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Access Control (ACLs/SCALS) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md
new file mode 100644
index 0000000000..f73aa4228c
--- /dev/null
+++ b/includes/licensing/account-lockout-policy.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Account Lockout Policy:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Account Lockout Policy license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/always-on-vpn-device-tunnel.md b/includes/licensing/always-on-vpn-device-tunnel.md
new file mode 100644
index 0000000000..74b2333a3d
--- /dev/null
+++ b/includes/licensing/always-on-vpn-device-tunnel.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Always On VPN (device tunnel):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Always On VPN (device tunnel) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md
new file mode 100644
index 0000000000..a2f4b745bb
--- /dev/null
+++ b/includes/licensing/assigned-access-kiosk-mode.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Assigned Access (kiosk mode):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Assigned Access (kiosk mode) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/attack-surface-reduction-asr.md b/includes/licensing/attack-surface-reduction-asr.md
new file mode 100644
index 0000000000..666af08c54
--- /dev/null
+++ b/includes/licensing/attack-surface-reduction-asr.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Attack surface reduction (ASR):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Attack surface reduction (ASR) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
new file mode 100644
index 0000000000..b093cd8faa
--- /dev/null
+++ b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/bitlocker.md b/includes/licensing/bitlocker.md
new file mode 100644
index 0000000000..cf1f80b079
--- /dev/null
+++ b/includes/licensing/bitlocker.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support BitLocker:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+BitLocker license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/bluetooth-pairing-and-connection-protection.md b/includes/licensing/bluetooth-pairing-and-connection-protection.md
new file mode 100644
index 0000000000..494fee6609
--- /dev/null
+++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Bluetooth pairing and connection protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Bluetooth pairing and connection protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/common-criteria-certifications.md b/includes/licensing/common-criteria-certifications.md
new file mode 100644
index 0000000000..dbb9d1669a
--- /dev/null
+++ b/includes/licensing/common-criteria-certifications.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Common Criteria certifications:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Common Criteria certifications license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/controlled-folder-access.md b/includes/licensing/controlled-folder-access.md
new file mode 100644
index 0000000000..855d0cf28f
--- /dev/null
+++ b/includes/licensing/controlled-folder-access.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Controlled folder access:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Controlled folder access license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/device-health-attestation-service.md b/includes/licensing/device-health-attestation-service.md
new file mode 100644
index 0000000000..f8fdb1e381
--- /dev/null
+++ b/includes/licensing/device-health-attestation-service.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Device health attestation service:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Device health attestation service license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/direct-access.md b/includes/licensing/direct-access.md
new file mode 100644
index 0000000000..f1b2da9ef5
--- /dev/null
+++ b/includes/licensing/direct-access.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Direct Access:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Direct Access license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/email-encryption-smime.md b/includes/licensing/email-encryption-smime.md
new file mode 100644
index 0000000000..07e14851b2
--- /dev/null
+++ b/includes/licensing/email-encryption-smime.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Email Encryption (S/MIME):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Email Encryption (S/MIME) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/encrypted-hard-drive.md b/includes/licensing/encrypted-hard-drive.md
new file mode 100644
index 0000000000..e365c0d71c
--- /dev/null
+++ b/includes/licensing/encrypted-hard-drive.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Encrypted hard drive:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Encrypted hard drive license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
new file mode 100644
index 0000000000..4f4c059f8b
--- /dev/null
+++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Enhanced phishing protection with SmartScreen:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Enhanced phishing protection with SmartScreen license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/exploit-protection.md b/includes/licensing/exploit-protection.md
new file mode 100644
index 0000000000..c774cb4f5e
--- /dev/null
+++ b/includes/licensing/exploit-protection.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Exploit protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Exploit protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/fast-identity-online-fido2-security-key.md b/includes/licensing/fast-identity-online-fido2-security-key.md
new file mode 100644
index 0000000000..b47385e2f5
--- /dev/null
+++ b/includes/licensing/fast-identity-online-fido2-security-key.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Fast Identity Online (FIDO2) security key:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Fast Identity Online (FIDO2) security key license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/federal-information-processing-standard-fips-140-validation.md b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
new file mode 100644
index 0000000000..ff0563a439
--- /dev/null
+++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Federal Information Processing Standard (FIPS) 140 validation:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Federal Information Processing Standard (FIPS) 140 validation license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md
new file mode 100644
index 0000000000..5a1a787e06
--- /dev/null
+++ b/includes/licensing/federated-sign-in.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Federated sign-in:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|No|Yes|Yes|
+
+Federated sign-in license entitlements are granted by the following licenses:
+
+|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|No|No|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/hardware-enforced-stack-protection.md b/includes/licensing/hardware-enforced-stack-protection.md
new file mode 100644
index 0000000000..50ae05045a
--- /dev/null
+++ b/includes/licensing/hardware-enforced-stack-protection.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Hardware-enforced stack protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Hardware-enforced stack protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/hypervisor-protected-code-integrity-hvci.md b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
new file mode 100644
index 0000000000..8f6b16cf28
--- /dev/null
+++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Hypervisor-protected Code Integrity (HVCI):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Hypervisor-protected Code Integrity (HVCI) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/kernel-direct-memory-access-dma-protection.md b/includes/licensing/kernel-direct-memory-access-dma-protection.md
new file mode 100644
index 0000000000..7c805915cb
--- /dev/null
+++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Kernel Direct Memory Access (DMA) protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Kernel Direct Memory Access (DMA) protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/local-security-authority-lsa-protection.md b/includes/licensing/local-security-authority-lsa-protection.md
new file mode 100644
index 0000000000..af4fb5b47f
--- /dev/null
+++ b/includes/licensing/local-security-authority-lsa-protection.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Local Security Authority (LSA) Protection:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Local Security Authority (LSA) Protection license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md b/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md
new file mode 100644
index 0000000000..7330817deb
--- /dev/null
+++ b/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Manage by Mobile Device Management (MDM) and group policy:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Manage by Mobile Device Management (MDM) and group policy license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/measured-boot.md b/includes/licensing/measured-boot.md
new file mode 100644
index 0000000000..39c560d47f
--- /dev/null
+++ b/includes/licensing/measured-boot.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Measured boot:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Measured boot license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-defender-antivirus.md b/includes/licensing/microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..ba5bb932ea
--- /dev/null
+++ b/includes/licensing/microsoft-defender-antivirus.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Antivirus:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Defender Antivirus license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
new file mode 100644
index 0000000000..453b5db930
--- /dev/null
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) configure via MDM:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Microsoft Defender Application Guard (MDAG) configure via MDM license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
new file mode 100644
index 0000000000..36c1c33234
--- /dev/null
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
new file mode 100644
index 0000000000..23bf14013f
--- /dev/null
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge standalone mode:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Defender Application Guard (MDAG) for Edge standalone mode license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
new file mode 100644
index 0000000000..2ccf97f2da
--- /dev/null
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Microsoft Office:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Microsoft Defender Application Guard (MDAG) for Microsoft Office license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|No|No|No|No|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
new file mode 100644
index 0000000000..bf903c766f
--- /dev/null
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) public APIs:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Microsoft Defender Application Guard (MDAG) public APIs license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-defender-for-endpoint.md b/includes/licensing/microsoft-defender-for-endpoint.md
new file mode 100644
index 0000000000..be03daf05e
--- /dev/null
+++ b/includes/licensing/microsoft-defender-for-endpoint.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender for Endpoint:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Defender for Endpoint license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|No|Yes|No|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-defender-smartscreen.md b/includes/licensing/microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..a946b12155
--- /dev/null
+++ b/includes/licensing/microsoft-defender-smartscreen.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Defender SmartScreen:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Defender SmartScreen license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-pluton-security-processor.md b/includes/licensing/microsoft-pluton-security-processor.md
new file mode 100644
index 0000000000..2190c8a4ab
--- /dev/null
+++ b/includes/licensing/microsoft-pluton-security-processor.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Pluton security processor:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Pluton security processor license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-vulnerable-driver-blocklist.md b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
new file mode 100644
index 0000000000..39e258739c
--- /dev/null
+++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Vulnerable Driver Blocklist:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Vulnerable Driver Blocklist license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/opportunistic-wireless-encryption-owe.md b/includes/licensing/opportunistic-wireless-encryption-owe.md
new file mode 100644
index 0000000000..e0203c3e4d
--- /dev/null
+++ b/includes/licensing/opportunistic-wireless-encryption-owe.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Opportunistic Wireless Encryption (OWE):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Opportunistic Wireless Encryption (OWE) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/personal-data-encryption-pde.md b/includes/licensing/personal-data-encryption-pde.md
new file mode 100644
index 0000000000..3ca149f34f
--- /dev/null
+++ b/includes/licensing/personal-data-encryption-pde.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Personal data encryption (PDE):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Personal data encryption (PDE) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/privacy-resource-usage.md b/includes/licensing/privacy-resource-usage.md
new file mode 100644
index 0000000000..054bf054cc
--- /dev/null
+++ b/includes/licensing/privacy-resource-usage.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Privacy Resource Usage:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Privacy Resource Usage license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/privacy-transparency-and-controls.md b/includes/licensing/privacy-transparency-and-controls.md
new file mode 100644
index 0000000000..711440f7a5
--- /dev/null
+++ b/includes/licensing/privacy-transparency-and-controls.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Privacy Transparency and Controls:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Privacy Transparency and Controls license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/remote-wipe.md b/includes/licensing/remote-wipe.md
new file mode 100644
index 0000000000..5f5e79eeb6
--- /dev/null
+++ b/includes/licensing/remote-wipe.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Remote wipe:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Remote wipe license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/secure-boot-and-trusted-boot.md b/includes/licensing/secure-boot-and-trusted-boot.md
new file mode 100644
index 0000000000..8c60a8b048
--- /dev/null
+++ b/includes/licensing/secure-boot-and-trusted-boot.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Secure Boot and Trusted Boot:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Secure Boot and Trusted Boot license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/secured-core-configuration-lock.md b/includes/licensing/secured-core-configuration-lock.md
new file mode 100644
index 0000000000..9a2f06088b
--- /dev/null
+++ b/includes/licensing/secured-core-configuration-lock.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Secured-core configuration lock:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Secured-core configuration lock license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/secured-core-pc.md b/includes/licensing/secured-core-pc.md
new file mode 100644
index 0000000000..f22319bbdb
--- /dev/null
+++ b/includes/licensing/secured-core-pc.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Secured-core PC:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Secured-core PC license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/security-baselines.md b/includes/licensing/security-baselines.md
new file mode 100644
index 0000000000..a615d3af13
--- /dev/null
+++ b/includes/licensing/security-baselines.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Security baselines:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Security baselines license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/server-message-block-direct-smb-direct.md b/includes/licensing/server-message-block-direct-smb-direct.md
new file mode 100644
index 0000000000..ba99c98579
--- /dev/null
+++ b/includes/licensing/server-message-block-direct-smb-direct.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Server Message Block Direct (SMB Direct):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Server Message Block Direct (SMB Direct) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/server-message-block-smb-file-service.md b/includes/licensing/server-message-block-smb-file-service.md
new file mode 100644
index 0000000000..a271907d88
--- /dev/null
+++ b/includes/licensing/server-message-block-smb-file-service.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Server Message Block (SMB) file service:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Server Message Block (SMB) file service license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/smart-app-control.md b/includes/licensing/smart-app-control.md
new file mode 100644
index 0000000000..ff42750aab
--- /dev/null
+++ b/includes/licensing/smart-app-control.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Smart App Control:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Smart App Control license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/smart-cards-for-windows-service.md b/includes/licensing/smart-cards-for-windows-service.md
new file mode 100644
index 0000000000..98f271770f
--- /dev/null
+++ b/includes/licensing/smart-cards-for-windows-service.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Smart Cards for Windows Service:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Smart Cards for Windows Service license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/tamper-protection-settings-for-mde.md b/includes/licensing/tamper-protection-settings-for-mde.md
new file mode 100644
index 0000000000..95a86ec97c
--- /dev/null
+++ b/includes/licensing/tamper-protection-settings-for-mde.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Tamper protection settings for MDE:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Tamper protection settings for MDE license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/transport-layer-security-tls.md b/includes/licensing/transport-layer-security-tls.md
new file mode 100644
index 0000000000..9af6799b44
--- /dev/null
+++ b/includes/licensing/transport-layer-security-tls.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Transport layer security (TLS):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Transport layer security (TLS) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/trusted-platform-module-tpm-20.md b/includes/licensing/trusted-platform-module-tpm-20.md
new file mode 100644
index 0000000000..b2e593986b
--- /dev/null
+++ b/includes/licensing/trusted-platform-module-tpm-20.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Trusted Platform Module (TPM) 2.0:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Trusted Platform Module (TPM) 2.0 license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/universal-print.md b/includes/licensing/universal-print.md
new file mode 100644
index 0000000000..9c6572d61e
--- /dev/null
+++ b/includes/licensing/universal-print.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Universal Print:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Universal Print license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/user-account-control-uac.md b/includes/licensing/user-account-control-uac.md
new file mode 100644
index 0000000000..9da42619fe
--- /dev/null
+++ b/includes/licensing/user-account-control-uac.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support User Account Control (UAC):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+User Account Control (UAC) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/virtual-private-network-vpn.md b/includes/licensing/virtual-private-network-vpn.md
new file mode 100644
index 0000000000..aa184cdbb6
--- /dev/null
+++ b/includes/licensing/virtual-private-network-vpn.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Virtual Private Network (VPN):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Virtual Private Network (VPN) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/virtualization-based-security-vbs.md b/includes/licensing/virtualization-based-security-vbs.md
new file mode 100644
index 0000000000..bab3110e7a
--- /dev/null
+++ b/includes/licensing/virtualization-based-security-vbs.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Virtualization-based security (VBS):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Virtualization-based security (VBS) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/wifi-security.md b/includes/licensing/wifi-security.md
new file mode 100644
index 0000000000..edb7a92967
--- /dev/null
+++ b/includes/licensing/wifi-security.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support WiFi Security:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+WiFi Security license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-autopatch.md b/includes/licensing/windows-autopatch.md
new file mode 100644
index 0000000000..85f7df53dc
--- /dev/null
+++ b/includes/licensing/windows-autopatch.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Autopatch:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Windows Autopatch license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|No|No|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-autopilot.md b/includes/licensing/windows-autopilot.md
new file mode 100644
index 0000000000..e187e7a3fa
--- /dev/null
+++ b/includes/licensing/windows-autopilot.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Autopilot:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Autopilot license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-containers.md b/includes/licensing/windows-containers.md
new file mode 100644
index 0000000000..f3f9962827
--- /dev/null
+++ b/includes/licensing/windows-containers.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows containers:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows containers license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-defender-application-control-wdac.md b/includes/licensing/windows-defender-application-control-wdac.md
new file mode 100644
index 0000000000..66d6ac70dc
--- /dev/null
+++ b/includes/licensing/windows-defender-application-control-wdac.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Defender Application Control (WDAC):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-defender-credential-guard.md b/includes/licensing/windows-defender-credential-guard.md
new file mode 100644
index 0000000000..c134726708
--- /dev/null
+++ b/includes/licensing/windows-defender-credential-guard.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Defender Credential Guard:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|No|Yes|No|Yes|
+
+Windows Defender Credential Guard license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-defender-remote-credential-guard.md b/includes/licensing/windows-defender-remote-credential-guard.md
new file mode 100644
index 0000000000..b638a7c661
--- /dev/null
+++ b/includes/licensing/windows-defender-remote-credential-guard.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Defender Remote Credential Guard:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Defender Remote Credential Guard license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/windows-defender-system-guard.md
new file mode 100644
index 0000000000..0c747b64c5
--- /dev/null
+++ b/includes/licensing/windows-defender-system-guard.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Defender System Guard:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Defender System Guard license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-firewall.md b/includes/licensing/windows-firewall.md
new file mode 100644
index 0000000000..2e0754b3ac
--- /dev/null
+++ b/includes/licensing/windows-firewall.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Firewall:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Firewall license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
new file mode 100644
index 0000000000..3d0c015bc5
--- /dev/null
+++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Hello for Business Enhanced Security Sign-in (ESS):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Hello for Business Enhanced Security Sign-in (ESS) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-hello-for-business.md b/includes/licensing/windows-hello-for-business.md
new file mode 100644
index 0000000000..f48b9316b7
--- /dev/null
+++ b/includes/licensing/windows-hello-for-business.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Hello for Business:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Hello for Business license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-laps.md b/includes/licensing/windows-laps.md
new file mode 100644
index 0000000000..d462168228
--- /dev/null
+++ b/includes/licensing/windows-laps.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows LAPS:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows LAPS license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-presence-sensing.md b/includes/licensing/windows-presence-sensing.md
new file mode 100644
index 0000000000..c6cc796c33
--- /dev/null
+++ b/includes/licensing/windows-presence-sensing.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows presence sensing:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows presence sensing license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-sandbox.md b/includes/licensing/windows-sandbox.md
new file mode 100644
index 0000000000..7ed933449c
--- /dev/null
+++ b/includes/licensing/windows-sandbox.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Sandbox:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Sandbox license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md
new file mode 100644
index 0000000000..270d3267ee
--- /dev/null
+++ b/includes/licensing/windows-security-policy-settings-and-auditing.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 05/04/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows Security policy settings and auditing:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows Security policy settings and auditing license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 2e86f60f6a..d32bed289c 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -26,11 +26,9 @@ To summarize, config lock:
 
