Merge branch 'main' into vp-csp-tuning

2025-05-12 21:37:22 +00:00 · 2023-05-15 11:16:45 -04:00 · 2023-05-15 11:16:45 -04:00 · ae35aaab68
commit ae35aaab68
parent 934bc148aa fabbbda6ea
138 changed files with 2735 additions and 576 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -20809,6 +20809,11 @@
      "source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
      "redirect_url": "/microsoft-store",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/information-protection/index.md",
      "redirect_url": "/windows/security/encryption-data-protection",
      "redirect_document_id": false
    }
  ]
 }
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
-ms.date: 04/11/2023
+ms.date: 04/24/2023
 ms.topic: how-to
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -53,9 +53,11 @@ To use federated sign-in, the devices must have Internet access. This feature wo
 > - provisioning packages (PPKG)
 > - Windows Autopilot self-deploying mode
-### System requirements
+[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)]
-Federated sign-in is supported on the following Windows SKUs and versions:
+## System requirements
 Federated sign-in is supported on the following Windows editions and versions:
 - Windows 11 SE, version 22H2 and later
 - Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
--- a/includes/intune/intune-custom-settings-1.md
+++ b/includes/intune/intune-custom-settings-1.md
@ -0,0 +1,13 @@
 ---
 ms.date: 02/22/2022
 ms.topic: include
 ---
 To configure devices with Microsoft Intune, use a custom policy:
 1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
 2. Select **Devices > Configuration profiles > Create profile**
 3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
 4. Select **Create**
 5. Specify a **Name** and, optionally, a **Description > Next**
 6. Add the following settings:
--- a/includes/intune/intune-custom-settings-2.md
+++ b/includes/intune/intune-custom-settings-2.md
@ -0,0 +1,9 @@
 ---
 ms.date: 11/08/2022
 ms.topic: include
 ---
 7. Select **Next**
 8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
 9. Under **Applicability Rules**, select **Next**
 10. Review the policy configuration and select **Create**
--- a/includes/intune/intune-custom-settings-info.md
+++ b/includes/intune/intune-custom-settings-info.md
@ -0,0 +1,6 @@
 ---
 ms.date: 11/08/2022
 ms.topic: include
 ---
 For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@ -0,0 +1,79 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 | Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
 |:---|:---:|:---:|:---:|:---:|
 |**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
 |**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes|
 |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
 |**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
 |**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
 |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
 |**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
 |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|
 |**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
 |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes|
 |**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
 |**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
 |**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|
 |**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|
 |**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
 |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
 |**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
 |**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|
 |**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/deployedge/microsoft-edge-security-windows-defender-application-guard)**|❌|Yes|❌|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
 |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
 |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
 |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
 |**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
 |**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|
 |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|
 |**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
 |**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
 |**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes|
 |**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|
 |**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
 |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|
 |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|
 |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
 |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
 |**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
 |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
 |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
 |**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
 |**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@ -0,0 +1,79 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 |Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---|:---:|:---:|:---:|:---:|:---:|
 |**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
 |**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes|
 |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
 |**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
 |**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
 |**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
 |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes|
 |**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
 |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes|
 |**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
 |**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
 |**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|Yes|
 |**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
 |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
 |**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
 |**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes|
 |**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/deployedge/microsoft-edge-security-windows-defender-application-guard)**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
 |**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
 |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
 |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
 |**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes|
 |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes|
 |**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
 |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes|
 |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
 |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
 |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
--- a/includes/licensing/access-control-aclsscals.md
+++ b/includes/licensing/access-control-aclsscals.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Access Control (ACLs/SCALS):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Access Control (ACLs/SCALS) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/account-lockout-policy.md
+++ b/includes/licensing/account-lockout-policy.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Account Lockout Policy:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Account Lockout Policy license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/always-on-vpn-device-tunnel.md
+++ b/includes/licensing/always-on-vpn-device-tunnel.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Always On VPN (device tunnel):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Always On VPN (device tunnel) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/assigned-access-kiosk-mode.md
+++ b/includes/licensing/assigned-access-kiosk-mode.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Assigned Access (kiosk mode):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Assigned Access (kiosk mode) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/attack-surface-reduction-asr.md
+++ b/includes/licensing/attack-surface-reduction-asr.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Attack surface reduction (ASR):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Attack surface reduction (ASR) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
+++ b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/bitlocker.md
+++ b/includes/licensing/bitlocker.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support BitLocker:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 BitLocker license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/bluetooth-pairing-and-connection-protection.md
+++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Bluetooth pairing and connection protection:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Bluetooth pairing and connection protection license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/common-criteria-certifications.md
+++ b/includes/licensing/common-criteria-certifications.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Common Criteria certifications:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Common Criteria certifications license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/controlled-folder-access.md
+++ b/includes/licensing/controlled-folder-access.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Controlled folder access:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Controlled folder access license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/device-health-attestation-service.md
+++ b/includes/licensing/device-health-attestation-service.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Device health attestation service:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Device health attestation service license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/direct-access.md
+++ b/includes/licensing/direct-access.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Direct Access:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Direct Access license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/email-encryption-smime.md
+++ b/includes/licensing/email-encryption-smime.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Email Encryption (S/MIME):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Email Encryption (S/MIME) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/encrypted-hard-drive.md
+++ b/includes/licensing/encrypted-hard-drive.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Encrypted hard drive:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Encrypted hard drive license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
+++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Enhanced phishing protection with SmartScreen:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Enhanced phishing protection with SmartScreen license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/exploit-protection.md
+++ b/includes/licensing/exploit-protection.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Exploit protection:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Exploit protection license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/fast-identity-online-fido2-security-key.md
+++ b/includes/licensing/fast-identity-online-fido2-security-key.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Fast Identity Online (FIDO2) security key:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Fast Identity Online (FIDO2) security key license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/federal-information-processing-standard-fips-140-validation.md
+++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Federal Information Processing Standard (FIPS) 140 validation:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Federal Information Processing Standard (FIPS) 140 validation license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/federated-sign-in.md
+++ b/includes/licensing/federated-sign-in.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Federated sign-in:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|No|Yes|Yes|
 Federated sign-in license entitlements are granted by the following licenses:
 |Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|No|No|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/hardware-enforced-stack-protection.md
+++ b/includes/licensing/hardware-enforced-stack-protection.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Hardware-enforced stack protection:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Hardware-enforced stack protection license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/hypervisor-protected-code-integrity-hvci.md
+++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Hypervisor-protected Code Integrity (HVCI):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Hypervisor-protected Code Integrity (HVCI) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/kernel-direct-memory-access-dma-protection.md
+++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Kernel Direct Memory Access (DMA) protection:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Kernel Direct Memory Access (DMA) protection license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/local-security-authority-lsa-protection.md
+++ b/includes/licensing/local-security-authority-lsa-protection.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Local Security Authority (LSA) Protection:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Local Security Authority (LSA) Protection license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md
+++ b/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Manage by Mobile Device Management (MDM) and group policy:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Manage by Mobile Device Management (MDM) and group policy license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/measured-boot.md