 ## Configuration Flow
 
-After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
+After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
 
-## System Requirements
-
-Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
+[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)]
 
 ## Enabling config lock using Microsoft Intune
 
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index ecc058a048..65a8d393da 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -56,6 +56,8 @@ For more information about the MDM policies defined in the MDM security baseline
 
 For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
 
+[!INCLUDE [manage-by-mobile-device-management-mdm-and-group-policy](../../includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md)]
+
 ## Frequently Asked Questions
 
 ### Can there be more than one MDM server to enroll and manage devices in Windows?
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index fb31d8961d..94ada2240d 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -19,6 +19,8 @@ ms.topic: reference
 <!-- RemoteWipe-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. Enterprise IT Professionals can update these settings by using the Exchange Server.
+
+[!INCLUDE [remote-wipe](../../../includes/licensing/remote-wipe.md)]
 <!-- RemoteWipe-Editable-End -->
 
 <!-- RemoteWipe-Tree-Begin -->
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 54a396d94f..7cc00d2ad9 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -19,6 +19,8 @@ ms.topic: reference
 <!-- WindowsDefenderApplicationGuard-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
+
+[!INCLUDE [microsoft-defender-application-guard-mdag-configure-via-mdm](../../../includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md)]
 <!-- WindowsDefenderApplicationGuard-Editable-End -->
 
 <!-- WindowsDefenderApplicationGuard-Tree-Begin -->
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index fca2b5ab94..0fdc2d15c1 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -71,6 +71,8 @@ There are several kiosk configuration methods that you can choose from, dependin
 >[!IMPORTANT]
 >Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
 
+[!INCLUDE [assigned-access-kiosk-mode](../../includes/licensing/assigned-access-kiosk-mode.md)]
+
 ## Methods for a single-app kiosk running a UWP app
 
 You can use this method | For this edition | For this kiosk account type 
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 2c627d3a6e..3549b7bdb6 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -8,13 +8,13 @@ ms.author: mstewart
 manager: aaroncz
 ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.date: 05/12/2023
 ---
 # Enforcing compliance deadlines for updates
 
 **Applies to**
 
-- Windows 10
+- Windows 10
 - Windows 11
 
 Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
@@ -43,3 +43,6 @@ When **Specify deadlines for automatic updates and restarts** is set (Windows 10
 For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) 
 
 For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours.
+
+> [!NOTE]
+> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
index 71ba52fc37..9831d4850d 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -1,7 +1,7 @@
 ---
 title: Manage Windows Autopatch groups
 description: This article explains how to manage Autopatch groups
-ms.date: 05/05/2023
+ms.date: 05/11/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -219,3 +219,12 @@ The Windows Autopatch team is currently developing the Autopatch group Azure AD
 > - Modern Workplace Devices-Windows Autopatch-Broad
 > 
 > Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups).
+
+### Rename an Autopatch group 
+
+- **Status: Active**
+
+You can't rename an Autopatch group yet. The Autopatch group name is appended to all deployment ring names in the Autopatch group. Windows Autopatch is currently developing the rename feature.
+
+> [!IMPORTANT]
+> During the public preview, if you try to rename either the [Update rings](/mem/intune/protect/windows-10-update-rings) or [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies directly in the Microsoft Intune end-user experience, the policy names are reverted back to the name defined by the Autopatch group end-user experience interface.
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index d71b135f49..0c78b4dfbe 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -1,450 +1,28 @@
 
 - name: Windows security
   href: index.yml
-- name: Zero Trust and Windows
-  href: zero-trust-windows-device-health.md
   expanded: true
+- name: Introduction
+  items:
+  - name: Windows security overview
+    href: introduction/index.md
+  - name: Zero Trust and Windows
+    href: zero-trust-windows-device-health.md
+  - name: Security features and edition requirements
+    href: introduction/security-features-edition-requirements.md
+  - name: Security features and licensing requirements
+    href: introduction/security-features-licensing-requirements.md
 - name: Hardware security
-  items:
-    - name: Overview
-      href: hardware.md
-    - name: Microsoft Pluton security processor
-      items:
-        - name: Microsoft Pluton overview
-          href: information-protection/pluton/microsoft-pluton-security-processor.md
-        - name: Microsoft Pluton as TPM
-          href: information-protection/pluton/pluton-as-tpm.md
-    - name: Trusted Platform Module
-      href: information-protection/tpm/trusted-platform-module-top-node.md
-      items:
-        - name: Trusted Platform Module overview
-          href: information-protection/tpm/trusted-platform-module-overview.md
-        - name: TPM fundamentals
-          href: information-protection/tpm/tpm-fundamentals.md
-        - name: How Windows uses the TPM
-          href: information-protection/tpm/how-windows-uses-the-tpm.md
-        - name: Manage TPM commands
-          href: information-protection/tpm/manage-tpm-commands.md
-        - name: Manager TPM Lockout
-          href: information-protection/tpm/manage-tpm-lockout.md
-        - name: Change the TPM password
-          href: information-protection/tpm/change-the-tpm-owner-password.md
-        - name: TPM Group Policy settings
-          href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
-        - name: Back up the TPM recovery information to AD DS
-          href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
-        - name: View status, clear, or troubleshoot the TPM
-          href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
-        - name: Understanding PCR banks on TPM 2.0 devices
-          href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
-        - name: TPM recommendations
-          href: information-protection/tpm/tpm-recommendations.md
-
-    - name: Hardware-based root of trust
-      href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
-    - name: System Guard Secure Launch and SMM protection
-      href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
-    - name: Enable virtualization-based protection of code integrity
-      href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
-    - name: Kernel DMA Protection
-      href: information-protection/kernel-dma-protection-for-thunderbolt.md
-    - name: Windows secured-core devices
-      href: /windows-hardware/design/device-experiences/oem-highly-secure
+  href: hardware-security/toc.yml
 - name: Operating system security
-  items:
-    - name: Overview
-      href: operating-system.md
-    - name: System security
-      items:
-      - name: Secure the Windows boot process
-        href: information-protection/secure-the-windows-10-boot-process.md
-      - name: Trusted Boot
-        href: trusted-boot.md
-      - name: Cryptography and certificate management
-        href: cryptography-certificate-mgmt.md
-      - name: The Windows Security app
-        href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
-        items:
-        - name: Virus & threat protection
-          href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
-        - name: Account protection
-          href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
-        - name: Firewall & network protection
-          href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
-        - name: App & browser control
-          href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
-        - name: Device security
-          href: threat-protection\windows-defender-security-center\wdsc-device-security.md
-        - name: Device performance & health
-          href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
-        - name: Family options
-          href: threat-protection\windows-defender-security-center\wdsc-family-options.md
-      - name: Security policy settings
-        href: threat-protection/security-policy-settings/security-policy-settings.md
-      - name: Security auditing
-        href: threat-protection/auditing/security-auditing-overview.md
-    - name: Encryption and data protection
-      href: encryption-data-protection.md
-      items:
-      - name: Encrypted Hard Drive
-        href: information-protection/encrypted-hard-drive.md
-      - name: BitLocker
-        href: information-protection/bitlocker/bitlocker-overview.md
-        items:
-        - name: Overview of BitLocker Device Encryption in Windows
-          href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
-        - name: BitLocker frequently asked questions (FAQ)
-          href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
-          items:
-            - name: Overview and requirements
-              href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
-            - name: Upgrading
-              href: information-protection/bitlocker/bitlocker-upgrading-faq.yml
-            - name: Deployment and administration
-              href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
-            - name: Key management
-              href: information-protection/bitlocker/bitlocker-key-management-faq.yml
-            - name: BitLocker To Go
-              href: information-protection/bitlocker/bitlocker-to-go-faq.yml
-            - name: Active Directory Domain Services
-              href: information-protection/bitlocker/bitlocker-and-adds-faq.yml
-            - name: Security
-              href: information-protection/bitlocker/bitlocker-security-faq.yml
-            - name: BitLocker Network Unlock
-              href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml
-            - name: General
-              href: information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
-        - name: "Prepare your organization for BitLocker: Planning and policies"
-          href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
-        - name: BitLocker deployment comparison
-          href: information-protection/bitlocker/bitlocker-deployment-comparison.md
-        - name: BitLocker basic deployment
-          href: information-protection/bitlocker/bitlocker-basic-deployment.md
-        - name: Deploy BitLocker on Windows Server 2012 and later
-          href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
-        - name: BitLocker management for enterprises
-          href: information-protection/bitlocker/bitlocker-management-for-enterprises.md
-        - name: Enable Network Unlock with BitLocker
-          href: information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
-        - name: Use BitLocker Drive Encryption Tools to manage BitLocker
-          href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
-        - name: Use BitLocker Recovery Password Viewer
-          href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
-        - name: BitLocker Group Policy settings
-          href: information-protection/bitlocker/bitlocker-group-policy-settings.md
-        - name: BCD settings and BitLocker
-          href: information-protection/bitlocker/bcd-settings-and-bitlocker.md
-        - name: BitLocker Recovery Guide
-          href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md
-        - name: BitLocker Countermeasures
-          href: information-protection/bitlocker/bitlocker-countermeasures.md
-        - name: Protecting cluster shared volumes and storage area networks with BitLocker
-          href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
-        - name: Troubleshoot BitLocker
-          items:
-            - name: Troubleshoot BitLocker
-              href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
-            - name: "BitLocker cannot encrypt a drive: known issues"
-              href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
-            - name: "Enforcing BitLocker policies by using Intune: known issues"
-              href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
-            - name: "BitLocker Network Unlock: known issues"
-              href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
-            - name: "BitLocker recovery: known issues"
-              href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
-            - name: "BitLocker configuration: known issues"
-              href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
-            - name: Troubleshoot BitLocker and TPM issues
-              items:
-                - name: "BitLocker cannot encrypt a drive: known TPM issues"
-                  href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
-                - name: "BitLocker and TPM: other known issues"
-                  href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
-                - name: Decode Measured Boot logs to track PCR changes
-                  href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
-    - name: Personal Data Encryption (PDE)
-      items:
-      - name: Personal Data Encryption (PDE) overview
-        href: information-protection/personal-data-encryption/overview-pde.md
-      - name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
-        href: information-protection/personal-data-encryption/faq-pde.yml
-      - name: Configure Personal Data Encryption (PDE) in Intune
-        items:
-        - name: Configure Personal Data Encryption (PDE) in Intune
-          href: information-protection/personal-data-encryption/configure-pde-in-intune.md
-        - name: Enable Personal Data Encryption (PDE)
-          href: information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
-        - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
-          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
-        - name: Disable kernel-mode crash dumps and live dumps for PDE
-          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
-        - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
-          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
-        - name: Disable hibernation for PDE
-          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
-        - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
-          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
-    - name: Configure S/MIME for Windows
-      href: identity-protection/configure-s-mime.md
-    - name: Network security
-      items:
-      - name: VPN technical guide
-        href: identity-protection/vpn/vpn-guide.md
-        items:
-        - name: VPN connection types
-          href: identity-protection/vpn/vpn-connection-type.md
-        - name: VPN routing decisions
-          href: identity-protection/vpn/vpn-routing.md
-        - name: VPN authentication options
-          href: identity-protection/vpn/vpn-authentication.md
-        - name: VPN and conditional access
-          href: identity-protection/vpn/vpn-conditional-access.md
-        - name: VPN name resolution
-          href: identity-protection/vpn/vpn-name-resolution.md
-        - name: VPN auto-triggered profile options
-          href: identity-protection/vpn/vpn-auto-trigger-profile.md
-        - name: VPN security features
-          href: identity-protection/vpn/vpn-security-features.md
-        - name: VPN profile options
-          href: identity-protection/vpn/vpn-profile-options.md
-        - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
-          href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
-        - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
-          href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
-        - name: Optimizing Office 365 traffic with the Windows VPN client
-          href: identity-protection/vpn/vpn-office-365-optimization.md
-      - name: Windows Defender Firewall
-        href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
-    - name: Windows security baselines
-      href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
-      items:
-      - name: Security Compliance Toolkit
-        href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
-      - name: Get support
-        href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
-      - name: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
-        href: threat-protection/mbsa-removal-and-guidance.md
-    - name: Virus & threat protection
-      items:
-      - name: Overview
-        href: threat-protection/index.md
-      - name: Microsoft Defender Antivirus
-        href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
-      - name: Attack surface reduction rules
-        href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
-      - name: Tamper protection
-        href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
-      - name: Network protection
-        href: /microsoft-365/security/defender-endpoint/network-protection
-      - name: Controlled folder access
-        href: /microsoft-365/security/defender-endpoint/controlled-folders
-      - name: Exploit protection
-        href: /microsoft-365/security/defender-endpoint/exploit-protection
-      - name: Microsoft Defender for Endpoint
-        href: /microsoft-365/security/defender-endpoint
-    - name: More Windows security
-      items:
-      - name: Override Process Mitigation Options to help enforce app-related security policies
-        href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
-      - name: Use Windows Event Forwarding to help with intrusion detection
-        href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
-      - name: Block untrusted fonts in an enterprise
-        href: threat-protection/block-untrusted-fonts-in-enterprise.md
-      - name: Windows Information Protection (WIP)
-        href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
-        items:
-          - name: Create a WIP policy using Microsoft Intune
-            href: information-protection/windows-information-protection/overview-create-wip-policy.md
-            items:
-            - name: Create a WIP policy in Microsoft Intune
-              href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
-              items:
-                - name: Deploy your WIP policy in Microsoft Intune
-                  href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
-                - name: Associate and deploy a VPN policy for WIP in Microsoft Intune
-                  href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
-            - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
-              href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
-            - name: Determine the enterprise context of an app running in WIP
-              href: information-protection/windows-information-protection/wip-app-enterprise-context.md
-          - name: Create a WIP policy using Microsoft Configuration Manager
-            href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
-            items:
-            - name: Create and deploy a WIP policy in Configuration Manager
-              href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
-            - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
-              href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
-            - name: Determine the enterprise context of an app running in WIP
-              href: information-protection/windows-information-protection/wip-app-enterprise-context.md
-          - name: Mandatory tasks and settings required to turn on WIP
-            href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
-          - name: Testing scenarios for WIP
-            href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
-          - name: Limitations while using WIP
-            href: information-protection/windows-information-protection/limitations-with-wip.md
-          - name: How to collect WIP audit event logs
-            href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
-          - name: General guidance and best practices for WIP
-            href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
-            items:
-            - name: Enlightened apps for use with WIP
-              href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
-            - name: Unenlightened and enlightened app behavior while using WIP
-              href: information-protection/windows-information-protection/app-behavior-with-wip.md
-            - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP
-              href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
-            - name: Using Outlook Web Access with WIP
-              href: information-protection/windows-information-protection/using-owa-with-wip.md
-          - name: Fine-tune WIP Learning
-            href: information-protection/windows-information-protection/wip-learning.md
-          - name: Disable WIP
-            href: information-protection/windows-information-protection/how-to-disable-wip.md
+  href: operating-system-security/toc.yml
 - name: Application security
-  items:
-    - name: Overview
-      href: apps.md
-    - name: Windows Defender Application Control and virtualization-based protection of code integrity
-      href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
-    - name: Windows Defender Application Control
-      href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
-    - name: Microsoft Defender Application Guard
-      href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
-    - name: Windows Sandbox
-      href: threat-protection/windows-sandbox/windows-sandbox-overview.md
-      items:
-        - name: Windows Sandbox architecture
-          href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
-        - name: Windows Sandbox configuration
-          href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
-    - name: Microsoft Defender SmartScreen overview
-      href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
-      items:
-        - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
-          href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
-        - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
-          href: threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-available-settings.md
-    - name: Configure S/MIME for Windows
-      href: identity-protection\configure-s-mime.md
-    - name: Windows Credential Theft Mitigation Guide Abstract
-      href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
-- name: User security and secured identity
-  items:
-    - name: Overview
-      href: identity.md
-    - name: Windows credential theft mitigation guide
-      href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
-    - name: Passwordless
-      items:
-      - name: Windows Hello for Business ⇒
-        href: identity-protection/hello-for-business/index.yml
-      - name: FIDO 2 security keys
-        href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key?context=/windows/security/context/context
-    - name: Local Administrator Password Solution (LAPS)
-      href: /windows-server/identity/laps/laps-overview?context=/windows/security/context/context
-    - name: Enterprise Certificate Pinning
-      href: identity-protection/enterprise-certificate-pinning.md
-    - name: Credential Guard
-      items:
-        - name: Protect derived domain credentials with Credential Guard
-          href: identity-protection/credential-guard/credential-guard.md
-        - name: How Credential Guard works
-          href: identity-protection/credential-guard/credential-guard-how-it-works.md
-        - name: Requirements
-          href: identity-protection/credential-guard/credential-guard-requirements.md
-        - name: Manage Credential Guard
-          href: identity-protection/credential-guard/credential-guard-manage.md
-        - name: Credential Guard protection limits
-          href: identity-protection/credential-guard/credential-guard-protection-limits.md
-        - name: Considerations when using Credential Guard
-          href: identity-protection/credential-guard/credential-guard-considerations.md
-        - name: Additional mitigations
-          href: identity-protection/credential-guard/additional-mitigations.md
-        - name: Known issues
-          href: identity-protection/credential-guard/credential-guard-known-issues.md
-    - name: Remote Credential Guard
-      href: identity-protection/remote-credential-guard.md
-    - name: Configuring LSA Protection
-      href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
-    - name: Technical support policy for lost or forgotten passwords
-      href: identity-protection/password-support-policy.md
-    - name: Access Control
-      items:
-        - name: Overview
-          href: identity-protection/access-control/access-control.md
-        - name: Local Accounts
-          href: identity-protection/access-control/local-accounts.md
-    - name: User Account Control (UAC)
-      items:
-        - name: Overview
-          href: identity-protection/user-account-control/user-account-control-overview.md
-        - name: How User Account Control works
-          href: identity-protection/user-account-control/how-user-account-control-works.md
-        - name: User Account Control security policy settings
-          href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
-        - name: User Account Control Group Policy and registry key settings
-          href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
-    - name: Smart Cards
-      href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
-      items:
-        - name: How Smart Card Sign-in Works in Windows
-          href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
-          items:
-            - name: Smart Card Architecture
-              href: identity-protection/smart-cards/smart-card-architecture.md
-            - name: Certificate Requirements and Enumeration
-              href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
-            - name: Smart Card and Remote Desktop Services
-              href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
-            - name: Smart Cards for Windows Service
-              href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
-            - name: Certificate Propagation Service
-              href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md
-            - name: Smart Card Removal Policy Service
-              href: identity-protection/smart-cards/smart-card-removal-policy-service.md
-        - name: Smart Card Tools and Settings
-          href: identity-protection/smart-cards/smart-card-tools-and-settings.md
-          items:
-            - name: Smart Cards Debugging Information
-              href: identity-protection/smart-cards/smart-card-debugging-information.md
-            - name: Smart Card Group Policy and Registry Settings
-              href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
-            - name: Smart Card Events
-              href: identity-protection/smart-cards/smart-card-events.md
-        - name: Virtual smart cards
-          href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
-          items:
-            - name: Understand and evaluate virtual smart cards
-              href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
-              items:
-                - name: Get started with virtual smart cards
-                  href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
-                - name: Use virtual smart cards
-                  href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
-                - name: Deploy virtual smart cards
-                  href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
-                - name: Evaluate virtual smart card security
-                  href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
-            - name: Tpmvscmgr
-              href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
-- name: Cloud services
-  items:
-    - name: Overview
-      href: cloud.md
-    - name: Mobile device management
-      href: /windows/client-management/mdm/
-    - name: Windows 365 Cloud PCs
-      href: /windows-365/overview
-    - name: Azure Virtual Desktop
-      href: /azure/virtual-desktop/
+  href: application-security/toc.yml
+- name: Identity protection
+  href: identity-protection/toc.yml
+- name: Windows Privacy 🔗
+  href: /windows/privacy
 - name: Security foundations
-  items:
-    - name: Overview
-      href: security-foundations.md
-    - name: Microsoft Security Development Lifecycle
-      href: threat-protection/msft-security-dev-lifecycle.md
-    - name: FIPS 140-2 Validation
-      href: threat-protection/fips-140-validation.md
-    - name: Common Criteria Certifications
-      href: threat-protection/windows-platform-common-criteria.md
-- name: Windows Privacy
-  href: /windows/privacy/windows-10-and-privacy-compliance
+  href: security-foundations/toc.yml
+- name: Cloud security
+  href: cloud-security/toc.yml
\ No newline at end of file
diff --git a/windows/security/application-security/application-control/toc.yml b/windows/security/application-security/application-control/toc.yml
new file mode 100644
index 0000000000..5cea979d61
--- /dev/null
+++ b/windows/security/application-security/application-control/toc.yml
@@ -0,0 +1,17 @@
+items:
+- name: User Account Control (UAC)
+  items:
+  - name: Overview
+    href: ../../identity-protection/user-account-control/user-account-control-overview.md
+  - name: How User Account Control works
+    href: ../../identity-protection/user-account-control/how-user-account-control-works.md
+  - name: User Account Control security policy settings
+    href: ../../identity-protection/user-account-control/user-account-control-security-policy-settings.md
+  - name: User Account Control Group Policy and registry key settings
+    href: ../../identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+- name: Windows Defender Application Control and virtualization-based protection of code integrity
+  href: ../../threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+- name: Windows Defender Application Control
+  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
+- name: Smart App Control
+  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml
new file mode 100644
index 0000000000..8c17971749
--- /dev/null
+++ b/windows/security/application-security/application-isolation/toc.yml
@@ -0,0 +1,20 @@
+items:
+- name: Microsoft Defender Application Guard (MDAG)
+  href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
+- name: MDAG for Edge standalone mode
+  href: ../../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+- name: MDAG for Edge enterprise mode and enterprise management 🔗
+  href: /deployedge/microsoft-edge-security-windows-defender-application-guard
+- name: MDAG for Microsoft Office
+  href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
+- name: MDAG configure via MDM 🔗
+  href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
+- name: Windows containers 🔗
+  href: /virtualization/windowscontainers/about
+- name: Windows Sandbox
+  href: ../../threat-protection/windows-sandbox/windows-sandbox-overview.md
+  items:
+  - name: Windows Sandbox architecture
+    href: ../../threat-protection/windows-sandbox/windows-sandbox-architecture.md
+  - name: Windows Sandbox configuration
+    href: ../../threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
\ No newline at end of file
diff --git a/windows/security/application-security/toc.yml b/windows/security/application-security/toc.yml
new file mode 100644
index 0000000000..5e2bd70284
--- /dev/null
+++ b/windows/security/application-security/toc.yml
@@ -0,0 +1,8 @@
+items:
+- name: Overview
+  href: ../apps.md
+- name: Application Control
+  href: application-control/toc.yml
+- name: Application Isolation
+  href: application-isolation/toc.yml
+
diff --git a/windows/security/cloud-security/toc.yml b/windows/security/cloud-security/toc.yml
new file mode 100644
index 0000000000..a927cf5384
--- /dev/null
+++ b/windows/security/cloud-security/toc.yml
@@ -0,0 +1,18 @@
+items:
+- name: Overview
+  href: ../cloud.md
+- name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗
+  href: /azure/active-directory/devices/concept-azure-ad-join
+- name: Security baselines with Intune 🔗
+  href: /mem/intune/protect/security-baselines
+- name: Remote wipe (Autopilot reset) 🔗
+  href: /windows/client-management/mdm/remotewipe-csp
+- name: Mobile Device Management (MDM) 🔗
+  href: /windows/client-management/mdm/
+- name: Universal Print 🔗
+  href: /universal-print
+- name: Windows Autopatch 🔗
+  href: /windows/deployment/windows-autopatch
+- name: Windows Autopilot 🔗
+  href: /windows/deployment/windows-autopilot
+
diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml
new file mode 100644
index 0000000000..6cd5d10c39
--- /dev/null
+++ b/windows/security/hardware-security/toc.yml
@@ -0,0 +1,54 @@
+items:
+  - name: Overview
+    href: ../hardware.md
+  - name: Hardware root of trust
+    items:
+      - name: Windows Defender System Guard
+        href: ../threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+      - name: Trusted Platform Module
+        href: ../information-protection/tpm/trusted-platform-module-top-node.md
+        items:
+          - name: Trusted Platform Module overview
+            href: ../information-protection/tpm/trusted-platform-module-overview.md
+          - name: TPM fundamentals
+            href: ../information-protection/tpm/tpm-fundamentals.md
+          - name: How Windows uses the TPM
+            href: ../information-protection/tpm/how-windows-uses-the-tpm.md
+          - name: Manage TPM commands
+            href: ../information-protection/tpm/manage-tpm-commands.md
+          - name: Manager TPM Lockout
+            href: ../information-protection/tpm/manage-tpm-lockout.md
+          - name: Change the TPM password
+            href: ../information-protection/tpm/change-the-tpm-owner-password.md
+          - name: TPM Group Policy settings
+            href: ../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+          - name: Back up the TPM recovery information to AD DS
+            href: ../information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+          - name: View status, clear, or troubleshoot the TPM
+            href: ../information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+          - name: Understanding PCR banks on TPM 2.0 devices
+            href: ../information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+          - name: TPM recommendations
+            href: ../information-protection/tpm/tpm-recommendations.md
+      - name: Microsoft Pluton security processor
+        items:
+          - name: Microsoft Pluton overview
+            href: ../information-protection/pluton/microsoft-pluton-security-processor.md
+          - name: Microsoft Pluton as TPM
+            href: ../information-protection/pluton/pluton-as-tpm.md
+  - name: Silicon assisted security
+    items:
+      - name: Virtualization-based security (VBS)
+        href: /windows-hardware/design/device-experiences/oem-vbs
+      - name: Memory integrity (HVCI)
+        href: ../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+      - name: Memory integrity and VBS enablement 🔗
+        href: /windows-hardware/design/device-experiences/oem-hvci-enablement
+      - name: Hardware-enforced stack protection
+        href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
+      - name: Secured-core PC 🔗
+        href: /windows-hardware/design/device-experiences/oem-highly-secure-11
+      - name: Kernel Direct Memory Access (DMA) protection
+        href: ../information-protection/kernel-dma-protection-for-thunderbolt.md
+      - name: System Guard Secure Launch
+        href: ../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 6bec9ee14c..b1ca0e2e0f 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -39,6 +39,8 @@ This content set contains:
   - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
   - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
 