+++ b/includes/licensing/measured-boot.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Measured boot:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Measured boot license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-defender-antivirus.md
+++ b/includes/licensing/microsoft-defender-antivirus.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Defender Antivirus:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Microsoft Defender Antivirus license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) configure via MDM:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Microsoft Defender Application Guard (MDAG) configure via MDM license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge standalone mode:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Microsoft Defender Application Guard (MDAG) for Edge standalone mode license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Microsoft Office:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Microsoft Defender Application Guard (MDAG) for Microsoft Office license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|No|No|No|No|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) public APIs:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Microsoft Defender Application Guard (MDAG) public APIs license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-defender-for-endpoint.md
+++ b/includes/licensing/microsoft-defender-for-endpoint.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Defender for Endpoint:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Microsoft Defender for Endpoint license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|No|Yes|No|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-defender-smartscreen.md
+++ b/includes/licensing/microsoft-defender-smartscreen.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Defender SmartScreen:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Microsoft Defender SmartScreen license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-pluton-security-processor.md
+++ b/includes/licensing/microsoft-pluton-security-processor.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Pluton security processor:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Microsoft Pluton security processor license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/microsoft-vulnerable-driver-blocklist.md
+++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Microsoft Vulnerable Driver Blocklist:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Microsoft Vulnerable Driver Blocklist license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/opportunistic-wireless-encryption-owe.md
+++ b/includes/licensing/opportunistic-wireless-encryption-owe.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Opportunistic Wireless Encryption (OWE):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Opportunistic Wireless Encryption (OWE) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/personal-data-encryption-pde.md
+++ b/includes/licensing/personal-data-encryption-pde.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Personal data encryption (PDE):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Personal data encryption (PDE) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/privacy-resource-usage.md
+++ b/includes/licensing/privacy-resource-usage.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Privacy Resource Usage:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Privacy Resource Usage license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/privacy-transparency-and-controls.md
+++ b/includes/licensing/privacy-transparency-and-controls.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Privacy Transparency and Controls:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Privacy Transparency and Controls license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/remote-wipe.md
+++ b/includes/licensing/remote-wipe.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Remote wipe:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Remote wipe license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/secure-boot-and-trusted-boot.md
+++ b/includes/licensing/secure-boot-and-trusted-boot.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Secure Boot and Trusted Boot:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Secure Boot and Trusted Boot license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/secured-core-configuration-lock.md
+++ b/includes/licensing/secured-core-configuration-lock.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Secured-core configuration lock:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Secured-core configuration lock license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/secured-core-pc.md
+++ b/includes/licensing/secured-core-pc.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Secured-core PC:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Secured-core PC license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/security-baselines.md
+++ b/includes/licensing/security-baselines.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Security baselines:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Security baselines license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/server-message-block-direct-smb-direct.md
+++ b/includes/licensing/server-message-block-direct-smb-direct.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Server Message Block Direct (SMB Direct):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Server Message Block Direct (SMB Direct) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/server-message-block-smb-file-service.md
+++ b/includes/licensing/server-message-block-smb-file-service.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Server Message Block (SMB) file service:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Server Message Block (SMB) file service license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/smart-app-control.md
+++ b/includes/licensing/smart-app-control.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Smart App Control:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Smart App Control license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/smart-cards-for-windows-service.md
+++ b/includes/licensing/smart-cards-for-windows-service.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Smart Cards for Windows Service:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Smart Cards for Windows Service license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/tamper-protection-settings-for-mde.md
+++ b/includes/licensing/tamper-protection-settings-for-mde.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Tamper protection settings for MDE:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Tamper protection settings for MDE license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/transport-layer-security-tls.md
+++ b/includes/licensing/transport-layer-security-tls.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Transport layer security (TLS):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Transport layer security (TLS) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/trusted-platform-module-tpm-20.md
+++ b/includes/licensing/trusted-platform-module-tpm-20.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Trusted Platform Module (TPM) 2.0:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Trusted Platform Module (TPM) 2.0 license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/universal-print.md
+++ b/includes/licensing/universal-print.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Universal Print:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Universal Print license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/user-account-control-uac.md
+++ b/includes/licensing/user-account-control-uac.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support User Account Control (UAC):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 User Account Control (UAC) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/virtual-private-network-vpn.md
+++ b/includes/licensing/virtual-private-network-vpn.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Virtual Private Network (VPN):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Virtual Private Network (VPN) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/virtualization-based-security-vbs.md
+++ b/includes/licensing/virtualization-based-security-vbs.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Virtualization-based security (VBS):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Virtualization-based security (VBS) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/wifi-security.md
+++ b/includes/licensing/wifi-security.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support WiFi Security:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 WiFi Security license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-autopatch.md
+++ b/includes/licensing/windows-autopatch.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Autopatch:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Windows Autopatch license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|No|No|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-autopilot.md
+++ b/includes/licensing/windows-autopilot.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Autopilot:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Autopilot license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-containers.md
+++ b/includes/licensing/windows-containers.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows containers:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows containers license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-defender-application-control-wdac.md
+++ b/includes/licensing/windows-defender-application-control-wdac.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Defender Application Control (WDAC):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-defender-credential-guard.md
+++ b/includes/licensing/windows-defender-credential-guard.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Defender Credential Guard:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 Windows Defender Credential Guard license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |No|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-defender-remote-credential-guard.md
+++ b/includes/licensing/windows-defender-remote-credential-guard.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Defender Remote Credential Guard:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Defender Remote Credential Guard license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-defender-system-guard.md
+++ b/includes/licensing/windows-defender-system-guard.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Defender System Guard:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Defender System Guard license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-firewall.md
+++ b/includes/licensing/windows-firewall.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Firewall:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Firewall license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
+++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Hello for Business Enhanced Security Sign-in (ESS):
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Hello for Business Enhanced Security Sign-in (ESS) license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-hello-for-business.md
+++ b/includes/licensing/windows-hello-for-business.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Hello for Business:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Hello for Business license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-laps.md
+++ b/includes/licensing/windows-laps.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows LAPS:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows LAPS license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-presence-sensing.md
+++ b/includes/licensing/windows-presence-sensing.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows presence sensing:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows presence sensing license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-sandbox.md
+++ b/includes/licensing/windows-sandbox.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Sandbox:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Sandbox license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/includes/licensing/windows-security-policy-settings-and-auditing.md
+++ b/includes/licensing/windows-security-policy-settings-and-auditing.md
@ -0,0 +1,22 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
 ms.date: 05/04/2023
 ms.topic: include
 ---
 ## Windows edition and licensing requirements
 The following table lists the Windows editions that support Windows Security policy settings and auditing:
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 Windows Security policy settings and auditing license entitlements are granted by the following licenses:
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|Yes|
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@ -26,11 +26,9 @@ To summarize, config lock:
 ## Configuration Flow
-After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
+After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
-## System Requirements
+[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)]
 Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
 ## Enabling config lock using Microsoft Intune
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@ -56,6 +56,8 @@ For more information about the MDM policies defined in the MDM security baseline
 For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
 [!INCLUDE [manage-by-mobile-device-management-mdm-and-group-policy](../../includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md)]