+[!INCLUDE [access-control-aclsscals](../../../../includes/licensing/access-control-aclsscals.md)]
+
 ## Practical applications
 
 Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 317ef89a50..510e690593 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -20,6 +20,8 @@ Encrypted messages can be read only by recipients who have a certificate. If you
 
 A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
 
+[!INCLUDE [email-encryption-smime](../../../includes/licensing/email-encryption-smime.md)]
+
 ## Prerequisites
 
 -   [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com.
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index ca9c7acd52..32967fd8b7 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -18,7 +18,6 @@ Credential theft attacks allow the attacker to steal secrets from one device and
 Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
 
 **To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
-
 - Users need to be in domains that are running Windows Server 2012 R2 or higher
 - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
 - All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index ea7bf02bae..2afb9f4a6a 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -66,6 +66,8 @@ Applications may cause performance issues when they attempt to hook the isolated
 
 Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
 
+[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)]
+
 ## Security considerations
 
 All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
@@ -96,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve
 |Protections for Improved Security|Description|
 |---|---|
 |Hardware: **IOMMU** (input/output memory management unit)|**Requirement**: </br> - VT-D or AMD Vi IOMMU </br> </br> **Security benefits**: </br> - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)|
-|Firmware: **Securing Boot Configuration and Management**|**Requirements**: </br> - BIOS password or stronger authentication must be supported. </br> - In the BIOS configuration, BIOS authentication must be set. </br> - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. </br> - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
+|Firmware: **Securing Boot Configuration and Management**|**Requirements**: </br> - BIOS password or stronger authentication must be supported. </br> - In the BIOS configuration, BIOS authentication must be set. </br> - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system. </br> - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
 |Firmware: **Secure MOR, revision 2 implementation**|**Requirement**: </br> - Secure MOR, revision 2 implementation|
 
 ### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
diff --git a/windows/security/identity-protection/credential-guard/toc.yml b/windows/security/identity-protection/credential-guard/toc.yml
new file mode 100644
index 0000000000..3661af7b0e
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/toc.yml
@@ -0,0 +1,17 @@
+items:
+- name: Protect derived domain credentials with Credential Guard
+  href: credential-guard.md
+- name: How Credential Guard works
+  href: credential-guard-how-it-works.md
+- name: Requirements
+  href: credential-guard-requirements.md
+- name: Manage Credential Guard
+  href: credential-guard-manage.md
+- name: Credential Guard protection limits
+  href: credential-guard-protection-limits.md
+- name: Considerations when using Credential Guard
+  href: credential-guard-considerations.md
+- name: Additional mitigations
+  href: additional-mitigations.md
+- name: Known issues
+  href: credential-guard-known-issues.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 005fb6c685..84acf6b19c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -1,11 +1,11 @@
 ---
-title: Windows Hello for Business Overview (Windows)
-description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
+title: Windows Hello for Business Overview
+description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
 ms.collection: 
   - highpri
   - tier1
 ms.topic: conceptual
-ms.date: 12/31/2017
+ms.date: 04/24/2023
 ---
 # Windows Hello for Business Overview
 
@@ -65,6 +65,8 @@ Imagine that someone is looking over your shoulder as you get money from an ATM
 
 Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
 
+[!INCLUDE [windows-hello-for-business](../../../../includes/licensing/windows-hello-for-business.md)]
+
 ## How Windows Hello for Business works: key points
 
 - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 64e9869d2a..c492d78079 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -20,9 +20,7 @@ Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard
 Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
 
 > [!IMPORTANT]
-> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#helpdesk) in this article.
-
-<a id="comparing-remote-credential-guard-with-other-remote-desktop-connection-options"></a>
+> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article.
 
 ## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
 
@@ -30,43 +28,28 @@ The following diagram helps you to understand how a standard Remote Desktop sess
 
 ![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
 
-<br />
-
 The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
 
 ![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
 
-<br />
 As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
 
-<br />
-<br />
 Use the following table to compare different Remote Desktop connection security options:
 
-<br />
-<br />
-
-
 | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
-|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|                                                 **Protection benefits**                                                  |                                Credentials on the server are not protected from Pass-the-Hash attacks.                                 |  User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing   |                                                                                  User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server                                                                                   |
-|                                                   **Version support**                                                    |                                        The remote computer can run any Windows operating system                                        | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
-| **Helps prevent**   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; |                             &nbsp;&nbsp;&nbsp;&nbsp; N/A &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;                              |                   <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul>                   |                                                                                                                <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul>                                                                                                                |
-|                             **Credentials supported from the remote desktop client device**                              | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> |                                  <ul><li> <b>Signed on</b> credentials only                                  |                                                                                        <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul>                                                                                         |
-|                                                        **Access**                                                        |                           **Users allowed**, that is, members of Remote Desktop Users group of remote host.                            |                      **Users allowed**, that is, members of Remote Desktop Users of remote host.                       |                                                                                                              **Administrators only**, that is, only members of Administrators group of remote host.                                                                                                               |
-|                                                   **Network identity**                                                   |                               Remote Desktop session **connects to other resources as signed-in user**.                                |                       Remote Desktop session **connects to other resources as signed-in user**.                        |                                                                                                                 Remote Desktop session **connects to other resources as remote host's identity**.                                                                                                                 |
-|                                                      **Multi-hop**                                                       |                        From the remote desktop, **you can connect through Remote Desktop to another computer**                         |                From the remote desktop, you **can connect through Remote Desktop to another computer**.                |                                                                                                                      Not allowed for user as the session is running as a local host account                                                                                                                       |
-|                                               **Supported authentication**                                               |                                                        Any negotiable protocol.                                                        |                                                     Kerberos only.                                                     |                                                                                                                                              Any negotiable protocol                                                                                                                                              |
-
-<br />
+|--|--|--|--|
+| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
+| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
+| **Helps prevent**   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; | &nbsp;&nbsp;&nbsp;&nbsp; N/A &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul> | <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul> |
+| **Credentials supported from the remote desktop client device** | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> | <ul><li> <b>Signed on</b> credentials only | <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul> |
+| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
+| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. |
+| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
+| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
 
 For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol)
 and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)).
 
-<br />
-
-<a id="helpdesk"></a>
-
 ## Remote Desktop connections and helpdesk support scenarios
 
 For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
@@ -77,8 +60,7 @@ To further harden security, we also recommend that you implement Local Administr
 
 For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx).
 
-
-<a id="reqs"></a>
+[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)]
 
 ## Remote Credential Guard requirements
 
@@ -86,20 +68,17 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
 
 The Remote Desktop client device:
 
--  Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
-
--  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host.
-
--  Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
-
--  Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
+- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine
+- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host
+- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard
+- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
 
 The Remote Desktop remote host:
 
--  Must be running at least Windows 10, version 1607 or Windows Server 2016.
--  Must allow Restricted Admin connections.
--  Must allow the client's domain user to access Remote Desktop connections.
--  Must allow delegation of non-exportable credentials.
+- Must be running at least Windows 10, version 1607 or Windows Server 2016.
+- Must allow Restricted Admin connections.
+- Must allow the client's domain user to access Remote Desktop connections.
+- Must allow delegation of non-exportable credentials.
 