 ## Frequently Asked Questions
 ### Can there be more than one MDM server to enroll and manage devices in Windows?
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@ -19,6 +19,8 @@ ms.topic: reference
 <!-- RemoteWipe-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. Enterprise IT Professionals can update these settings by using the Exchange Server.
 [!INCLUDE [remote-wipe](../../../includes/licensing/remote-wipe.md)]
 <!-- RemoteWipe-Editable-End -->
 <!-- RemoteWipe-Tree-Begin -->
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@ -19,6 +19,8 @@ ms.topic: reference
 <!-- WindowsDefenderApplicationGuard-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
 [!INCLUDE [microsoft-defender-application-guard-mdag-configure-via-mdm](../../../includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md)]
 <!-- WindowsDefenderApplicationGuard-Editable-End -->
 <!-- WindowsDefenderApplicationGuard-Tree-Begin -->
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@ -71,6 +71,8 @@ There are several kiosk configuration methods that you can choose from, dependin
 >[!IMPORTANT]
 >Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
 [!INCLUDE [assigned-access-kiosk-mode](../../includes/licensing/assigned-access-kiosk-mode.md)]
 ## Methods for a single-app kiosk running a UWP app
 You can use this method | For this edition | For this kiosk account type 
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@ -8,13 +8,13 @@ ms.author: mstewart
 manager: aaroncz
 ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.date: 05/12/2023
 ---
 # Enforcing compliance deadlines for updates
 **Applies to**
- Windows 10
+- Windows 10
 - Windows 11
 Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
@ -43,3 +43,6 @@ When **Specify deadlines for automatic updates and restarts** is set (Windows 10
 For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) 
 For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours.
 > [!NOTE]
 > When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@ -1,7 +1,7 @@
 ---
 title: Manage Windows Autopatch groups
 description: This article explains how to manage Autopatch groups
-ms.date: 05/05/2023
+ms.date: 05/11/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -219,3 +219,12 @@ The Windows Autopatch team is currently developing the Autopatch group Azure AD
 > - Modern Workplace Devices-Windows Autopatch-Broad
 > 
 > Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups).
 ### Rename an Autopatch group 
 - **Status: Active**
 You can't rename an Autopatch group yet. The Autopatch group name is appended to all deployment ring names in the Autopatch group. Windows Autopatch is currently developing the rename feature.
 > [!IMPORTANT]
 > During the public preview, if you try to rename either the [Update rings](/mem/intune/protect/windows-10-update-rings) or [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies directly in the Microsoft Intune end-user experience, the policy names are reverted back to the name defined by the Autopatch group end-user experience interface.
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@ -1,450 +1,28 @@
 - name: Windows security
  href: index.yml
 - name: Zero Trust and Windows
  href: zero-trust-windows-device-health.md
  expanded: true
 - name: Introduction
  items:
  - name: Windows security overview
    href: introduction/index.md
  - name: Zero Trust and Windows
    href: zero-trust-windows-device-health.md
  - name: Security features and edition requirements
    href: introduction/security-features-edition-requirements.md
  - name: Security features and licensing requirements
    href: introduction/security-features-licensing-requirements.md
 - name: Hardware security
-  items:
+  href: hardware-security/toc.yml
    - name: Overview
      href: hardware.md
    - name: Microsoft Pluton security processor
      items:
        - name: Microsoft Pluton overview
          href: information-protection/pluton/microsoft-pluton-security-processor.md
        - name: Microsoft Pluton as TPM
          href: information-protection/pluton/pluton-as-tpm.md
    - name: Trusted Platform Module
      href: information-protection/tpm/trusted-platform-module-top-node.md
      items:
        - name: Trusted Platform Module overview
          href: information-protection/tpm/trusted-platform-module-overview.md
        - name: TPM fundamentals
          href: information-protection/tpm/tpm-fundamentals.md
        - name: How Windows uses the TPM
          href: information-protection/tpm/how-windows-uses-the-tpm.md
        - name: Manage TPM commands
          href: information-protection/tpm/manage-tpm-commands.md
        - name: Manager TPM Lockout
          href: information-protection/tpm/manage-tpm-lockout.md
        - name: Change the TPM password
          href: information-protection/tpm/change-the-tpm-owner-password.md
        - name: TPM Group Policy settings
          href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
        - name: Back up the TPM recovery information to AD DS
          href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
        - name: View status, clear, or troubleshoot the TPM
          href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
        - name: Understanding PCR banks on TPM 2.0 devices
          href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
        - name: TPM recommendations
          href: information-protection/tpm/tpm-recommendations.md
    - name: Hardware-based root of trust
      href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
    - name: System Guard Secure Launch and SMM protection
      href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
    - name: Enable virtualization-based protection of code integrity
      href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
    - name: Kernel DMA Protection
      href: information-protection/kernel-dma-protection-for-thunderbolt.md
    - name: Windows secured-core devices
      href: /windows-hardware/design/device-experiences/oem-highly-secure
 - name: Operating system security
-  items:
+  href: operating-system-security/toc.yml
    - name: Overview
      href: operating-system.md
    - name: System security
      items:
      - name: Secure the Windows boot process
        href: information-protection/secure-the-windows-10-boot-process.md
      - name: Trusted Boot
        href: trusted-boot.md
      - name: Cryptography and certificate management
        href: cryptography-certificate-mgmt.md
      - name: The Windows Security app
        href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
        items:
        - name: Virus & threat protection
          href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
        - name: Account protection
          href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
        - name: Firewall & network protection
          href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
        - name: App & browser control
          href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
        - name: Device security
          href: threat-protection\windows-defender-security-center\wdsc-device-security.md
        - name: Device performance & health
          href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
        - name: Family options
          href: threat-protection\windows-defender-security-center\wdsc-family-options.md
      - name: Security policy settings
        href: threat-protection/security-policy-settings/security-policy-settings.md
      - name: Security auditing
        href: threat-protection/auditing/security-auditing-overview.md
    - name: Encryption and data protection
      href: encryption-data-protection.md
      items:
      - name: Encrypted Hard Drive
        href: information-protection/encrypted-hard-drive.md
      - name: BitLocker
        href: information-protection/bitlocker/bitlocker-overview.md
        items:
        - name: Overview of BitLocker Device Encryption in Windows
          href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
        - name: BitLocker frequently asked questions (FAQ)
          href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
          items:
            - name: Overview and requirements
              href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
            - name: Upgrading
              href: information-protection/bitlocker/bitlocker-upgrading-faq.yml
            - name: Deployment and administration
              href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
            - name: Key management
              href: information-protection/bitlocker/bitlocker-key-management-faq.yml
            - name: BitLocker To Go
              href: information-protection/bitlocker/bitlocker-to-go-faq.yml
            - name: Active Directory Domain Services
              href: information-protection/bitlocker/bitlocker-and-adds-faq.yml
            - name: Security
              href: information-protection/bitlocker/bitlocker-security-faq.yml
            - name: BitLocker Network Unlock
              href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml
            - name: General
              href: information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
        - name: "Prepare your organization for BitLocker: Planning and policies"
          href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
        - name: BitLocker deployment comparison
          href: information-protection/bitlocker/bitlocker-deployment-comparison.md
        - name: BitLocker basic deployment
          href: information-protection/bitlocker/bitlocker-basic-deployment.md
        - name: Deploy BitLocker on Windows Server 2012 and later
          href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
        - name: BitLocker management for enterprises
          href: information-protection/bitlocker/bitlocker-management-for-enterprises.md
        - name: Enable Network Unlock with BitLocker
          href: information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
        - name: Use BitLocker Drive Encryption Tools to manage BitLocker
          href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
        - name: Use BitLocker Recovery Password Viewer
          href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
        - name: BitLocker Group Policy settings
          href: information-protection/bitlocker/bitlocker-group-policy-settings.md
        - name: BCD settings and BitLocker
          href: information-protection/bitlocker/bcd-settings-and-bitlocker.md
        - name: BitLocker Recovery Guide
          href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md
        - name: BitLocker Countermeasures
          href: information-protection/bitlocker/bitlocker-countermeasures.md
        - name: Protecting cluster shared volumes and storage area networks with BitLocker
          href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
        - name: Troubleshoot BitLocker
          items:
            - name: Troubleshoot BitLocker
              href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
            - name: "BitLocker cannot encrypt a drive: known issues"
              href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
            - name: "Enforcing BitLocker policies by using Intune: known issues"
              href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
            - name: "BitLocker Network Unlock: known issues"
              href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
            - name: "BitLocker recovery: known issues"
              href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
            - name: "BitLocker configuration: known issues"
              href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
            - name: Troubleshoot BitLocker and TPM issues
              items:
                - name: "BitLocker cannot encrypt a drive: known TPM issues"
                  href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
                - name: "BitLocker and TPM: other known issues"
                  href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
                - name: Decode Measured Boot logs to track PCR changes
                  href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
    - name: Personal Data Encryption (PDE)
      items:
      - name: Personal Data Encryption (PDE) overview
        href: information-protection/personal-data-encryption/overview-pde.md
      - name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
        href: information-protection/personal-data-encryption/faq-pde.yml
      - name: Configure Personal Data Encryption (PDE) in Intune
        items:
        - name: Configure Personal Data Encryption (PDE) in Intune
          href: information-protection/personal-data-encryption/configure-pde-in-intune.md
        - name: Enable Personal Data Encryption (PDE)
          href: information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
        - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
        - name: Disable kernel-mode crash dumps and live dumps for PDE
          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
        - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
        - name: Disable hibernation for PDE
          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
        - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
          href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
    - name: Configure S/MIME for Windows
      href: identity-protection/configure-s-mime.md
    - name: Network security
      items:
      - name: VPN technical guide
        href: identity-protection/vpn/vpn-guide.md
        items:
        - name: VPN connection types
          href: identity-protection/vpn/vpn-connection-type.md
        - name: VPN routing decisions
          href: identity-protection/vpn/vpn-routing.md
        - name: VPN authentication options
          href: identity-protection/vpn/vpn-authentication.md
        - name: VPN and conditional access
          href: identity-protection/vpn/vpn-conditional-access.md
        - name: VPN name resolution
          href: identity-protection/vpn/vpn-name-resolution.md
        - name: VPN auto-triggered profile options
          href: identity-protection/vpn/vpn-auto-trigger-profile.md
        - name: VPN security features
          href: identity-protection/vpn/vpn-security-features.md
        - name: VPN profile options
          href: identity-protection/vpn/vpn-profile-options.md
        - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
          href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
        - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
          href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
        - name: Optimizing Office 365 traffic with the Windows VPN client
          href: identity-protection/vpn/vpn-office-365-optimization.md
      - name: Windows Defender Firewall
        href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
    - name: Windows security baselines
      href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
      items:
      - name: Security Compliance Toolkit
        href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
      - name: Get support
        href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
      - name: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
        href: threat-protection/mbsa-removal-and-guidance.md
    - name: Virus & threat protection
      items:
      - name: Overview
        href: threat-protection/index.md
      - name: Microsoft Defender Antivirus
        href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
      - name: Attack surface reduction rules
        href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
      - name: Tamper protection
        href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
      - name: Network protection
        href: /microsoft-365/security/defender-endpoint/network-protection
      - name: Controlled folder access
        href: /microsoft-365/security/defender-endpoint/controlled-folders
      - name: Exploit protection
        href: /microsoft-365/security/defender-endpoint/exploit-protection
      - name: Microsoft Defender for Endpoint
        href: /microsoft-365/security/defender-endpoint
    - name: More Windows security
      items:
      - name: Override Process Mitigation Options to help enforce app-related security policies
        href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
      - name: Use Windows Event Forwarding to help with intrusion detection
        href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
      - name: Block untrusted fonts in an enterprise
        href: threat-protection/block-untrusted-fonts-in-enterprise.md
      - name: Windows Information Protection (WIP)
        href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
        items:
          - name: Create a WIP policy using Microsoft Intune
            href: information-protection/windows-information-protection/overview-create-wip-policy.md
            items:
            - name: Create a WIP policy in Microsoft Intune
              href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
              items:
                - name: Deploy your WIP policy in Microsoft Intune
                  href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