 There are no hardware requirements for Windows Defender Remote Credential Guard.
 
@@ -109,31 +88,26 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
 > GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
 
 - For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
-
 - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
-
 - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
 
 ## Enable Windows Defender Remote Credential Guard
 
 You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
 
-1. Open Registry Editor on the remote host.
+1. Open Registry Editor on the remote host
+1. Enable Restricted Admin and Windows Defender Remote Credential Guard:
 
-2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
+  - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`
+  - Add a new DWORD value named **DisableRestrictedAdmin**
+  - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0
 
-    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
-    
-    - Add a new DWORD value named **DisableRestrictedAdmin**.
-    
-    - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0.
-    
-3. Close Registry Editor.
+1. Close Registry Editor
 
 You can add this by running the following command from an elevated command prompt:
 
-```console
-reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
+```cmd
+reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
 ```
 
 ## Using Windows Defender Remote Credential Guard
@@ -142,36 +116,28 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
 
 ### Turn on Windows Defender Remote Credential Guard by using Group Policy
 
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
-
-2. Double-click **Restrict delegation of credentials to remote servers**.
-
+1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**
+1. Double-click **Restrict delegation of credentials to remote servers**
     ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png)
-
-3. Under **Use the following restricted mode**:
-
-   - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
+1. Under **Use the following restricted mode**:
+  - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used
 
      > [!NOTE]
      > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
-     > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. 
+     > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard.
 
-   - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
-
-   - If you  want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
-
-4. Click **OK**.
-
-5. Close the Group Policy Management Console.
-
-6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
+  - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic.
+  - If you  want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in  [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
 
+1. Click **OK**
+1. Close the Group Policy Management Console
+1. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied
 
 ### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
 
 If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
 
-```console
+```cmd
 mstsc.exe /remoteGuard
 ```
 
@@ -180,12 +146,8 @@ mstsc.exe /remoteGuard
 
 ## Considerations when using Windows Defender Remote Credential Guard
 
-- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied.
-
-- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory.
-
-- Remote Desktop Credential Guard only works with the RDP protocol.
-
-- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
-
-- The server and client must authenticate using Kerberos.
+- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
+- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory
+- Remote Desktop Credential Guard only works with the RDP protocol
+- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
+- The server and client must authenticate using Kerberos
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index a44e2533fc..5d498cb152 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -21,3 +21,5 @@ This topic for IT professional provides links to resources about the implementat
 -   [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
 
 -   [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
+
+[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
\ No newline at end of file
diff --git a/windows/security/identity-protection/smart-cards/toc.yml b/windows/security/identity-protection/smart-cards/toc.yml
new file mode 100644
index 0000000000..0d82f8c3a7
--- /dev/null
+++ b/windows/security/identity-protection/smart-cards/toc.yml
@@ -0,0 +1,28 @@
+items:
+- name: Smart Card Technical Reference
+  href: smart-card-windows-smart-card-technical-reference.md
+  items:
+    - name: How Smart Card Sign-in Works in Windows
+      href: smart-card-how-smart-card-sign-in-works-in-windows.md
+      items:
+        - name: Smart Card Architecture
+          href: smart-card-architecture.md
+        - name: Certificate Requirements and Enumeration
+          href: smart-card-certificate-requirements-and-enumeration.md
+        - name: Smart Card and Remote Desktop Services
+          href: smart-card-and-remote-desktop-services.md
+        - name: Smart Cards for Windows Service
+          href: smart-card-smart-cards-for-windows-service.md
+        - name: Certificate Propagation Service
+          href: smart-card-certificate-propagation-service.md
+        - name: Smart Card Removal Policy Service
+          href: smart-card-removal-policy-service.md
+    - name: Smart Card Tools and Settings
+      href: smart-card-tools-and-settings.md
+      items:
+        - name: Smart Cards Debugging Information
+          href: smart-card-debugging-information.md
+        - name: Smart Card Group Policy and Registry Settings
+          href: smart-card-group-policy-and-registry-settings.md
+        - name: Smart Card Events
+          href: smart-card-events.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
new file mode 100644
index 0000000000..c90f5b2316
--- /dev/null
+++ b/windows/security/identity-protection/toc.yml
@@ -0,0 +1,49 @@
+items:
+  - name: Overview
+    href: ../identity.md
+  - name: Windows credential theft mitigation guide
+    href: windows-credential-theft-mitigation-guide-abstract.md
+  - name: Passwordless sign-in
+    items:
+    - name: Windows Hello for Business 🔗
+      href: hello-for-business/index.yml
+    - name: Windows presence sensing
+      href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
+    - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
+      href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
+    - name: FIDO 2 security key 🔗
+      href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
+    - name: Federated sign-in 🔗
+      href: /education/windows/federated-sign-in
+    - name: Smart Cards
+      href: smart-cards/toc.yml
+    - name: Virtual smart cards
+      href: virtual-smart-cards/toc.yml
+      displayName: VSC
+    - name: Enterprise Certificate Pinning
+      href: enterprise-certificate-pinning.md
+  - name: Advanced credential protection
+    items:
+    - name: Account Lockout Policy 🔗
+      href: ../threat-protection/security-policy-settings/account-lockout-policy.md
+    - name: Technical support policy for lost or forgotten passwords
+      href: password-support-policy.md
+    - name: Windows LAPS (Local Administrator Password Solution) 🔗
+      displayName: LAPS
+      href: /windows-server/identity/laps/laps-overview
+    - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
+      href: ../threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
+      displayName: EPP
+    - name: Access Control
+      items:
+      - name: Overview
+        href: access-control/access-control.md
+        displayName: ACL
+      - name: Local Accounts
+        href: access-control/local-accounts.md
+    - name: Security policy settings 🔗
+      href: ../threat-protection/security-policy-settings/security-policy-settings.md
+    - name: Windows Defender Credential Guard
+      href: credential-guard/toc.yml
+  - name: Windows Defender Remote Credential Guard
+    href: remote-credential-guard.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index e85aae3ab9..ad89a60ec7 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -18,6 +18,8 @@ Other apps, especially those that were not specifically designed with security s
 
 When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed.
 
+[!INCLUDE [user-account-control-uac](../../../../includes/licensing/user-account-control-uac.md)]
+
 ## Practical applications
 
 Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
diff --git a/windows/security/identity-protection/virtual-smart-cards/toc.yml b/windows/security/identity-protection/virtual-smart-cards/toc.yml
new file mode 100644
index 0000000000..68842b6001
--- /dev/null
+++ b/windows/security/identity-protection/virtual-smart-cards/toc.yml
@@ -0,0 +1,17 @@
+items:
+- name: Virtual Smart Card overview
+  href: virtual-smart-card-overview.md
+  items:
+    - name: Understand and evaluate virtual smart cards
+      href: virtual-smart-card-understanding-and-evaluating.md
+      items:
+        - name: Get started with virtual smart cards
+          href: virtual-smart-card-get-started.md
+        - name: Use virtual smart cards
+          href: virtual-smart-card-use-virtual-smart-cards.md
+        - name: Deploy virtual smart cards
+          href: virtual-smart-card-deploy-virtual-smart-cards.md
+        - name: Evaluate virtual smart card security
+          href: virtual-smart-card-evaluate-security.md
+    - name: Tpmvscmgr
+      href: virtual-smart-card-tpmvscmgr.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 15f788082b..8a775eea81 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -14,6 +14,8 @@ To create a Windows 10 VPN device configuration profile see: [Windows 10 and Win
 > [!NOTE]
 > This guide does not explain server deployment.
 
+[!INCLUDE [virtual-private-network-vpn](../../../../includes/licensing/virtual-private-network-vpn.md)]
+
 ## In this guide
 
 | Article | Description  |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index a3b7a72ca1..d6c02185e3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -52,6 +52,8 @@ BitLocker control panel, and they're appropriate to be used for automated deploy
 
 To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker).
 
+[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker.md)]
+
 ## System requirements
 
 BitLocker has the following hardware requirements:
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
index 4523cd4552..035d511240 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -48,6 +48,8 @@ Encrypted hard drives are supported natively in the operating system through the
 
 If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
 
+[!INCLUDE [encrypted-hard-drive](../../../includes/licensing/encrypted-hard-drive.md)]
+
 ## System Requirements
 
 To use encrypted hard drives, the following system requirements apply:
diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md
deleted file mode 100644
index f84702dd1c..0000000000
--- a/windows/security/information-protection/index.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Information protection (Windows 10)
-description: Learn more about how to protect sensitive data across your organization.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/09/2023
-ms.technology: itpro-security
----
-
-# Information protection
-
-Learn more about how to secure documents and other data across your organization.
-
-| Section | Description |
-|-|-|
-| [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
-| [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
-| [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to PCI accessible ports, such as Thunderbolt&trade; 3 ports. |
-| [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
-| [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |
-| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys.  |
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index eb8db70020..f0503ef3a9 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -41,6 +41,8 @@ When Kernel DMA Protection is enabled:
 - Peripherals with DMA Remapping-compatible device drivers will be automatically enumerated and started
 - Peripherals with DMA Remapping-incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system.
 
+[!INCLUDE [kernel-direct-memory-access-dma-protection](../../../includes/licensing/kernel-direct-memory-access-dma-protection.md)]
+
 ## System compatibility
 
 Kernel DMA Protection requires UEFI firmware support, and Virtualization-based Security (VBS) isn't required.
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index a88c9d276a..c7efa3d342 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -23,6 +23,8 @@ ms.date: 03/13/2023
 
 [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
 
+[!INCLUDE [personal-data-encryption-pde](../../../../includes/licensing/personal-data-encryption-pde.md)]
+
 ## Prerequisites
 
 ### Required
diff --git a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
index 5274334565..d2d8321257 100644
--- a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
+++ b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
@@ -18,7 +18,7 @@ ms.technology: itpro-security
 
 Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
 
-Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
+Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon&reg; 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
 
 ## What is Microsoft Pluton?
 
@@ -46,6 +46,8 @@ When the system boots, Pluton hardware initialization is performed by loading th
 
 ![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png)
 
+[!INCLUDE [microsoft-pluton-security-processor](../../../../includes/licensing/microsoft-pluton-security-processor.md)]
+
 ## Related topics
 
 [Microsoft Pluton as TPM](pluton-as-tpm.md)
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 2c2f23d5cb..d3a0a6e2b7 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -50,6 +50,8 @@ Anti-malware software can use the boot measurements of the operating system star
 
 The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
 
+[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm-20.md)]
+
 ## New and changed functionality
 