                - name: Associate and deploy a VPN policy for WIP in Microsoft Intune
                  href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
            - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
              href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
            - name: Determine the enterprise context of an app running in WIP
              href: information-protection/windows-information-protection/wip-app-enterprise-context.md
          - name: Create a WIP policy using Microsoft Configuration Manager
            href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
            items:
            - name: Create and deploy a WIP policy in Configuration Manager
              href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
            - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
              href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
            - name: Determine the enterprise context of an app running in WIP
              href: information-protection/windows-information-protection/wip-app-enterprise-context.md
          - name: Mandatory tasks and settings required to turn on WIP
            href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
          - name: Testing scenarios for WIP
            href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
          - name: Limitations while using WIP
            href: information-protection/windows-information-protection/limitations-with-wip.md
          - name: How to collect WIP audit event logs
            href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
          - name: General guidance and best practices for WIP
            href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
            items:
            - name: Enlightened apps for use with WIP
              href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
            - name: Unenlightened and enlightened app behavior while using WIP
              href: information-protection/windows-information-protection/app-behavior-with-wip.md
            - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP
              href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
            - name: Using Outlook Web Access with WIP
              href: information-protection/windows-information-protection/using-owa-with-wip.md
          - name: Fine-tune WIP Learning
            href: information-protection/windows-information-protection/wip-learning.md
          - name: Disable WIP
            href: information-protection/windows-information-protection/how-to-disable-wip.md
 - name: Application security
-  items:
+  href: application-security/toc.yml
-    - name: Overview
+- name: Identity protection
-      href: apps.md
+  href: identity-protection/toc.yml
-    - name: Windows Defender Application Control and virtualization-based protection of code integrity
+- name: Windows Privacy 🔗
-      href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+  href: /windows/privacy
    - name: Windows Defender Application Control
      href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
    - name: Microsoft Defender Application Guard
      href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
    - name: Windows Sandbox
      href: threat-protection/windows-sandbox/windows-sandbox-overview.md
      items:
        - name: Windows Sandbox architecture
          href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
        - name: Windows Sandbox configuration
          href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
    - name: Microsoft Defender SmartScreen overview
      href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
      items:
        - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
          href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
        - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
          href: threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-available-settings.md
    - name: Configure S/MIME for Windows
      href: identity-protection\configure-s-mime.md
    - name: Windows Credential Theft Mitigation Guide Abstract
      href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
 - name: User security and secured identity
  items:
    - name: Overview
      href: identity.md
    - name: Windows credential theft mitigation guide
      href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
    - name: Passwordless
      items:
      - name: Windows Hello for Business ⇒
        href: identity-protection/hello-for-business/index.yml
      - name: FIDO 2 security keys
        href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key?context=/windows/security/context/context
    - name: Local Administrator Password Solution (LAPS)
      href: /windows-server/identity/laps/laps-overview?context=/windows/security/context/context
    - name: Enterprise Certificate Pinning
      href: identity-protection/enterprise-certificate-pinning.md
    - name: Credential Guard
      items:
        - name: Protect derived domain credentials with Credential Guard
          href: identity-protection/credential-guard/credential-guard.md
        - name: How Credential Guard works
          href: identity-protection/credential-guard/credential-guard-how-it-works.md
        - name: Requirements
          href: identity-protection/credential-guard/credential-guard-requirements.md
        - name: Manage Credential Guard
          href: identity-protection/credential-guard/credential-guard-manage.md
        - name: Credential Guard protection limits
          href: identity-protection/credential-guard/credential-guard-protection-limits.md
        - name: Considerations when using Credential Guard
          href: identity-protection/credential-guard/credential-guard-considerations.md
        - name: Additional mitigations
          href: identity-protection/credential-guard/additional-mitigations.md
        - name: Known issues
          href: identity-protection/credential-guard/credential-guard-known-issues.md
    - name: Remote Credential Guard
      href: identity-protection/remote-credential-guard.md
    - name: Configuring LSA Protection
      href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
    - name: Technical support policy for lost or forgotten passwords
      href: identity-protection/password-support-policy.md
    - name: Access Control
      items:
        - name: Overview
          href: identity-protection/access-control/access-control.md
        - name: Local Accounts
          href: identity-protection/access-control/local-accounts.md
    - name: User Account Control (UAC)
      items:
        - name: Overview
          href: identity-protection/user-account-control/user-account-control-overview.md
        - name: How User Account Control works
          href: identity-protection/user-account-control/how-user-account-control-works.md
        - name: User Account Control security policy settings
          href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
        - name: User Account Control Group Policy and registry key settings
          href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
    - name: Smart Cards
      href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
      items:
        - name: How Smart Card Sign-in Works in Windows
          href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
          items:
            - name: Smart Card Architecture
              href: identity-protection/smart-cards/smart-card-architecture.md
            - name: Certificate Requirements and Enumeration
              href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
            - name: Smart Card and Remote Desktop Services
              href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
            - name: Smart Cards for Windows Service
              href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
            - name: Certificate Propagation Service
              href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md
            - name: Smart Card Removal Policy Service
              href: identity-protection/smart-cards/smart-card-removal-policy-service.md
        - name: Smart Card Tools and Settings
          href: identity-protection/smart-cards/smart-card-tools-and-settings.md
          items:
            - name: Smart Cards Debugging Information
              href: identity-protection/smart-cards/smart-card-debugging-information.md
            - name: Smart Card Group Policy and Registry Settings
              href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
            - name: Smart Card Events
              href: identity-protection/smart-cards/smart-card-events.md
        - name: Virtual smart cards
          href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
          items:
            - name: Understand and evaluate virtual smart cards
              href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
              items:
                - name: Get started with virtual smart cards
                  href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
                - name: Use virtual smart cards
                  href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
                - name: Deploy virtual smart cards
                  href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
                - name: Evaluate virtual smart card security
                  href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
            - name: Tpmvscmgr
              href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
 - name: Cloud services
  items:
    - name: Overview
      href: cloud.md
    - name: Mobile device management
      href: /windows/client-management/mdm/
    - name: Windows 365 Cloud PCs
      href: /windows-365/overview
    - name: Azure Virtual Desktop
      href: /azure/virtual-desktop/
 - name: Security foundations
-  items:
+  href: security-foundations/toc.yml
-    - name: Overview
+- name: Cloud security
-      href: security-foundations.md
+  href: cloud-security/toc.yml
    - name: Microsoft Security Development Lifecycle
      href: threat-protection/msft-security-dev-lifecycle.md
    - name: FIPS 140-2 Validation
      href: threat-protection/fips-140-validation.md
    - name: Common Criteria Certifications
      href: threat-protection/windows-platform-common-criteria.md
 - name: Windows Privacy
  href: /windows/privacy/windows-10-and-privacy-compliance
--- a/windows/security/application-security/application-control/toc.yml
+++ b/windows/security/application-security/application-control/toc.yml
@ -0,0 +1,17 @@
 items:
 - name: User Account Control (UAC)
  items:
  - name: Overview
    href: ../../identity-protection/user-account-control/user-account-control-overview.md
  - name: How User Account Control works
    href: ../../identity-protection/user-account-control/how-user-account-control-works.md
  - name: User Account Control security policy settings
    href: ../../identity-protection/user-account-control/user-account-control-security-policy-settings.md
  - name: User Account Control Group Policy and registry key settings
    href: ../../identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
 - name: Windows Defender Application Control and virtualization-based protection of code integrity
  href: ../../threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
 - name: Windows Defender Application Control
  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
 - name: Smart App Control
  href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
--- a/windows/security/application-security/application-isolation/toc.yml
+++ b/windows/security/application-security/application-isolation/toc.yml
@ -0,0 +1,20 @@
 items:
 - name: Microsoft Defender Application Guard (MDAG)
  href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
 - name: MDAG for Edge standalone mode
  href: ../../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
 - name: MDAG for Edge enterprise mode and enterprise management 🔗
  href: /deployedge/microsoft-edge-security-windows-defender-application-guard
 - name: MDAG for Microsoft Office
  href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
 - name: MDAG configure via MDM 🔗
  href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
 - name: Windows containers 🔗
  href: /virtualization/windowscontainers/about
 - name: Windows Sandbox
  href: ../../threat-protection/windows-sandbox/windows-sandbox-overview.md
  items:
  - name: Windows Sandbox architecture
    href: ../../threat-protection/windows-sandbox/windows-sandbox-architecture.md
  - name: Windows Sandbox configuration
    href: ../../threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
--- a/windows/security/application-security/toc.yml
+++ b/windows/security/application-security/toc.yml
@ -0,0 +1,8 @@
 items:
 - name: Overview
  href: ../apps.md
 - name: Application Control
  href: application-control/toc.yml
 - name: Application Isolation
  href: application-isolation/toc.yml
--- a/windows/security/cloud-security/toc.yml
+++ b/windows/security/cloud-security/toc.yml
@ -0,0 +1,18 @@
 items:
 - name: Overview
  href: ../cloud.md
 - name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗
  href: /azure/active-directory/devices/concept-azure-ad-join
 - name: Security baselines with Intune 🔗
  href: /mem/intune/protect/security-baselines
 - name: Remote wipe (Autopilot reset) 🔗
  href: /windows/client-management/mdm/remotewipe-csp
 - name: Mobile Device Management (MDM) 🔗
  href: /windows/client-management/mdm/
 - name: Universal Print 🔗
  href: /universal-print
 - name: Windows Autopatch 🔗
  href: /windows/deployment/windows-autopatch
 - name: Windows Autopilot 🔗
  href: /windows/deployment/windows-autopilot
--- a/windows/security/hardware-security/toc.yml
+++ b/windows/security/hardware-security/toc.yml
@ -0,0 +1,54 @@
 items:
  - name: Overview
    href: ../hardware.md
  - name: Hardware root of trust
    items:
      - name: Windows Defender System Guard
        href: ../threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
      - name: Trusted Platform Module
        href: ../information-protection/tpm/trusted-platform-module-top-node.md
        items:
          - name: Trusted Platform Module overview
            href: ../information-protection/tpm/trusted-platform-module-overview.md
          - name: TPM fundamentals
            href: ../information-protection/tpm/tpm-fundamentals.md
          - name: How Windows uses the TPM
            href: ../information-protection/tpm/how-windows-uses-the-tpm.md
          - name: Manage TPM commands
            href: ../information-protection/tpm/manage-tpm-commands.md
          - name: Manager TPM Lockout
            href: ../information-protection/tpm/manage-tpm-lockout.md
          - name: Change the TPM password
            href: ../information-protection/tpm/change-the-tpm-owner-password.md
          - name: TPM Group Policy settings
            href: ../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
          - name: Back up the TPM recovery information to AD DS
            href: ../information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
          - name: View status, clear, or troubleshoot the TPM
            href: ../information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
          - name: Understanding PCR banks on TPM 2.0 devices
            href: ../information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
          - name: TPM recommendations
            href: ../information-protection/tpm/tpm-recommendations.md
      - name: Microsoft Pluton security processor
        items:
          - name: Microsoft Pluton overview
            href: ../information-protection/pluton/microsoft-pluton-security-processor.md
          - name: Microsoft Pluton as TPM
            href: ../information-protection/pluton/pluton-as-tpm.md
  - name: Silicon assisted security
    items:
      - name: Virtualization-based security (VBS)
        href: /windows-hardware/design/device-experiences/oem-vbs
      - name: Memory integrity (HVCI)
        href: ../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
      - name: Memory integrity and VBS enablement 🔗
        href: /windows-hardware/design/device-experiences/oem-hvci-enablement
      - name: Hardware-enforced stack protection
        href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
      - name: Secured-core PC 🔗
        href: /windows-hardware/design/device-experiences/oem-highly-secure-11
      - name: Kernel Direct Memory Access (DMA) protection
        href: ../information-protection/kernel-dma-protection-for-thunderbolt.md
      - name: System Guard Secure Launch
        href: ../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@ -39,6 +39,8 @@ This content set contains:
  - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
  - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
 [!INCLUDE [access-control-aclsscals](../../../../includes/licensing/access-control-aclsscals.md)]
 ## Practical applications
 Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@ -20,6 +20,8 @@ Encrypted messages can be read only by recipients who have a certificate. If you
 A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
 [!INCLUDE [email-encryption-smime](../../../includes/licensing/email-encryption-smime.md)]
 ## Prerequisites
 -   [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com.