 For more info on new and changed functionality for Trusted Platform Module in Windows, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module)
diff --git a/windows/security/introduction/index.md b/windows/security/introduction/index.md
new file mode 100644
index 0000000000..f051acac9f
--- /dev/null
+++ b/windows/security/introduction/index.md
@@ -0,0 +1,57 @@
+---
+title: Introduction to Windows security
+description: System security book.
+ms.date: 04/24/2023
+ms.topic: tutorial
+ms.author: paoloma
+ms.custom: ai-gen-docs
+author: paolomatarazzo
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Introduction to Windows security
+
+The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
+
+Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](../threat-protection/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
+
+## How Windows 11 enables Zero Trust protection
+
+A Zero Trust security model gives the right people the right access at the right time. Zero Trust security is based on three principles:
+
+1. Reduce risk by explicitly verifying data points such as user identity, location, and device health for every access request, without exception
+1. When verified, give people and devices access to only necessary resources for the necessary amount of time
+1. Use continuous analytics to drive threat detection and improve defenses
+
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+
+### Security, by default
+
+Windows 11 is a natural evolution of its predecessor, Windows 10. We have collaborated with our manufacturer and silicon partners to incorporate extra hardware security measures that address the increasingly complex security threats of today. These measures not only enable the hybrid work and learning that many organizations now embrace but also help bolster our already strong foundation and resilience against attacks.
+
+### Enhanced hardware and operating system security
+
+With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
+
+In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
+
+### Robust application security and privacy controls
+
+To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need.
+
+In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/device-experiences/oem-app-guard) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone.
+
+### Secured identities
+
+Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
+
+### Connecting to cloud services
+
+Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Azure Active Directory and Microsoft Azure Attestation to control access to applications and data through the cloud.
+
+## Next steps
+
+To learn more about the security features included in Windows 11, download the [Windows 11 Security Book: Powerful security from chip to cloud](https://aka.ms/Windows11SecurityBook).
+
+[!INCLUDE [ai-disclaimer-generic](../../../includes/ai-disclaimer-generic.md)]
\ No newline at end of file
diff --git a/windows/security/introduction/security-features-edition-requirements.md b/windows/security/introduction/security-features-edition-requirements.md
new file mode 100644
index 0000000000..0cffb54f8f
--- /dev/null
+++ b/windows/security/introduction/security-features-edition-requirements.md
@@ -0,0 +1,26 @@
+---
+title: Windows security features and edition requirements
+description: Learn about Windows edition requirements for the feature included in Windows.
+ms.prod: windows-client
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.collection:
+- tier3
+ms.topic: conceptual
+ms.date: 05/04/2023
+appliesto:
+- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+ms.technology: itpro-security
+---
+
+# Windows security features and edition requirements
+
+This article lists the security features that are available in Windows, and the Windows editions that support them.
+
+> [!NOTE]
+> The **Windows edition** requirements listed in the following table may be different from the **licensing** requirements. If you're looking for licensing requirements, see [Windows security features and licensing requirements](security-features-licensing-requirements.md).
+
+[!INCLUDE [_edition-requirements](../../../includes/licensing/_edition-requirements.md)]
+
+For more information about Windows licensing, see [Windows Commercial Licensing overview](/windows/whats-new/windows-licensing).
diff --git a/windows/security/introduction/security-features-licensing-requirements.md b/windows/security/introduction/security-features-licensing-requirements.md
new file mode 100644
index 0000000000..df7e5bdcec
--- /dev/null
+++ b/windows/security/introduction/security-features-licensing-requirements.md
@@ -0,0 +1,26 @@
+---
+title: Windows security features and licensing requirements
+description: Learn about Windows features and licensing requirements for the feature included in Windows.
+ms.prod: windows-client
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.collection:
+- tier3
+ms.topic: conceptual
+ms.date: 04/24/2023
+appliesto:
+- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+ms.technology: itpro-security
+---
+
+# Windows security features and licensing requirements
+
+This article lists the security features that are available in Windows, and the licensing requirements to use them.
+
+> [!NOTE]
+> The **licensing** requirements listed in the following table may be different from the **Windows edition** requirements. If you're looking for Windows edition requirements, see [Windows security features and edition requirements](security-features-edition-requirements.md).
+
+[!INCLUDE [_licensing-requirements](../../../includes/licensing/_licensing-requirements.md)]
+
+For more information about Windows licensing, see [Windows Commercial Licensing overview](/windows/whats-new/windows-licensing).
diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml
new file mode 100644
index 0000000000..56500215a0
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/toc.yml
@@ -0,0 +1,152 @@
+items:
+- name: Overview
+  href: ../../encryption-data-protection.md
+- name: BitLocker
+  href: ../../information-protection/bitlocker/bitlocker-overview.md
+  items:
+  - name: Overview of BitLocker Device Encryption in Windows
+    href: ../../information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+  - name: BitLocker frequently asked questions (FAQ)
+    href: ../../information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+    items:
+    - name: Overview and requirements
+      href: ../../information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+    - name: Upgrading
+      href: ../../information-protection/bitlocker/bitlocker-upgrading-faq.yml
+    - name: Deployment and administration
+      href: ../../information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+    - name: Key management
+      href: ../../information-protection/bitlocker/bitlocker-key-management-faq.yml
+    - name: BitLocker To Go
+      href: ../../information-protection/bitlocker/bitlocker-to-go-faq.yml
+    - name: Active Directory Domain Services
+      href: ../../information-protection/bitlocker/bitlocker-and-adds-faq.yml
+    - name: Security
+      href: ../../information-protection/bitlocker/bitlocker-security-faq.yml
+    - name: BitLocker Network Unlock
+      href: ../../information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+    - name: General
+      href: ../../information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+  - name: "Prepare your organization for BitLocker: Planning and policies"
+    href: ../../information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+  - name: BitLocker deployment comparison
+    href: ../../information-protection/bitlocker/bitlocker-deployment-comparison.md
+  - name: BitLocker basic deployment
+    href: ../../information-protection/bitlocker/bitlocker-basic-deployment.md
+  - name: Deploy BitLocker on Windows Server 2012 and later
+    href: ../../information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+  - name: BitLocker management for enterprises
+    href: ../../information-protection/bitlocker/bitlocker-management-for-enterprises.md
+  - name: Enable Network Unlock with BitLocker
+    href: ../../information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+  - name: Use BitLocker Drive Encryption Tools to manage BitLocker
+    href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+  - name: Use BitLocker Recovery Password Viewer
+    href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+  - name: BitLocker Group Policy settings
+    href: ../../information-protection/bitlocker/bitlocker-group-policy-settings.md
+  - name: BCD settings and BitLocker
+    href: ../../information-protection/bitlocker/bcd-settings-and-bitlocker.md
+  - name: BitLocker Recovery Guide
+    href: ../../information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+  - name: BitLocker Countermeasures
+    href: ../../information-protection/bitlocker/bitlocker-countermeasures.md
+  - name: Protecting cluster shared volumes and storage area networks with BitLocker
+    href: ../../information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+  - name: Troubleshoot BitLocker
+    items:
+      - name: Troubleshoot BitLocker
+        href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
+      - name: "BitLocker cannot encrypt a drive: known issues"
+        href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
+      - name: "Enforcing BitLocker policies by using Intune: known issues"
+        href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
+      - name: "BitLocker Network Unlock: known issues"
+        href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
+      - name: "BitLocker recovery: known issues"
+        href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
+      - name: "BitLocker configuration: known issues"
+        href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
+      - name: Troubleshoot BitLocker and TPM issues
+        items:
+          - name: "BitLocker cannot encrypt a drive: known TPM issues"
+            href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
+          - name: "BitLocker and TPM: other known issues"
+            href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
+          - name: Decode Measured Boot logs to track PCR changes
+            href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
+- name: Encrypted Hard Drive
+  href: ../../information-protection/encrypted-hard-drive.md
+- name: Personal Data Encryption (PDE)
+  items:
+  - name: Personal Data Encryption (PDE) overview
+    href: ../../information-protection/personal-data-encryption/overview-pde.md
+  - name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
+    href: ../../information-protection/personal-data-encryption/faq-pde.yml
+  - name: Configure Personal Data Encryption (PDE) in Intune
+    items:
+    - name: Configure Personal Data Encryption (PDE) in Intune
+      href: ../../information-protection/personal-data-encryption/configure-pde-in-intune.md
+    - name: Enable Personal Data Encryption (PDE)
+      href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
+    - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
+      href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
+    - name: Disable kernel-mode crash dumps and live dumps for PDE
+      href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
+    - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
+      href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
+    - name: Disable hibernation for PDE
+      href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
+    - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
+      href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
+- name: Configure S/MIME for Windows
+  href: ../../identity-protection/configure-s-mime.md
+- name: Windows Information Protection (WIP)
+  href: ../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+  items:
+    - name: Create a WIP policy using Microsoft Intune
+      href: ../../information-protection/windows-information-protection/overview-create-wip-policy.md
+      items:
+      - name: Create a WIP policy in Microsoft Intune
+        href: ../../information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+        items:
+          - name: Deploy your WIP policy in Microsoft Intune
+            href: ../../information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+          - name: Associate and deploy a VPN policy for WIP in Microsoft Intune
+            href: ../../information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+      - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
+        href: ../../information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+      - name: Determine the enterprise context of an app running in WIP
+        href: ../../information-protection/windows-information-protection/wip-app-enterprise-context.md
+    - name: Create a WIP policy using Microsoft Configuration Manager
+      href: ../../information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+      items:
+      - name: Create and deploy a WIP policy in Configuration Manager
+        href: ../../information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+      - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
+        href: ../../information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+      - name: Determine the enterprise context of an app running in WIP
+        href: ../../information-protection/windows-information-protection/wip-app-enterprise-context.md
+    - name: Mandatory tasks and settings required to turn on WIP
+      href: ../../information-protection/windows-information-protection/mandatory-settings-for-wip.md
+    - name: Testing scenarios for WIP
+      href: ../../information-protection/windows-information-protection/testing-scenarios-for-wip.md
+    - name: Limitations while using WIP
+      href: ../../information-protection/windows-information-protection/limitations-with-wip.md
+    - name: How to collect WIP audit event logs
+      href: ../../information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+    - name: General guidance and best practices for WIP
+      href: ../../information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+      items:
+      - name: Enlightened apps for use with WIP
+        href: ../../information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+      - name: Unenlightened and enlightened app behavior while using WIP
+        href: ../../information-protection/windows-information-protection/app-behavior-with-wip.md
+      - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP
+        href: ../../information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+      - name: Using Outlook Web Access with WIP
+        href: ../../information-protection/windows-information-protection/using-owa-with-wip.md
+    - name: Fine-tune WIP Learning
+      href: ../../information-protection/windows-information-protection/wip-learning.md
+    - name: Disable WIP
+      href: ../../information-protection/windows-information-protection/how-to-disable-wip.md
\ No newline at end of file
diff --git a/windows/security/operating-system-security/device-management/toc.yml b/windows/security/operating-system-security/device-management/toc.yml
new file mode 100644
index 0000000000..239b2eb2a6
--- /dev/null
+++ b/windows/security/operating-system-security/device-management/toc.yml
@@ -0,0 +1,26 @@
+items:
+  - name: Security policy settings
+    href: ../../threat-protection/security-policy-settings/security-policy-settings.md
+  - name: Security auditing
+    href: ../../threat-protection/auditing/security-auditing-overview.md
+  - name: Secured-core configuration lock
+    href: /windows/client-management/config-lock
+  - name: Assigned Access (kiosk mode)
+    href: /windows/configuration/kiosk-methods
+  - name: Security baselines
+    href: ../../threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+    items:
+    - name: Security Compliance Toolkit
+      href: ../../threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+    - name: Get support
+      href: ../../threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+    - name: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
+      href: ../../threat-protection/mbsa-removal-and-guidance.md
+  - name: More Windows security
+    items:
+    - name: Override Process Mitigation Options to help enforce app-related security policies
+      href: ../../threat-protection/override-mitigation-options-for-app-related-security-policies.md
+    - name: Use Windows Event Forwarding to help with intrusion detection
+      href: ../../threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+    - name: Block untrusted fonts in an enterprise
+      href: ../../threat-protection/block-untrusted-fonts-in-enterprise.md
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/toc.yml b/windows/security/operating-system-security/network-security/toc.yml
new file mode 100644
index 0000000000..af372280a4
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/toc.yml
@@ -0,0 +1,40 @@
+items:
+- name: Transport layer security (TLS)
+  href: /windows-server/security/tls/tls-ssl-schannel-ssp-overview
+- name: WiFi Security
+  href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09
+- name: Windows Firewall
+  href: ../../threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+- name: Virtual Private Network (VPN)
+  href: ../../identity-protection/vpn/vpn-guide.md
+  items:
+  - name: VPN connection types
+    href: ../../identity-protection/vpn/vpn-connection-type.md
+  - name: VPN routing decisions
+    href: ../../identity-protection/vpn/vpn-routing.md
+  - name: VPN authentication options
+    href: ../../identity-protection/vpn/vpn-authentication.md
+  - name: VPN and conditional access
+    href: ../../identity-protection/vpn/vpn-conditional-access.md
+  - name: VPN name resolution
+    href: ../../identity-protection/vpn/vpn-name-resolution.md
+  - name: VPN auto-triggered profile options
+    href: ../../identity-protection/vpn/vpn-auto-trigger-profile.md
+  - name: VPN security features
+    href: ../../identity-protection/vpn/vpn-security-features.md
+  - name: VPN profile options
+    href: ../../identity-protection/vpn/vpn-profile-options.md
+  - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
+    href: ../../identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+  - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
+    href: ../../identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+  - name: Optimizing Office 365 traffic with the Windows VPN client
+    href: ../../identity-protection/vpn/vpn-office-365-optimization.md
+- name: Always On VPN
+  href: /windows-server/remote/remote-access/vpn/always-on-vpn/
+- name: Direct Access
+  href: /windows-server/remote/remote-access/directaccess/directaccess
+- name: Server Message Block (SMB) file service
+  href: /windows-server/storage/file-server/file-server-smb-overview
+- name: Server Message Block Direct (SMB Direct)
+  href: /windows-server/storage/file-server/smb-direct
\ No newline at end of file
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
new file mode 100644
index 0000000000..86abf54e55
--- /dev/null
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -0,0 +1,28 @@
+items:
+- name: Secure the Windows boot process
+  href: ../../information-protection/secure-the-windows-10-boot-process.md
+- name: Secure Boot and Trusted Boot
+  href: ../../trusted-boot.md
+- name: Measured Boot
+  href: /windows/compatibility/measured-boot
+- name: Device health attestation service
+  href: ../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+- name: Cryptography and certificate management
+  href: ../../cryptography-certificate-mgmt.md
+- name: The Windows Security app
+  href: ../../threat-protection/windows-defender-security-center/windows-defender-security-center.md
+  items:
+  - name: Virus & threat protection
+    href: ../../threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
+  - name: Account protection
+    href: ../../threat-protection\windows-defender-security-center\wdsc-account-protection.md
+  - name: Firewall & network protection
+    href: ../../threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
+  - name: App & browser control
+    href: ../../threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
+  - name: Device security
+    href: ../../threat-protection\windows-defender-security-center\wdsc-device-security.md
+  - name: Device performance & health
+    href: ../../threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
+  - name: Family options
+    href: ../../threat-protection\windows-defender-security-center\wdsc-family-options.md
\ No newline at end of file
diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml
new file mode 100644
index 0000000000..a0ee50c4bb
--- /dev/null
+++ b/windows/security/operating-system-security/toc.yml
@@ -0,0 +1,13 @@
+items:
+- name: Overview
+  href: ../operating-system.md
+- name: System security
+  href: system-security/toc.yml
+- name: Virus and threat protection
+  href: virus-and-threat-protection/toc.yml
+- name: Network security
+  href: network-security/toc.yml
+- name: Data protection
+  href: data-protection/toc.yml
+- name: Device management
+  href: device-management/toc.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
new file mode 100644
index 0000000000..a8c5cdf1e5
--- /dev/null
+++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
@@ -0,0 +1,21 @@
+items:
+- name: Overview
+  href: ../../threat-protection/index.md
+- name: Microsoft Defender Antivirus
+  href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
+- name: Configuring LSA Protection
+  href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
+- name: Attack surface reduction (ASR)
+  href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
+- name: Tamper protection for MDE
+  href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+- name: Microsoft Vulnerable Driver Blocklist
+  href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+- name: Controlled folder access
+  href: /microsoft-365/security/defender-endpoint/controlled-folders
+- name: Exploit protection
+  href: /microsoft-365/security/defender-endpoint/exploit-protection
+- name: Microsoft Defender SmartScreen
+  href: ../../threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+- name: Microsoft Defender for Endpoint
+  href: /microsoft-365/security/defender-endpoint
\ No newline at end of file
diff --git a/windows/security/security-foundations/certification/toc.yml b/windows/security/security-foundations/certification/toc.yml
new file mode 100644
index 0000000000..70d9d800b8
--- /dev/null
+++ b/windows/security/security-foundations/certification/toc.yml
@@ -0,0 +1,5 @@
+items:
+- name: FIPS 140-2 Validation
+  href: ../../threat-protection/fips-140-validation.md
+- name: Common Criteria Certifications
+  href: ../../threat-protection/windows-platform-common-criteria.md
\ No newline at end of file
diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml
new file mode 100644
index 0000000000..d52c477387
--- /dev/null
+++ b/windows/security/security-foundations/toc.yml
@@ -0,0 +1,7 @@
+items:
+- name: Overview
+  href: ../security-foundations.md
+- name: Microsoft Security Development Lifecycle
+  href: ../threat-protection/msft-security-dev-lifecycle.md
+- name: Certification
+  href: certification/toc.yml
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index afc6aaef79..f6a9150ebc 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.date: 09/09/2021
+ms.date: 05/01/2023
 ms.reviewer: 
 manager: aaroncz
 ms.custom: asr
@@ -49,6 +49,8 @@ Application Guard has been created to target several types of devices:
 
 - **Personal devices**. These personally owned desktops or mobile laptops aren't domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
 
+[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
+
 ## Related articles
 
 |Article |Description |
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index e7f02d821d..b58a2be3ac 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -48,6 +48,8 @@ Microsoft Defender SmartScreen provide an early warning system against websites
 > [!IMPORTANT]
 > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
 
+[!INCLUDE [microsoft-defender-smartscreen](../../../../includes/licensing/microsoft-defender-smartscreen.md)]
+
 ## Submit files to Microsoft Defender SmartScreen for review
 
 If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide).
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
index aa2ffc3b9d..7ca1ed702c 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
@@ -37,6 +37,8 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
 
 - **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled.
 
+[!INCLUDE [enhanced-phishing-protection-with-smartscreen](../../../../includes/licensing/enhanced-phishing-protection-with-smartscreen.md)]
+
 ## Configure Enhanced Phishing Protection for your organization
 
 Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index b6fcd28bd2..a29c0cb634 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -1,5 +1,5 @@
 ---
-title: Control the health of Windows 10-based devices (Windows 10)
+title: Control the health of Windows devices
 description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.
 ms.prod: windows-client
 ms.date: 10/13/2017
@@ -11,7 +11,7 @@ manager: dougeby
 ms.topic: conceptual
 ---
 
-# Control the health of Windows 10-based devices
+# Control the health of Windows devices
 
 **Applies to**
 
@@ -327,6 +327,8 @@ For Windows 10-based devices, Microsoft introduces a new public API that will al
 
 For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section.
 
+[!INCLUDE [device-health-attestation-service](../../../includes/licensing/device-health-attestation-service.md)]
+
 ### <a href="" id="hardware-req"></a>Hardware requirements
 
 The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
index 03d4f6bba0..301d74416d 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
@@ -32,6 +32,8 @@ The following topics provide a discussion of each policy setting's implementatio
 >[!NOTE]
 >Account lockout settings for remote access clients can be configured separately by editing the Registry on the server that manages the remote access. For more information, see [How to configure remote access client account lockout](/troubleshoot/windows-server/networking/configure-remote-access-client-account-lockout).
 
+[!INCLUDE [account-lockout-policy](../../../../includes/licensing/account-lockout-policy.md)]
+
 ## In this section
 
 | Topic | Description |
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index e5a2bba1d9..5cac6b5f49 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -71,6 +71,8 @@ The Security Settings extension of the Local Group Policy Editor includes the fo
 - **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks by using cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address.
 - **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies.
 
+[!INCLUDE [windows-security-policy-settings-and-auditing](../../../../includes/licensing/windows-security-policy-settings-and-auditing.md)]
+
 ## Policy-based security settings management
 
 The Security Settings extension to Group Policy provides an integrated policy-based management infrastructure to help you manage and enforce your security policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 161e563a19..a03dd12363 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -59,6 +59,8 @@ The blocklist is updated with each new major release of Windows, typically 1-2 t
 
 Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies.
 
+[!INCLUDE [microsoft-vulnerable-driver-blocklist](../../../../includes/licensing/microsoft-vulnerable-driver-blocklist.md)]
+
 ## Blocking vulnerable drivers using WDAC
 
 Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 2ba7d43f84..9f1f0f96d3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -73,6 +73,8 @@ Smart App Control enforces the [Microsoft Recommended Driver Block rules](micros
 - Microsoft.Build.Framework.dll
 - Wslhost.dll
 
+[!INCLUDE [windows-defender-application-control-wdac](../../../../includes/licensing/windows-defender-application-control-wdac.md)]
+
 ## Related articles
 
 - [WDAC design guide](windows-defender-application-control-design-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index 10b4f41000..74e332cb87 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -30,7 +30,7 @@ With Windows 7, one of the means attackers would use to persist and evade detect
 This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
 
 With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. 
-This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 
+This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 
 This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). 
 
 As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. 
@@ -69,18 +69,20 @@ Paging protection can be implemented to lock certain code tables to be read-only
 A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to. 
 
 SMM protection is built on top of the Secure Launch technology and requires it to function. 
-In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. 
+In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with. 
 
 ## Validating platform integrity after Windows is running (run time)
 
-While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
+While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device's integrity.
 
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few.
+As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, just to name a few.
 
 ![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png)
 
 After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
 
+[!INCLUDE [windows-defender-system-guard](../../../../includes/licensing/windows-defender-system-guard.md)]
+
 ## System requirements for System Guard
 
 This feature is available for the following processors:
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 282125d3bd..a5468a9a20 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -23,7 +23,7 @@ Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Serv
 
 The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
 
-
+[!INCLUDE [windows-firewall](../../../../includes/licensing/windows-firewall.md)]
 
 ## Feature description
 
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 74e81b1a05..8f3d7bd7de 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -32,10 +32,10 @@ Windows Sandbox has the following properties:
 > [!IMPORTANT]
 > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
 
+[!INCLUDE [windows-sandbox](../../../../includes/licensing/windows-sandbox.md)]
+
 ## Prerequisites
 
-- Windows 10, version 1903 and later, or Windows 11
-- Windows Pro, Enterprise or Education edition
 - ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
 - Virtualization capabilities enabled in BIOS
 - At least 4 GB of RAM (8 GB recommended)
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 238193ef00..b4829615f9 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -41,6 +41,8 @@ For example, there are over 3,000 group policy settings for Windows 10, which do
 
 In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as group policy object backups.
 
+[!INCLUDE [security-baselines](../../../../includes/licensing/security-baselines.md)]
+
 ## Baseline principles
 
 Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially:
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
index ad5c50ecc7..8790964196 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/trusted-boot.md
@@ -29,6 +29,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo
 
 Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
 
+[!INCLUDE [secure-boot-and-trusted-boot](../../includes/licensing/secure-boot-and-trusted-boot.md)]
+
 ## See also
 
 [Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
\ No newline at end of file
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index d6159d39a6..64a4233745 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -13,7 +13,7 @@ ms.date: 12/31/2017
 ---
 
 # Zero Trust and Windows device health
-Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps address today's complex environments.
+Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments.
 
 The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
 
@@ -27,12 +27,12 @@ The Zero Trust concept of **verify explicitly** applies to the risks introduced
 
 [Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources. 
 
-Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling.
+Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling.
 
 Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
 
 ## Device health attestation on Windows
- Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines:
+ Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines:
 
 - If the device can be trusted
 - If the operating system booted correctly
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 0e145097a8..b3ff701a34 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -24,6 +24,8 @@
       href: whats-new-windows-10-version-21H1.md
     - name: What's new in Windows 10, version 20H2
       href: whats-new-windows-10-version-20H2.md
+- name: Windows commercial licensing overview
+  href: windows-licensing.md
 - name: Deprecated and removed Windows features
   expanded: false
   items:
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index c988c8ebb4..f11b6dbc0c 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -32,6 +32,8 @@ landingContent:
             url: windows-11-plan.md
           - text: Prepare for Windows 11
             url: windows-11-prepare.md
+          - text: Windows commercial licensing overview
+            url: windows-licensing.md
 