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@ -18,7 +18,6 @@ Credential theft attacks allow the attacker to steal secrets from one device and
 Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
 **To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
 - Users need to be in domains that are running Windows Server 2012 R2 or higher
 - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
 - All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@ -66,6 +66,8 @@ Applications may cause performance issues when they attempt to hook the isolated
 Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
 [!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)]
 ## Security considerations
 All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
@ -96,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve
 |Protections for Improved Security|Description|
 |---|---|
 |Hardware: **IOMMU** (input/output memory management unit)|**Requirement**: </br> - VT-D or AMD Vi IOMMU </br> </br> **Security benefits**: </br> - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)|
-|Firmware: **Securing Boot Configuration and Management**|**Requirements**: </br> - BIOS password or stronger authentication must be supported. </br> - In the BIOS configuration, BIOS authentication must be set. </br> - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. </br> - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
+|Firmware: **Securing Boot Configuration and Management**|**Requirements**: </br> - BIOS password or stronger authentication must be supported. </br> - In the BIOS configuration, BIOS authentication must be set. </br> - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system. </br> - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
 |Firmware: **Secure MOR, revision 2 implementation**|**Requirement**: </br> - Secure MOR, revision 2 implementation|
 ### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
--- a/windows/security/identity-protection/credential-guard/toc.yml
+++ b/windows/security/identity-protection/credential-guard/toc.yml
@ -0,0 +1,17 @@
 items:
 - name: Protect derived domain credentials with Credential Guard
  href: credential-guard.md
 - name: How Credential Guard works
  href: credential-guard-how-it-works.md
 - name: Requirements
  href: credential-guard-requirements.md
 - name: Manage Credential Guard
  href: credential-guard-manage.md
 - name: Credential Guard protection limits
  href: credential-guard-protection-limits.md
 - name: Considerations when using Credential Guard
  href: credential-guard-considerations.md
 - name: Additional mitigations
  href: additional-mitigations.md
 - name: Known issues
  href: credential-guard-known-issues.md
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@ -1,11 +1,11 @@
 ---
-title: Windows Hello for Business Overview (Windows)
+title: Windows Hello for Business Overview
-description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
+description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
 ms.collection: 
  - highpri
  - tier1
 ms.topic: conceptual
-ms.date: 12/31/2017
+ms.date: 04/24/2023
 ---
 # Windows Hello for Business Overview
@ -65,6 +65,8 @@ Imagine that someone is looking over your shoulder as you get money from an ATM
 Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
 [!INCLUDE [windows-hello-for-business](../../../../includes/licensing/windows-hello-for-business.md)]
 ## How Windows Hello for Business works: key points
 - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@ -20,9 +20,7 @@ Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard
 Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
 > [!IMPORTANT]
-> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#helpdesk) in this article.
+> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article.
 <a id="comparing-remote-credential-guard-with-other-remote-desktop-connection-options"></a>
 ## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
@ -30,43 +28,28 @@ The following diagram helps you to understand how a standard Remote Desktop sess
 ![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
 <br />
 The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
 ![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
 <br />
 As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
 <br />
 <br />
 Use the following table to compare different Remote Desktop connection security options:
 <br />
 <br />
 | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
-|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|--|--|--|--|
-|                                                 **Protection benefits**                                                  |                                Credentials on the server are not protected from Pass-the-Hash attacks.                                 |  User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing   |                                                                                  User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server                                                                                   |
+| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
-|                                                   **Version support**                                                    |                                        The remote computer can run any Windows operating system                                        | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
+| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
-| **Helps prevent**   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; |                             &nbsp;&nbsp;&nbsp;&nbsp; N/A &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;                              |                   <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul>                   |                                                                                                                <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul>                                                                                                                |
+| **Helps prevent**   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; | &nbsp;&nbsp;&nbsp;&nbsp; N/A &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul> | <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul> |
-|                             **Credentials supported from the remote desktop client device**                              | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> |                                  <ul><li> <b>Signed on</b> credentials only                                  |                                                                                        <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul>                                                                                         |
+| **Credentials supported from the remote desktop client device** | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> | <ul><li> <b>Signed on</b> credentials only | <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul> |
-|                                                        **Access**                                                        |                           **Users allowed**, that is, members of Remote Desktop Users group of remote host.                            |                      **Users allowed**, that is, members of Remote Desktop Users of remote host.                       |                                                                                                              **Administrators only**, that is, only members of Administrators group of remote host.                                                                                                               |
+| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
-|                                                   **Network identity**                                                   |                               Remote Desktop session **connects to other resources as signed-in user**.                                |                       Remote Desktop session **connects to other resources as signed-in user**.                        |                                                                                                                 Remote Desktop session **connects to other resources as remote host's identity**.                                                                                                                 |
+| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. |
-|                                                      **Multi-hop**                                                       |                        From the remote desktop, **you can connect through Remote Desktop to another computer**                         |                From the remote desktop, you **can connect through Remote Desktop to another computer**.                |                                                                                                                      Not allowed for user as the session is running as a local host account                                                                                                                       |
+| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
-|                                               **Supported authentication**                                               |                                                        Any negotiable protocol.                                                        |                                                     Kerberos only.                                                     |                                                                                                                                              Any negotiable protocol                                                                                                                                              |
+| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
 <br />
 For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol)
 and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)).