   - title: Windows 10
     linkLists:
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
new file mode 100644
index 0000000000..212d022557
--- /dev/null
+++ b/windows/whats-new/windows-licensing.md
@@ -0,0 +1,212 @@
+---
+title: Windows commercial licensing overview
+description: Learn about products and use rights available through Windows commercial licensing.
+ms.prod: windows-client
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.collection:
+- tier2
+ms.topic: conceptual
+ms.date: 05/04/2023
+appliesto:
+- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+ms.technology: itpro-security
+---
+
+# Windows Commercial Licensing overview
+
+This document provides an overview of the products and use rights available through Microsoft Commercial Licensing, information about the products that are eligible for upgrades, and the key choices you have for using Windows in your organization.
+
+> [!NOTE]
+> The content of this article doesn't replace or override other licensing documentation, such as the Windows 11 End User License Agreement or [Commercial Licensing Product Terms][EXT-4].
+
+## Windows 11 editions
+
+The following table lists the editions of Windows 11 available through each Microsoft distribution channel:
+
+| Full Packaged Product (Retail) | Preinstalled on device (OEM)|Commercial Licensing|
+|-|-|-|
+|Windows 11 Home<br>Windows 11 Pro|Windows 11 Home<br>Windows 11 Pro|Windows 11 Pro<br>Windows 11 Enterprise <br>Windows 11 Enterprise LTSC|
+
+## Windows desktop offerings available through Commercial Licensing
+
+The following offerings are available for purchase through [Microsoft Commercial Licensing][EXT-5]:
+
+|Product|Description|Availability|
+|-|-|-|
+|Windows 11 Pro Upgrade |Windows 11 Pro is designed for small and medium businesses. Windows 11 Pro enables organizations to manage devices and apps, protect their data, facilitate remote and mobile scenarios, while taking advantage of the cloud technologies that support their business. Windows 11 Pro devices are a good choice for organizations that support *choose your own device (CYOD)* programs and *prosumer* customers. | The Windows 11 Pro Upgrade in Commercial Licensing upgrades a device from a previous version of Windows Pro.|
+|Windows 11 Enterprise E3|Windows 11 Enterprise E3 is intended for large and medium-sized organizations. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights. Examples include advanced identity protection, the broadest range of options for operating system deployment, update control, and device management. |Windows 11 Enterprise E3 is available **per-user** in Commercial Licensing programs. It requires Windows Pro as qualifying operating systems.|
+|Windows 11 Enterprise E5|Windows 11 Enterprise E5 is for organizations that want to take advantage of everything in Windows 11 Enterprise E3 with the addition of **Microsoft Defender for Endpoint Plan 2**, a service that helps enterprises detect, investigate, and respond to advanced cybersecurity attacks on their endpoints and networks.| Windows 11 Enterprise E5 is available **per-user** in Commercial Licensing programs. It requires Windows Pro as qualifying operating systems.|
+|Windows 10 Enterprise LTSC |Windows 10 Enterprise LTSC is designed for devices that have strict change-management policies with only security and critical bug fixes. By using a Long-Term Servicing Channel edition, you can apply monthly Windows 10 security updates for specialized devices while holding back new-feature updates for an extended period of time, up to five years. | Windows Enterprise LTSC is available in the **per-user** and **per-device** model, depending on the Volume Licensing program through which it's acquired.|
+|Windows Virtual Desktop Access (VDA) Subscription License|The Windows VDA subscription license provides the right to access virtual Windows desktop environments from devices that aren't covered by a Commercial Licensing offer that includes VDA rights, such as thin clients. |Windows VDA is available on a **per-device** and **per-user** basis.|
+
+## Windows 11 Pro Upgrade license
+
+Windows 11 Pro is designed for small and medium businesses. Windows 11 Pro enables you to manage your devices and apps, protect your business data, facilitate remote and mobile scenarios, and take advantage of the cloud technologies for your organization.
+
+The Windows 11 Pro Upgrade license is recommended if you want to:
+
+- Upgrade a Windows 10 Pro device to Windows 11 Pro
+- Upgrade Windows 7/8/8.1 Pro devices to Windows 10 Pro  
+
+## Windows 11 Enterprise
+
+There are two core Windows 11 Enterprise offers: **Windows 11 Enterprise E3** and **Windows 11 Enterprise E5**. These offers can be purchased on a **per-user basis**, and are only available through **Commercial Licensing**, including the **Cloud Solution Provider** program.
+
+### Windows 11 Enterprise E3
+
+Windows 11 Enterprise E3 builds on Windows 11 Pro by adding more advanced features designed to address the needs of large and mid-size organizations. Examples include advanced protection against modern security threats, the broadest range of options for operating system deployment and update, and comprehensive device and app management.
+
+> [!NOTE]
+> Windows Enterprise E3 is a **per user subscription**, intended for organizations. It includes **Windows Enterprise edition** with cloud-powered capabilities and **subscription use rights**. Windows Enterprise E3 is usually licensed through Volume Licensing programs and is an upgrade from Windows Pro.
+
+#### Windows 11 Enterprise features
+
+The following table describes the unique Windows Enterprise edition features:
+
+| OS-based feature | Description |
+|-|-|
+|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
+|**[Managed Microsoft Defender Application Guard for Microsoft Edge][EDGE-1]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.|
+|**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. |  
+|**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.|
+|**[Direct Access][WINS-1]**|Connect remote users to the organization network without the need for traditional VPN connections.|
+|**[Always-On VPN device tunnel][WINS-2]**|Advanced security capabilities to restrict the type of traffic and which applications can use the VPN connection.|
+|**[Windows Experience customization][WIN-4]**|Settings to lock down the user experience of corporate desktops and Shell Launcher with Unified Write Filter for frontline workers devices or public kiosks.|
+
+#### Windows 11 Enterprise cloud-based capabilities
+
+The following table describes the unique Windows Enterprise cloud-based features:
+
+|Cloud-based feature | Description |
+|-|-|
+|**[Windows subscription activation][WIN-5]**|Enables you to *step-up* from **Windows Pro edition** to **Enterprise edition**. You can eliminate license key management and the deployment of Enterprise edition images.|
+|**[Windows Autopatch][WIN-6]**|Cloud service that puts Microsoft in control of automating updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.|
+|**[Windows Update For Business deployment service][WIN-7]**|This cloud service gives you the control over the approval, scheduling, and safeguarding of quality, feature upgrades, and driver updates delivered from Windows Update.|
+|**[Universal Print][UP-1]**|Removes the need for on-premises print servers and enables any endpoint to print to cloud registered printers.|
+|**[Microsoft Connected Cache][WIN-8]**|A software solution that caches app and OS updates on the local network to save Internet bandwidth in locations with limited connectivity.|
+|**[Endpoint analytics proactive remediation][MEM-1]**|Helps you fix common support issues before end-users notice them.|
+|**[Organizational messages][MEM-2]**|Keeps employees informed with organizational messages directly inserted in Windows UI surfaces.|
+
+#### Windows 11 Enterprise licensing use rights
+
+The following table describes the Windows Enterprise licensing use rights:
+
+|Licensing use rights|Description|
+|-|-|
+|**[Five Windows instances per licensed user][EXT-1]**|Allows your employees to simultaneously use a Windows laptop, a cloud PC and a specialized device with Windows LTSC, and more.|
+|**[36 months (3 years) support on annual feature releases][WIN-9]**|Get extra time to deploy feature releases.|
+|**[Azure Virtual Desktop, Windows 365 Enterprise and Virtual Desktop Access][AZ-1]**|Empower flexible work styles and smarter work with the included virtualization access rights. Includes FSLogix for a consistent experience of
+Windows user profiles in virtual desktop environments.|
+|**[Windows release health in the Microsoft 365 admin center][EXT-2]**|Gives you essential information about monthly quality and feature updates in the Microsoft 365 admin center.|
+|**[Windows feature update device readiness report][MEM-3]**|Provides per-device information about compatibility risks that are associated with an upgrade or update to a chosen version of Windows.|
+|**[Windows feature update compatibility risks reports][MEM-3]**|Provides a summary view of the top compatibility risks, so you understand which compatibility risks impact the greatest number of devices in your organization.|
+|**[Windows LTSC Enterprise][WIN-10]**|Intended for highly specialized devices that require limited changes due to regulations and certification|
+|**[Microsoft Desktop Optimization Pack (MDOP) ][MDOP-1]**|Help improve compatibility and management, reduce support costs, improve asset management, and improve policy control.|
+
+Learn more about [Windows 11 Enterprise E3][EXT-3].
+
+### Windows 11 Enterprise E5
+
+Windows 11 Enterprise E5 is for organizations that want to take advantage of everything in Windows 11 Enterprise E3 with the addition of **Microsoft Defender for Endpoint Plan 2**, a cloud service that helps enterprises detect, investigate, and respond to advanced cybersecurity attacks on their endpoints and networks.
+
+Building on the existing security defenses in Windows 11, Microsoft Defender for Device provides a post-breach layer of protection to the Windows 11 security stack. With a combination of client technology built into Windows 11 and a robust cloud service, it can help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations.
+
+> [!NOTE]
+> Windows 11 Enterprise E5 is available per user in Commercial Licensing programs.
+
+### Windows Enterprise E3 in Microsoft 365 F3
+
+Windows Enterprise E3 subscription license in Microsoft 365 F3 has all the OS features, and most of the cloud services and use rights, included with regular Windows Enterprise E3.
+Windows Enterprise E3 in Microsoft 365 F3 does not include some use rights previously included in Software Assurance benefits that come with the regular E3 user subscription license. F3 does not come with:
+
+- Microsoft Desktop Optimization Pack (MDOP)
+- Windows LTSC Enterprise
+- Windows Autopatch
+
+## Use a Windows Pro device with the Windows Enterprise user subscription license
+
+In most cases, the Windows Pro edition comes pre-installed on a business-class device. Microsoft recommends upgrading your Windows Pro devices to Enterprise edition when you have acquired a user subscription licenses for Windows. However, there are cases that require to keep devices on the Pro edition and not upgrade them to Enterprise edition. With Windows 11 Enterprise E3, you can take advantage of features, services and use rights not licensed to the Windows Pro license bound to the device. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights, and these capabilities are not always technically enforced. Some scenarios that may require to not upgrade to Windows Enterprise edition:
+
+- Devices not properly provisioned that don't automatically upgrade to Windows Enterprise edition
+- Devices may have been acquired for a business process that was not under control of a central IT department or outside of the IT department's knowledge
+- Devices may be used temporarily for a project by vendors and added to the IT infrastructure, but not upgraded to Enterprise edition
+- A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers
+- A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only
+
+In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios.
+
+The following table lists the Windows 11 Enterprise features and their Windows edition requirements:
+
+| OS-based feature |Windows Pro|Windows Enterprise|
+|-|-|-|
+|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][EDGE-1]**|Yes|Yes|
+|**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
+|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|
+|**[Direct Access][WINS-1]**|Yes|Yes|
+|**[Always On VPN][WINS-2]**|Yes|Yes|
+|**[Windows Experience customization][WIN-4]**|❌|Yes|
+
+The following table lists the Windows 11 Enterprise cloud-based features and their Windows edition requirements:
+
+| Cloud-based feature |Windows Pro|Windows Enterprise|
+|-|-|-|
+|**[Windows subscription activation][WIN-5]**|Yes|Yes|
+|**[Windows Autopatch][WIN-6]**|Yes|Yes|
+|**[Windows Update For Business deployment service][WIN-7]**|Yes|Yes|
+|**[Universal Print][UP-1]**|Yes|Yes|
+|**[Microsoft Connected Cache][WIN-8]**|Yes|Yes|
+|**[Endpoint analytics proactive remediation][MEM-1]**|Yes|Yes|
+|**[Organizational messages][MEM-2]**|❌|Yes|
+
+The following table lists the Windows 11 Enterprise E3 licensing use rights and their Windows edition requirements:
+
+|Licensing use rights|Windows Pro|Windows Enterprise|
+|-|-|-|
+|**[Five Windows instances per licensed user][EXT-1]**|n/a|n/a|
+|**[36 months (3 years) support on annual feature releases][WIN-9]**|❌|Yes|
+|**[Azure Virtual Desktop, Windows 365 Enterprise and Virtual Desktop Access][AZ-1]**|n/a|n/a|
+|**[Windows release health in the Microsoft 365 admin center][EXT-2]**|n/a|n/a|
+|**[Windows feature update device readiness report][MEM-3]**|Yes|Yes|
+|**[Windows feature update compatibility risks reports][MEM-3]**|Yes|Yes|
+|**[Windows LTSC Enterprise][WIN-10]**|n/a|n/a|
+|**[Microsoft Desktop Optimization Pack (MDOP)][MDOP-1]**|Yes|Yes|
+
+## Next steps
+
+To learn more about Windows 11 Enterprise E3 and E5 licensing, download the [Windows 11 licensing guide][EXT-6]. The guide provides additional information to complement the information in this article, including:
+
+- Description of qualifying operating systems
+- Availability of Windows desktop operating system products in licensing programs
+- Deciding between per-device and per-user licensing
+- Windows 11 downgrade rights
+- Volume license activation methods
+- How to acquire licenses through Commercial Licensing
+
+[AZ-1]: /azure/virtual-desktop/prerequisites#operating-systems-and-licenses
+[EDGE-1]: /deployedge/microsoft-edge-security-windows-defender-application-guard
+[EXT-1]: https://www.microsoft.com/licensing/terms/productoffering/WindowsDesktopOperatingSystem/EAEAS
+[EXT-2]: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-release-health-now-available-in-the-microsoft-365-admin/ba-p/2235908
+[EXT-3]: https://windows.com/enterprise
+[EXT-4]: https://www.microsoft.com/licensing/product-licensing/products.aspx
+[EXT-5]: https://www.microsoft.com/licensing
+[EXT-6]: https://aka.ms/WindowsLicensingGuide
+[MDOP-1]: /microsoft-desktop-optimization-pack
+[MEM-1]: /mem/analytics/proactive-remediations
+[MEM-2]: /mem/intune/remote-actions/organizational-messages-overview
+[MEM-3]: /mem/intune/protect/windows-update-compatibility-reports
+[UP-1]: /universal-print/
+[WIN-1]: /windows/security/identity-protection/credential-guard/credential-guard
+[WIN-2]: /windows/security/information-protection/bitlocker/bitlocker-overview
+[WIN-3]: /windows/security/information-protection/personal-data-encryption/overview-pde
+[WIN-4]: /windows/client-management/mdm/policy-csp-experience
+[WIN-5]: /windows/deployment/windows-10-subscription-activation
+[WIN-6]: /windows/deployment/windows-autopatch
+[WIN-7]: /windows/deployment/update/deployment-service-overview
+[WIN-8]: /windows/deployment/do/waas-microsoft-connected-cache
+[WIN-9]: /windows/release-health/supported-versions-windows-client#enterprise-and-iot-enterprise-ltsbltsc-editions
+[WIN-10]: /windows/whats-new/ltsc/
+[WINS-1]: /windows-server/remote/remote-access/directaccess/directaccess
+[WINS-2]: /windows-server/remote/remote-access/vpn/always-on-vpn/