 <br />
 <a id="helpdesk"></a>
 ## Remote Desktop connections and helpdesk support scenarios
 For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
@ -77,8 +60,7 @@ To further harden security, we also recommend that you implement Local Administr
 For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx).
-
+[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)]
 <a id="reqs"></a>
 ## Remote Credential Guard requirements
@ -86,20 +68,17 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
 The Remote Desktop client device:
-  Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
+- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine
-
+- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host
-  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host.
+- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard
-
+- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
 -  Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
 -  Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
 The Remote Desktop remote host:
-  Must be running at least Windows 10, version 1607 or Windows Server 2016.
+- Must be running at least Windows 10, version 1607 or Windows Server 2016.
-  Must allow Restricted Admin connections.
+- Must allow Restricted Admin connections.
-  Must allow the client's domain user to access Remote Desktop connections.
+- Must allow the client's domain user to access Remote Desktop connections.
-  Must allow delegation of non-exportable credentials.
+- Must allow delegation of non-exportable credentials.
 There are no hardware requirements for Windows Defender Remote Credential Guard.
@ -109,31 +88,26 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
 > GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
 - For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
 - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
 - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
 ## Enable Windows Defender Remote Credential Guard
 You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
-1. Open Registry Editor on the remote host.
+1. Open Registry Editor on the remote host
 1. Enable Restricted Admin and Windows Defender Remote Credential Guard:
-2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
+  - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`
  - Add a new DWORD value named **DisableRestrictedAdmin**
  - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0
-    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
+1. Close Registry Editor
    - Add a new DWORD value named **DisableRestrictedAdmin**.
    - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0.
 3. Close Registry Editor.
 You can add this by running the following command from an elevated command prompt:
-```console
+```cmd
-reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
+reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
 ```
 ## Using Windows Defender Remote Credential Guard
@ -142,36 +116,28 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
 ### Turn on Windows Defender Remote Credential Guard by using Group Policy
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
+1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**
-
+1. Double-click **Restrict delegation of credentials to remote servers**
 2. Double-click **Restrict delegation of credentials to remote servers**.
    ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png)
-
+1. Under **Use the following restricted mode**:
-3. Under **Use the following restricted mode**:
+  - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used
   - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
     > [!NOTE]
     > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
     > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard.
-   - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
+  - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic.
-
+  - If you  want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in  [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
   - If you  want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
 4. Click **OK**.
 5. Close the Group Policy Management Console.
 6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
 1. Click **OK**
 1. Close the Group Policy Management Console
 1. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied
 ### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
 If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
-```console
+```cmd
 mstsc.exe /remoteGuard
 ```
@ -180,12 +146,8 @@ mstsc.exe /remoteGuard
 ## Considerations when using Windows Defender Remote Credential Guard
- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied.
+- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
-
+- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory
- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory.
+- Remote Desktop Credential Guard only works with the RDP protocol
-
+- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
- Remote Desktop Credential Guard only works with the RDP protocol.
+- The server and client must authenticate using Kerberos
 - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
 - The server and client must authenticate using Kerberos.
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@ -21,3 +21,5 @@ This topic for IT professional provides links to resources about the implementat
 -   [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
 -   [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
 [!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
--- a/windows/security/identity-protection/smart-cards/toc.yml
+++ b/windows/security/identity-protection/smart-cards/toc.yml
@ -0,0 +1,28 @@
 items:
 - name: Smart Card Technical Reference
  href: smart-card-windows-smart-card-technical-reference.md
  items:
    - name: How Smart Card Sign-in Works in Windows
      href: smart-card-how-smart-card-sign-in-works-in-windows.md
      items:
        - name: Smart Card Architecture
          href: smart-card-architecture.md
        - name: Certificate Requirements and Enumeration
          href: smart-card-certificate-requirements-and-enumeration.md
        - name: Smart Card and Remote Desktop Services
          href: smart-card-and-remote-desktop-services.md
        - name: Smart Cards for Windows Service
          href: smart-card-smart-cards-for-windows-service.md
        - name: Certificate Propagation Service
          href: smart-card-certificate-propagation-service.md
        - name: Smart Card Removal Policy Service
          href: smart-card-removal-policy-service.md
    - name: Smart Card Tools and Settings
      href: smart-card-tools-and-settings.md
      items:
        - name: Smart Cards Debugging Information
          href: smart-card-debugging-information.md
        - name: Smart Card Group Policy and Registry Settings
          href: smart-card-group-policy-and-registry-settings.md
        - name: Smart Card Events
          href: smart-card-events.md
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@ -0,0 +1,49 @@
 items:
  - name: Overview
    href: ../identity.md
  - name: Windows credential theft mitigation guide
    href: windows-credential-theft-mitigation-guide-abstract.md
  - name: Passwordless sign-in
    items:
    - name: Windows Hello for Business 🔗
      href: hello-for-business/index.yml
    - name: Windows presence sensing
      href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
    - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
      href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
    - name: FIDO 2 security key 🔗
      href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
    - name: Federated sign-in 🔗
      href: /education/windows/federated-sign-in
    - name: Smart Cards
      href: smart-cards/toc.yml
    - name: Virtual smart cards
      href: virtual-smart-cards/toc.yml
      displayName: VSC
    - name: Enterprise Certificate Pinning
      href: enterprise-certificate-pinning.md
  - name: Advanced credential protection
    items:
    - name: Account Lockout Policy 🔗
      href: ../threat-protection/security-policy-settings/account-lockout-policy.md
    - name: Technical support policy for lost or forgotten passwords
      href: password-support-policy.md
    - name: Windows LAPS (Local Administrator Password Solution) 🔗
      displayName: LAPS
      href: /windows-server/identity/laps/laps-overview
    - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
      href: ../threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
      displayName: EPP
    - name: Access Control
      items:
      - name: Overview
        href: access-control/access-control.md
        displayName: ACL
      - name: Local Accounts
        href: access-control/local-accounts.md
    - name: Security policy settings 🔗
      href: ../threat-protection/security-policy-settings/security-policy-settings.md
    - name: Windows Defender Credential Guard
      href: credential-guard/toc.yml
  - name: Windows Defender Remote Credential Guard
    href: remote-credential-guard.md
--- a/Show More
+++ b/Show More